RC4 Kerberos Service Ticket Requests - Potential Kerberoasting
Last updated on:
In this page
About the rule
Rule Type
Standard
Rule Description
Detects Kerberos service ticket requests using RC4 encryption for non-machine service accounts.
Severity
Trouble
Rule Requirement
Criteria
Action1:
actionname = "Kerberos Activity" AND (ENCRYPTIONTYPE = "0x17" AND USERNAME notendswith "$" AND SERVICENAME != "krbtgt")
select Action1.HOSTNAME,Action1.MESSAGE,Action1.USERNAME,Action1.DOMAIN,Action1.SERVICENAME,Action1.REMOTEHOST,Action1.ERRORCODE,Action1.ENCRYPTIONTYPE,Action1.GUID
Detection
Execution Mode
realtime
Log Sources
Active Directory


