Techniques
Sample rules
Kerberoasting Activity - Initial Query
- source: sigma
- technicques:
- t1558
- t1558.003
Description
This rule will collect the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is needed focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and time between the requests to turn this into an alert.
Detection logic
condition: selection and not 1 of filter_main_*
filter_main_:
ServiceName|endswith:
- krbtgt
- $
TargetUserName|contains: $@
selection:
EventID: 4769
Status: '0x0'
TicketEncryptionType: '0x17'