
Rule History

SID: 3321415 • Source: pawpatrules

Versions (2)

Version Details (Current)

Rev: 4 • Feb 21, 2025, 12:00 PM

🐾 - 🚨 TGS Granted by 🪟 Service after Suspicious Kerberos TGS-Request 🥷 - T1558

alert tcp $HOME_NET 88 -> any any (msg:"🐾 - 🚨 TGS Granted by 🪟 Service after Suspicious Kerberos TGS-Request 🥷 - T1558"; flow:to_client, stateless; flowbits:isset,pptrls.suspkrbtgsrep; content:"|30 82|"; content:"|03 02 01 05|"; distance:3; content:"|03 02 01 0d|"; distance:1; target:src_ip; metadata:created_at 2025_02_21, updated_at 2025_03_29, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558, mitre_technique_name Steal_or_Forge_Kerberos_Tickets; sid:3321415; rev:4; classtype:credential-theft;)
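The three content matches in this rule are a byte-level fingerprint of the start of a Kerberos KDC-REP (RFC 4120): the long-form SEQUENCE header `30 82 LL LL`, then `a0 03 02 01 05` ([0] pvno = 5), then `a1 03 02 01 0d` ([1] msg-type = 13, KRB_TGS_REP). `distance:3` skips the two length bytes and the `a0` tag, `distance:1` skips the `a1` tag. The rule only fires when the flowbit `pptrls.suspkrbtgsrep` was already set on the flow by a companion TGS-REQ rule that is not shown on this page. The following Python is an added example, not pawpatrules code: it emulates Suricata's relative content/distance matching and the flowbit precondition, builds constructed DER skeletons of TGS-REP, AS-REP and KRB-ERROR messages (zero padding stands in for the real fields), and checks which ones match. It also shows a caveat a practitioner should know: `30 82` only matches a SEQUENCE whose length fits in two bytes, so a KDC-REP shorter than 128 bytes (not realistic, tickets are larger) or one of 65536 bytes or more (a very large PAC, encoded `30 83 ...`) is not seen by this signature.

```python
# Added example (not part of the pawpatrules rule set): reference emulation of the
# content/distance chain in SID 3321415 over constructed Kerberos KDC-REP headers.
# Byte layout follows RFC 4120 DER encoding; message bodies are zero padding, not real tickets.
from typing import Optional, Set

KRB_AS_REP, KRB_TGS_REP, KRB_ERROR = 11, 13, 30
FLOWBIT = "pptrls.suspkrbtgsrep"  # name taken from the rule; set by a companion rule not on this page

# (pattern, distance) pairs transcribed from the rule; distance=None means "match anywhere".
RULE_3321415_CHAIN = [
    (bytes.fromhex("3082"), None),     # long-form SEQUENCE header of KDC-REP, two length bytes follow
    (bytes.fromhex("03020105"), 3),    # skip LL LL a0, then INTEGER pvno = 5
    (bytes.fromhex("0302010d"), 1),    # skip a1, then INTEGER msg-type = 13 (TGS-REP)
]


def content_chain_match(payload: bytes, chain, start: int = 0) -> Optional[int]:
    """Emulate Suricata relative content matching.

    A pattern with distance:N must begin at least N bytes after the end of the
    previous match (no `within`, so anywhere further along is also allowed).
    Returns the end offset of the last match, or None. Backtracks like the
    engine: if a later content fails, an earlier one is retried at its next hit.
    """
    if not chain:
        return start
    pattern, distance = chain[0]
    pos = payload.find(pattern, start if distance is None else start + distance)
    while pos != -1:
        end = content_chain_match(payload, chain[1:], pos + len(pattern))
        if end is not None:
            return end
        pos = payload.find(pattern, pos + 1)
    return None


def rule_3321415_fires(payload: bytes, flowbits: Set[str]) -> bool:
    """Both conditions of the rule: flowbit from the earlier TGS-REQ alert and the byte chain."""
    return FLOWBIT in flowbits and content_chain_match(payload, RULE_3321415_CHAIN) is not None


def der_len(n: int) -> bytes:
    """DER length octets: short form below 128, else 0x80|k followed by k big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def kdc_message(msg_type: int, pvno: int = 5, body_len: int = 1200) -> bytes:
    """Constructed DER skeleton of KDC-REP / KRB-ERROR:
    [APPLICATION msg_type] SEQUENCE { [0] pvno INTEGER, [1] msg-type INTEGER, ... }.
    Everything after msg-type is replaced by body_len zero bytes."""
    fields = bytes([0xA0, 0x03, 0x02, 0x01, pvno, 0xA1, 0x03, 0x02, 0x01, msg_type]) + bytes(body_len)
    seq = b"\x30" + der_len(len(fields)) + fields
    return bytes([0x60 | msg_type]) + der_len(len(seq)) + seq


def tcp_framed(msg: bytes) -> bytes:
    """Kerberos over TCP prefixes each message with a 4-byte big-endian length (RFC 4120 7.2.2)."""
    return len(msg).to_bytes(4, "big") + msg


if __name__ == "__main__":
    flagged = {FLOWBIT}
    cases = {
        "TGS-REP, flowbit set": (tcp_framed(kdc_message(KRB_TGS_REP)), flagged),
        "TGS-REP, no flowbit": (tcp_framed(kdc_message(KRB_TGS_REP)), set()),
        "AS-REP (msg-type 11)": (tcp_framed(kdc_message(KRB_AS_REP)), flagged),
        "KRB-ERROR (msg-type 30)": (tcp_framed(kdc_message(KRB_ERROR)), flagged),
        "TGS-REP >= 64 KiB (30 83 ...)": (tcp_framed(kdc_message(KRB_TGS_REP, body_len=70000)), flagged),
    }
    for name, (payload, bits) in cases.items():
        print(f"{name:32} -> {'ALERT' if rule_3321415_fires(payload, bits) else 'no alert'}")
```

Only the first case alerts. The last case is the coverage gap worth remembering when tuning: an oversized TGS-REP is encoded with a three-byte length and never contains `30 82` at the SEQUENCE header, so the signature stays silent even though the flowbit is set.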

Created: Feb 21, 2025, 12:00 PM (metadata created_at 2025_02_21)

Updated: Mar 29, 2025, 12:00 PM (metadata updated_at 2025_03_29)

Feb 25, 2025, 5:10 AM

May 29, 2025, 11:12 PM

File: rules/PAW-PATRULES_LATERAL_MOVEMENT.rules