Techniques
Sample rules
Kerberos Network Traffic RC4 Ticket Encryption
- source: sigma
- techniques:
  - t1558
  - t1558.003
Description
Detects Kerberos TGS requests using RC4 encryption, which may be indicative of Kerberoasting.
Detection logic
computer_acct:
    service|startswith: $
condition: selection and not computer_acct
selection:
    cipher: rc4-hmac
    request_type: TGS
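The detection logic above, evaluated over a few log records. This is an added example, not part of the original rule or of the Sigma project. It assumes newline-delimited JSON records carrying the rule's `request_type`, `cipher` and `service` fields (as Zeek's kerberos.log does); the `id.orig_h` source field, the addresses and the service names are constructed sample data.

```python
import json

# Constructed sample records (not real traffic), one JSON object per line.
SAMPLE_LOG = """\
{"id.orig_h": "10.0.0.21", "request_type": "TGS", "cipher": "rc4-hmac", "service": "MSSQLSvc/db01.corp.example:1433"}
{"id.orig_h": "10.0.0.21", "request_type": "TGS", "cipher": "aes256-cts-hmac-sha1-96", "service": "HTTP/web01.corp.example"}
{"id.orig_h": "10.0.0.34", "request_type": "AS", "cipher": "rc4-hmac", "service": "krbtgt/CORP.EXAMPLE"}
{"id.orig_h": "10.0.0.34", "request_type": "TGS", "cipher": "RC4-HMAC", "service": "$WS042"}
{"id.orig_h": "10.0.0.55", "request_type": "TGS", "service": "cifs/fs01.corp.example"}
"""


def _eq(record, field, expected):
    """Plain Sigma value match: field must be present; strings compare case-insensitively."""
    value = record.get(field)
    return isinstance(value, str) and value.lower() == expected.lower()


def _startswith(record, field, prefix):
    """Sigma 'startswith' modifier, case-insensitive like other string matches."""
    value = record.get(field)
    return isinstance(value, str) and value.lower().startswith(prefix.lower())


def matches_rule(record):
    """condition: selection and not computer_acct"""
    selection = _eq(record, "request_type", "TGS") and _eq(record, "cipher", "rc4-hmac")
    computer_acct = _startswith(record, "service", "$")
    return selection and not computer_acct


def scan(lines):
    """Return (line number, source host, service) for every record the rule matches."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # blank or malformed line: nothing to evaluate
        if isinstance(record, dict) and matches_rule(record):
            hits.append((lineno, record.get("id.orig_h"), record.get("service")))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print("RC4 TGS request: line %d, source %s, service %s" % hit)
```

Only the first record matches: the second uses AES, the third is an AS request, the fourth is excluded by the `computer_acct` filter, and the fifth has no `cipher` field for `selection` to match.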