Versions (2) - current: Rev 2, May 3, 2024, 1:00 AM

🐾 - 🔔 Suspicious Kerberos AS-Request to Active Directory 🪟 - Possible AS-REP Roasting Attack via Rubeus 🥷 - T1558.004
# What it fires on: a Kerberos KDC-REQ sent to a $HOME_NET KDC on TCP/88 whose kdc-options field is exactly
# 0x40800010 (forwardable, renewable, renewable-ok), whose sname contains "krbtgt", and whose msg-type is 10 (AS-REQ).
# Hex matches decoded:
#   a0 07 03 05 00 40 80 00 10  = [0] kdc-options, BIT STRING of 32 bits with 0 unused bits, value 0x40800010;
#   the trailing a1 is the [1] cname tag that directly follows kdc-options in KDC-REQ-BODY
#   6b 72 62 74 67 74           = "krbtgt" (fast_pattern, so it drives the multi-pattern prefilter)
#   a2 03 02 01 0a              = [2] msg-type INTEGER 10 (AS-REQ)
#   !a2 03 02 01 0c             = exclude [2] msg-type INTEGER 12 (TGS-REQ)
# The content keywords carry no distance/within modifiers, so each one is matched independently anywhere in the payload.
# A client that sets any additional KDC option (for example canonicalize) does not match the first content.
alert tcp any any -> $HOME_NET 88 (msg:"🐾 - 🔔 Suspicious Kerberos AS-Request to Active Directory 🪟 - Possible AS-REP Roasting Attack via Rubeus 🥷 - T1558.004"; flow: to_server, stateless; content:"|a0 07 03 05 00 40 80 00 10 a1|"; content:"|6b 72 62 74 67 74|"; fast_pattern; content:"|a2 03 02 01 0a|"; content:!"|a2 03 02 01 0c|"; reference:url,https://attack.mitre.org/techniques/T1558/004/; reference:url,https://github.com/GhostPack/Rubeus#asreproast; reference:url,https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat; metadata:created_at 2024_05_03, updated_at 2025_04_03, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting; sid:3321256; rev:2; classtype:attempted-recon;)
Timestamps shown for this rule: May 3, 2024, 1:00 AM (matches created_at 2024_05_03); Apr 3, 2025, 12:00 PM (matches updated_at 2025_04_03); May 29, 2025, 11:12 PM.
File: rules/PAW-PATRULES_LATERAL_MOVEMENT.rules
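To see why the rule keys on that exact kdc-options value, the following added example (not code from the PAW PATRULES repository or from Rubeus) replays the rule's content matches over three hand-built KDC-REQ fragments. The fragments are constructed test data, not captures, and deliberately contain only the fields the rule inspects. The Windows client option value 0x40810010 (the Rubeus set plus canonicalize) is an assumption taken from common domain-joined client behaviour; verify it against your own captures before relying on it.

```python
"""Replay the AS-REP roasting rule's content matches over constructed KDC-REQ fragments.

Added example, not part of the PAW PATRULES repository. All byte strings are
hand-built test data, not packet captures.
"""
import struct

# KDCOptions bit positions (RFC 4120 section 5.4.1); bit 0 is the MSB of the 32-bit field.
KDC_OPTION_BITS = {
    "forwardable": 1,
    "forwarded": 2,
    "proxiable": 3,
    "proxy": 4,
    "allow-postdate": 5,
    "postdated": 6,
    "renewable": 8,
    "opt-hardware-auth": 11,
    "canonicalize": 15,
    "disable-transited-check": 26,
    "renewable-ok": 27,
    "enc-tkt-in-skey": 28,
    "renew": 30,
    "validate": 31,
}

RUBEUS_STYLE = 0x40800010   # forwardable | renewable | renewable-ok (what the rule matches)
WINDOWS_STYLE = 0x40810010  # assumed: the same set plus canonicalize, as a Windows client sends


def decode_kdc_options(value: int) -> list[str]:
    """Return the names of the flags set in a 32-bit KDCOptions value."""
    return [name for name, bit in KDC_OPTION_BITS.items() if value & (1 << (31 - bit))]


def kdc_options_der(value: int) -> bytes:
    """[0] EXPLICIT BIT STRING: 32 bits, 0 unused bits, as in the rule's first content match."""
    return b"\xa0\x07\x03\x05\x00" + struct.pack(">I", value)


def fake_kdc_req(msg_type: int, kdc_options: int, sname: bytes) -> bytes:
    """Constructed, simplified KDC-REQ fragment (not a full DER encoding):
    [2] msg-type, then kdc-options immediately followed by the [1] cname tag,
    some filler, then the sname component the rule looks for."""
    msg_type_der = b"\xa2\x03\x02\x01" + bytes([msg_type])  # [2] INTEGER msg-type
    body = kdc_options_der(kdc_options) + b"\xa1" + b"\x00" * 8 + sname
    return msg_type_der + body


# The rule's positive content matches and its single negated match.
CONTENT_MATCHES = [
    bytes.fromhex("a0 07 03 05 00 40 80 00 10 a1"),  # kdc-options 0x40800010, then cname tag
    b"krbtgt",                                       # sname component (fast_pattern)
    bytes.fromhex("a2 03 02 01 0a"),                 # msg-type 10 = AS-REQ
]
NEGATED_MATCHES = [bytes.fromhex("a2 03 02 01 0c")]  # msg-type 12 = TGS-REQ


def rule_matches(payload: bytes) -> bool:
    """Emulate the rule: without distance/within, every positive content must occur
    somewhere in the payload, and no negated content may occur."""
    return all(c in payload for c in CONTENT_MATCHES) and not any(
        c in payload for c in NEGATED_MATCHES
    )


SAMPLES = {
    "rubeus_asreq": fake_kdc_req(10, RUBEUS_STYLE, b"krbtgt"),
    "windows_asreq": fake_kdc_req(10, WINDOWS_STYLE, b"krbtgt"),
    "rubeus_tgsreq": fake_kdc_req(12, RUBEUS_STYLE, b"krbtgt"),
}


def evaluate_samples() -> dict[str, bool]:
    """Run the emulated rule over every constructed sample."""
    return {name: rule_matches(payload) for name, payload in SAMPLES.items()}


if __name__ == "__main__":
    for name, matched in evaluate_samples().items():
        print(f"{name:14s} match={matched}")
    print("0x40800010 ->", decode_kdc_options(RUBEUS_STYLE))
    print("0x40810010 ->", decode_kdc_options(WINDOWS_STYLE))
```

Only the Rubeus-style request matches: the Windows-style request differs by one bit (canonicalize), which breaks the first content, and the TGS-REQ trips the negated msg-type match. Note that the rule is `alert tcp`, so Kerberos carried over UDP/88 is out of scope; Rubeus talks to the KDC over TCP, so that is not a gap for this tool.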