🐾 - 🔔 Suspicious Kerberos AS-Request to Active Directory 🪟 - Possible AS-REP Roasting Attack or GET TGT from non Windows implementation 🥷 - T1558.004

SID: 3321254 | Rev: 10 | 56 views
Source: pawpatrules
Created: May 3, 2024
Updated: April 3, 2025
Classification: attempted-recon
alert tcp any any -> $HOME_NET 88 (msg:"🐾 - 🔔 Suspicious Kerberos AS-Request to Active Directory 🪟 - Possible AS-REP Roasting Attack or GET TGT from non Windows implementation 🥷 - T1558.004"; flow:to_server, stateless; flowbits:set,pptrls.suspkrbasrep; flowbits:isnotset,pptrls.suspkrbasrep; content:"|a0 07 03 05 00|"; content:"|80|"; distance:1; content:"|a1|"; distance:2; content:"|6b 72 62 74 67 74|"; fast_pattern; content:"|a2 03 02 01 0a|"; content:!"|a2 03 02 01 0c|"; content:!"|40 81 00|"; content:!"|50 81 00|"; reference:url,https://attack.mitre.org/techniques/T1558/004/; reference:url,https://github.com/GhostPack/Rubeus#asreproast; reference:url,https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py; reference:url,https://medium.com/r3d-buck3t/kerberos-attacks-as-rep-roasting-2549fd757b5; metadata:created_at 2024_05_03, updated_at 2025_04_03, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting; sid:3321254; rev:10; classtype:attempted-recon;)
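
The following is an added example and not part of the pawpatrules rule or this page: a small Python re-implementation of the signature's content, distance and negated-content checks, run against constructed, abbreviated AS-REQ messages, with each byte pattern annotated as the RFC 4120 field it lands on in DER (the [0] kdc-options flag bytes, the [1] cname tag that follows them, the "krbtgt" sname component, msg-type 10 for AS-REQ versus the excluded 12 for TGS-REQ). The DER builder, the principal names, the realm EXAMPLE.LOCAL and the flag values are constructed for illustration; the option bit names follow RFC 4120 section 5.4.1 (canonicalize from RFC 6806). The decoder also shows what the two excluded prefixes 40 81 00 and 50 81 00 mean: forwardable (plus proxiable) with renewable and canonicalize set, which the rule treats as the expected client behaviour and leaves alone.

```python
from __future__ import annotations

# Byte patterns copied from SID 3321254, annotated with the Kerberos (RFC 4120)
# field each one lands on in a DER-encoded AS-REQ.
KDC_OPTIONS_HDR = bytes.fromhex("a007030500")   # [0] kdc-options: BIT STRING, 0 unused bits, 4 flag bytes
CNAME_TAG = b"\xa1"                             # [1] cname, the field right after kdc-options
KRBTGT = b"krbtgt"                              # first name-string of the sname (a TGT request)
MSG_TYPE_AS_REQ = bytes.fromhex("a20302010a")   # [2] msg-type INTEGER 10 = KRB_AS_REQ
MSG_TYPE_TGS_REQ = bytes.fromhex("a20302010c")  # [2] msg-type INTEGER 12 = KRB_TGS_REQ (negated)
EXCLUDED_OPTIONS = (bytes.fromhex("408100"), bytes.fromhex("508100"))  # negated flag prefixes

# KDCOptions bit numbers (MSB-first within the BIT STRING), RFC 4120 sect. 5.4.1;
# canonicalize (bit 15) is defined in RFC 6806.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable", 15: "canonicalize",
    26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
    30: "renew", 31: "validate",
}


def decode_kdc_options(flags: bytes) -> list[str]:
    """Name the set bits of a 4-byte kdc-options value."""
    return [name for bit, name in KDC_OPTION_BITS.items()
            if flags[bit // 8] & (0x80 >> (bit % 8))]


def _options_chain_matches(payload: bytes) -> bool:
    """content:"|a0 07 03 05 00|"; content:"|80|"; distance:1; content:"|a1|"; distance:2

    Relative matching as Suricata does it: from the end of the options header
    skip one byte (flag byte 0), require 0x80 as flag byte 1 (renewable set,
    canonicalize clear), skip flag bytes 2 and 3, then require the [1] cname
    tag. Every occurrence of the header is tried, as the engine would.
    """
    start = 0
    while (pos := payload.find(KDC_OPTIONS_HDR, start)) != -1:
        end = pos + len(KDC_OPTIONS_HDR)
        if payload[end + 1:end + 2] == b"\x80" and payload[end + 4:end + 5] == CNAME_TAG:
            return True
        start = pos + 1
    return False


def rule_matches(payload: bytes) -> bool:
    """All positive contents present and both negated contents absent."""
    return (_options_chain_matches(payload)
            and KRBTGT in payload
            and MSG_TYPE_AS_REQ in payload
            and MSG_TYPE_TGS_REQ not in payload
            and not any(p in payload for p in EXCLUDED_OPTIONS))


# --- constructed sample messages (abbreviated DER, not captured traffic) ---

def _tlv(tag: int, body: bytes) -> bytes:
    assert len(body) < 128, "short-form DER length is enough for these samples"
    return bytes([tag, len(body)]) + body


def _principal(name: str, name_type: int) -> bytes:
    """PrincipalName ::= SEQUENCE { name-type [0] Int32, name-string [1] SEQUENCE OF KerberosString }"""
    strings = b"".join(_tlv(0x1B, part.encode()) for part in name.split("/"))
    return _tlv(0x30, _tlv(0xA0, _tlv(0x02, bytes([name_type])))
                + _tlv(0xA1, _tlv(0x30, strings)))


def build_as_req(flags: bytes, msg_type: int = 10, realm: str = "EXAMPLE.LOCAL") -> bytes:
    """AS-REQ carrying only the fields this rule inspects (no padata, till, nonce or etype)."""
    body = (_tlv(0xA0, _tlv(0x03, b"\x00" + flags))           # [0] kdc-options
            + _tlv(0xA1, _principal("alice", 1))               # [1] cname, NT-PRINCIPAL
            + _tlv(0xA2, _tlv(0x1B, realm.encode()))           # [2] realm
            + _tlv(0xA3, _principal("krbtgt/" + realm, 2)))    # [3] sname, NT-SRV-INST
    req = (_tlv(0xA1, _tlv(0x02, b"\x05"))                     # [1] pvno 5
           + _tlv(0xA2, _tlv(0x02, bytes([msg_type])))         # [2] msg-type
           + _tlv(0xA4, _tlv(0x30, body)))                     # [4] req-body
    return _tlv(0x6A, _tlv(0x30, req))                         # [APPLICATION 10] AS-REQ


SAMPLES = {
    "forwardable+renewable, canonicalize clear (alerts)": build_as_req(bytes.fromhex("40800000")),
    "forwardable+renewable+canonicalize+renewable-ok, prefix 40 81 00 (no alert)": build_as_req(bytes.fromhex("40810010")),
    "same options as the first, but msg-type 12 TGS-REQ (no alert)": build_as_req(bytes.fromhex("40800000"), msg_type=12),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        flags = pkt[pkt.index(KDC_OPTIONS_HDR) + 5:][:4]
        print(f"{label}: options={decode_kdc_options(flags)} match={rule_matches(pkt)}")
```

Run it as a script to see each constructed message with its decoded options and whether the signature would fire. The only positional logic in the rule is the options chain; the remaining contents are plain presence or absence checks anywhere in the payload, which is why the two negated flag prefixes are matched independently of the chain.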

Metadata

created at: 2024_05_03
updated at: 2025_04_03
signature severity: Major
attack target: Server_Endpoint
affected product: Windows_Server_32_64_Bit
mitre tactic id: TA0006
mitre tactic name: Credential_Access
mitre technique id: T1558_004
mitre technique name: Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting
