🐾 - 🔔 LDAP search request AS-REP Roastable users on Active Directory 🪟 - Possible AS-REP Roasting Attack via Rubeus 🥷 - T1558.004

SID: 3321259
Rev: 4
79 views
Source: pawpatrules
Created: May 3, 2024
Updated: April 3, 2025
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET 389 (msg:"🐾 - 🔔 LDAP search request AS-REP Roastable users on Active Directory 🪟 - Possible AS-REP Roasting Attack via Rubeus 🥷 - T1558.004"; flow:to_server, stateless; content:"|a3 84 00 00 00 1b 04 0e 73 61 6d 41 63 63 6f 75 6e 74 54 79 70 65 04 09 38 30 35 33 30 36 33 36 38|"; content:"|a9 84 00 00 00 38 81 16 31 2e 32 2e 38 34 30 2e 31 31 33 35 35 36 2e 31 2e 34 2e 38 30 33 82 12 75 73 65 72 41 63 63 6f 75 6e 74 43 6f 6e 74 72 6f 6c 83 07 34 31 39 34 33 30 34 84 01 00|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1558/004/; reference:url,https://github.com/GhostPack/Rubeus#asreproast; reference:url,https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/as-rep-roasting-using-rubeus-and-hashcat; metadata:created_at 2024_05_04, updated_at 2025_04_03, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting; sid:3321259; rev:4; classtype:attempted-recon;)

Metadata

created at: 2024_05_04
updated at: 2025_04_03
signature severity: Major
attack target: Server_Endpoint
affected product: Windows_Server_32_64_Bit
mitre tactic id: TA0006
mitre tactic name: Credential_Access
mitre technique id: T1558_004
mitre technique name: Steal_or_Forge_Kerberos_Tickets_AS-REP_Roasting
