🐾 - 🔔 Suspicious Kerberos TGS-Request to Active Directory 🪟 - Possible Kerberoasting Attack 🥷 - T1558.003

SID: 3321265
Rev: 1
Views: 22
Source: pawpatrules
Created: May 19, 2024
Updated: May 19, 2024
Classification: attempted-recon
alert tcp any any -> $HOME_NET 88 (msg:"🐾 - 🔔 Suspicious Kerberos TGS-Request to Active Directory 🪟 - Possible Kerberoasting Attack 🥷 - T1558.003"; flow:to_server, stateless; content:"|30 82 05 a2 a1 03 02 01 05 a2 03 02 01 0c|"; content:"|30 82 04 ff a0 03 02 01 05 a1 03 02 01 0e a2 07 03 05 00 00 00 00 00|"; fast_pattern; content:"|6b 72 62 74 67 74|"; content:"|30 73 a0 03 02 01 17|"; content:"|40 81 00 10|"; content:"|30 29 a0 04 02 02 ff 80|"; reference:url,https://attack.mitre.org/techniques/T1558/003/; reference:url,https://github.com/fortra/impacket/blob/master/examples/GetUserSPNs.py; reference:url,https://medium.com/r3d-buck3t/attacking-service-accounts-with-kerberoasting-with-spns-de9894ca243f; metadata:created_at 2024_05_19, updated_at 2024_05_19, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_003, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_Kerberoasting; sid:3321265; rev:1; classtype:attempted-recon;)

Metadata

created at: 2024_05_19
updated at: 2024_05_19
signature severity: Major
attack target: Server_Endpoint
affected product: Windows_Server_32_64_Bit
mitre tactic id: TA0006
mitre tactic name: Credential_Access
mitre technique id: T1558_003
mitre technique name: Steal_or_Forge_Kerberos_Tickets_Kerberoasting
