🐾 - 🔔 Suspicious Kerberos AS-Request to Active Directory 🪟 - Possible AS-REP Roasting Attack or GET TGT via Impacket 🥷 - T1558.004 - Suricata Rule 3321255 (pawpatrules)

🐾 - 🔔 Suspicious Kerberos AS-Request to Active Directory 🪟 - Possible AS-REP Roasting Attack or GET TGT via Impacket 🥷 - T1558.004

SID: 3321255Rev: 441 viewsHistory

Sourcepawpatrules

CreatedMay 3, 2024

UpdatedApril 3, 2025

Classificationattempted-recon

alert tcp any any -> $HOME_NET 88 (msg:"🐾 - 🔔 Suspicious Kerberos AS-Request to Active Directory 🪟 - Possible AS-REP Roasting Attack or GET TGT via Impacket 🥷 - T1558.004"; flow:to_server, stateless; content:"|a0 07 03 05 00 50 80 00 00 a1|"; content:"|6b 72 62 74 67 74|"; fast_pattern; content:"|a2 03 02 01 0a|"; content:!"|a2 03 02 01 0c|"; reference:url,https://attack.mitre.org/techniques/T1558/004/; reference:url,https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py; reference:url,https://medium.com/r3d-buck3t/kerberos-attacks-as-rep-roasting-2549fd757b5; metadata:created_at 2024_05_03, updated_at 2025_04_03, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting; sid:3321255; rev:4; classtype:attempted-recon;)

References

url	https://attack.mitre.org/techniques/T1558/004/
url	https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py
url	https://medium.com/r3d-buck3t/kerberos-attacks-as-rep-roasting-2549fd757b5

Metadata

created at2024_05_03

updated at2025_04_03

signature severityMajor

attack targetServer_Endpoint

affected productWindows_Server_32_64_Bit

mitre tactic idTA0006

mitre tactic nameCredential_Access

mitre technique idT1558_004

mitre technique nameSteal_or_Forge_Kerberos_Tickets_AS-REP_Roasting

Comments (0)

Please sign in to leave a comment.

No comments yet. Be the first to comment!