ET INFO High Number of Kerberos TGS Requests - Possible Kerberoasting (TCP)

SID: 2059253
Rev: 1
Source: et/open
Created: January 14, 2025
Updated: January 14, 2025
Classification: misc-activity
alert tcp any any -> $HOME_NET 88 (msg:"ET INFO High Number of Kerberos TGS Requests - Possible Kerberoasting (TCP)"; flow:established,to_server; content:"|03 02 01 05 a2 03 02 01|"; fast_pattern; pcre:"/^\x0a|\0xb/R"; content:"krbtgt"; distance:0; threshold:type both,track by_src,count 10, seconds 20; reference:url,datatracker.ietf.org/doc/html/rfc4120; classtype:misc-activity; sid:2059253; rev:1; metadata:attack_target Client_Endpoint, tls_state plaintext, created_at 2025_01_14, deployment Perimeter, confidence Medium, signature_severity Informational, updated_at 2025_01_14;)

Metadata

attack target: Client_Endpoint
tls state: plaintext
created at: 2025_01_14
deployment: Perimeter
confidence: Medium
signature severity: Informational
updated at: 2025_01_14
