🐾 - 🔔 LDAP search request Kerberoastable users on Active Directory 🪟 - Possible 1st step of Kerberoasting Attack via Impacket 🥷 - T1558.003

SID: 3321264
Rev: 2
Source: pawpatrules
Created: May 19, 2024
Updated: April 2, 2025
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET 389 (msg:"🐾 - 🔔 LDAP search request Kerberoastable users on Active Directory 🪟 - Possible 1st step of Kerberoasting Attack via Impacket 🥷 - T1558.003"; flow:to_server, stateless; content:"|a3 18 04 0e 6f 62 6a 65 63 74 43 61 74 65 67 6f 72 79 04 06 70 65 72 73 6f 6e|"; content:"|87 14 73 65 72 76 69 63 65 50 72 69 6e 63 69 70 61 6c 4e 61 6d 65|"; content:"|a2 31 a9 2f 81 16 31 2e 32 2e 38 34 30 2e 31 31 33 35 35 36 2e 31 2e 34 2e 38 30 33 82 12 75 73 65 72 41 63 63 6f 75 6e 74 43 6f 6e 74 72 6f 6c 83 01 32|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1558/003/; reference:url,https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py; reference:url,https://medium.com/r3d-buck3t/attacking-service-accounts-with-kerberoasting-with-spns-de9894ca243f; metadata:created_at 2024_05_19, updated_at 2025_04_02, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_003, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_Kerberoasting; sid:3321264; rev:2; classtype:attempted-recon;)

Metadata

created at: 2024_05_19
updated at: 2025_04_02
signature severity: Major
attack target: Server_Endpoint
affected product: Windows_Server_32_64_Bit
mitre tactic id: TA0006
mitre tactic name: Credential_Access
mitre technique id: T1558_003
mitre technique name: Steal_or_Forge_Kerberos_Tickets_Kerberoasting
