Techniques
Sample rules
Suspicious Kerberos RC4 Ticket Encryption
- source: sigma
- techniques:
  - t1558
  - t1558.003
Description
Detects service ticket requests using RC4 encryption type
Detection logic
condition: selection and not reduction
reduction:
  ServiceName|endswith: $
selection:
  EventID: 4769
  TicketEncryptionType: '0x17'
  TicketOptions: '0x40810000'
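The detection logic above, evaluated over a few events, as an added example that is not part of the Sigma rule or this page. The events, account names and service names are constructed, and the matcher is a minimal stand-in for a Sigma backend that supports only exact match and `endswith`.

```python
# Added example: applies "selection and not reduction" to constructed 4769 events.
RULE = {
    "selection": {
        "EventID": 4769,
        "TicketEncryptionType": "0x17",
        "TicketOptions": "0x40810000",
    },
    "reduction": {"ServiceName|endswith": "$"},
}

def field_matches(event, key, expected):
    """Match one 'Field' or 'Field|endswith' entry, case-insensitively as Sigma does."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    actual = str(event[name]).lower()
    expected = str(expected).lower()
    if modifier == "endswith":
        return actual.endswith(expected)
    if modifier == "":
        return actual == expected
    raise ValueError(f"unsupported modifier: {modifier}")

def block_matches(event, block):
    """All fields inside one detection block are ANDed together."""
    return all(field_matches(event, k, v) for k, v in block.items())

def rule_fires(event):
    """condition: selection and not reduction"""
    return (block_matches(event, RULE["selection"])
            and not block_matches(event, RULE["reduction"]))

# Constructed sample events (hypothetical account and service names).
EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},  # RC4, user-backed service
    {"EventID": 4769, "TargetUserName": "alice@EXAMPLE.LOCAL", "ServiceName": "FILESRV01$",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},  # RC4, machine account
    {"EventID": 4769, "TargetUserName": "bob@EXAMPLE.LOCAL", "ServiceName": "svc-web",
     "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000"},  # AES256, not RC4
    {"EventID": 4768, "TargetUserName": "bob@EXAMPLE.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000"},  # TGT request, other event ID
]

def alerts(events):
    """Return the ServiceName of every event the rule fires on."""
    return [e["ServiceName"] for e in events if rule_fires(e)]
```

Only the first event alerts: the machine-account request is dropped by `reduction`, and the other two fail `selection` on encryption type or event ID.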