LoFP / service accounts used on legacy systems (e.g. NetApp)

Techniques

Sample rules

Suspicious Kerberos RC4 Ticket Encryption

Description

Detects Kerberos service ticket (TGS) requests, logged as Security Event ID 4769, whose ticket was issued with the RC4-HMAC encryption type (0x17) and the ticket options 0x40810000 (forwardable, renewable, canonicalize). Tools that perform Kerberoasting deliberately request RC4 tickets because the resulting hash is far cheaper to crack offline than an AES-encrypted one. Requests for computer accounts (service names ending in "$") are excluded. The remaining false positives are service accounts that legitimately still negotiate RC4, typically on legacy appliances such as NetApp filers; those accounts should be allowlisted by ServiceName rather than by weakening the rule.

Detection logic

selection:
  EventID: 4769                    # A Kerberos service ticket was requested (TGS-REQ)
  TicketEncryptionType: '0x17'     # RC4-HMAC; Kerberoasting tools request this explicitly
  TicketOptions: '0x40810000'      # forwardable | renewable | canonicalize
reduction:
  ServiceName|endswith: $          # computer accounts; these are not Kerberoasting targets
condition: selection and not reduction
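The rule logic above, as an added example that is not part of LoFP or the Sigma rule, rewritten as a Python filter and run over a handful of constructed Event ID 4769 records. It shows one true match, the computer-account reduction, an AES ticket that fails the selection, and a request for a legacy NetApp-style service account that the rule does fire on, which is the false positive this page describes; that last case is handled with a ServiceName allowlist. The account names, IP addresses and the allowlist contents are assumptions made for the example, and the per-requester aggregation at the end goes beyond the rule itself as a typical follow-up check.

```python
"""Added example: the Sigma logic above as a Python filter, run over
constructed Event ID 4769 records (not the project's own code)."""
from collections import defaultdict

# Constructed sample events shaped like Windows Security 4769 EventData.
SAMPLE_EVENTS = [
    {   # Kerberoasting-style request: RC4 TGS for a user-owned SPN
        "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
        "ServiceName": "svc-sql", "TicketOptions": "0x40810000",
        "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25",
    },
    {   # Same shape, but ServiceName is a computer account -> reduction applies
        "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
        "ServiceName": "WS01$", "TicketOptions": "0x40810000",
        "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25",
    },
    {   # AES256 ticket (0x12) -> selection fails on the encryption type
        "EventID": 4769, "TargetUserName": "jdoe@CORP.LOCAL",
        "ServiceName": "svc-sql", "TicketOptions": "0x40810000",
        "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.25",
    },
    {   # Hypothetical legacy NAS service account that only supports RC4:
        # the rule fires, but this is the false positive the LoFP entry covers
        "EventID": 4769, "TargetUserName": "BACKUP01$@CORP.LOCAL",
        "ServiceName": "svc-netapp-cifs", "TicketOptions": "0x40810000",
        "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.40",
    },
    {   # TGT request (4768), a different event entirely -> ignored
        "EventID": 4768, "TargetUserName": "jdoe",
        "ServiceName": "krbtgt", "TicketOptions": "0x40810010",
        "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25",
    },
]


def selection(ev):
    """All three selection fields must match, as in the Sigma 'selection' map."""
    return (str(ev.get("EventID")) == "4769"
            and ev.get("TicketEncryptionType") == "0x17"
            and ev.get("TicketOptions") == "0x40810000")


def reduction(ev):
    """ServiceName|endswith: $  (computer accounts)."""
    return str(ev.get("ServiceName", "")).endswith("$")


def rule_matches(ev):
    """condition: selection and not reduction"""
    return selection(ev) and not reduction(ev)


# Hypothetical tuning list for this LoFP entry: service accounts on legacy
# systems that can only negotiate RC4. The names here are assumptions.
LEGACY_RC4_SERVICE_ACCOUNTS = frozenset({"svc-netapp-cifs"})


def alerts(events, allowlist=frozenset()):
    """Events the rule fires on, minus allowlisted legacy service accounts."""
    return [ev for ev in events
            if rule_matches(ev)
            and str(ev.get("ServiceName", "")).lower() not in allowlist]


def distinct_services_by_requester(events, allowlist=frozenset()):
    """Follow-up triage: Kerberoasting usually requests many SPNs from one
    principal, so count distinct ServiceNames per TargetUserName."""
    seen = defaultdict(set)
    for ev in alerts(events, allowlist):
        seen[ev["TargetUserName"]].add(ev["ServiceName"])
    return {user: len(svcs) for user, svcs in seen.items()}


if __name__ == "__main__":
    for ev in alerts(SAMPLE_EVENTS):
        print("untuned hit:", ev["TargetUserName"], "->", ev["ServiceName"])
    for ev in alerts(SAMPLE_EVENTS, LEGACY_RC4_SERVICE_ACCOUNTS):
        print("tuned hit:  ", ev["TargetUserName"], "->", ev["ServiceName"])
    print(distinct_services_by_requester(SAMPLE_EVENTS, LEGACY_RC4_SERVICE_ACCOUNTS))
```

Keeping the allowlist as a separate filter, rather than adding the legacy accounts to the rule's reduction, keeps the Sigma rule portable and makes the exception visible to whoever reviews the tuning.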