🐾 - 🔔 Suspicious Kerberos TGS-Request to Active Directory 🪟 for CIFS service - Possible TGS requested from Rubeus 🥷 - T1558

SID: 3321438
Rev: 6

History
Source: pawpatrules
Created: March 29, 2025
Updated: March 30, 2025
Classification: credential-theft
# Kerberos TGS-REQ over TCP to a KDC on port 88. The byte patterns decode as follows:
#   30 82                        ASN.1 SEQUENCE (KDC-REQ) with a two-byte long-form length
#   03 02 01 05                  pvno INTEGER 5
#   03 02 01 0c                  msg-type INTEGER 12 (TGS-REQ)
#   6b 72 62 74 67 74            "krbtgt" (sname of the TGT carried in the pa-tgs-req AP-REQ)
#   a0 07 03 05 00 40 80 00 10   kdc-options [0] BIT STRING 0x40800010 = forwardable, renewable, renewable-ok
#   63 69 66 73                  "cifs" (requested service class); other service classes do not match
# flowbits:isnotset together with flowbits:set on the same bit limits the alert to once per flow.
# Caveat: the metadata tag mitre_technique_id T1558_004 is the AS-REP Roasting sub-technique; a TGS-REQ is not an AS exchange, so verify the sub-technique before relying on that tag.
alert tcp any any -> $HOME_NET 88 (msg:"🐾 - 🔔 Suspicious Kerberos TGS-Request to Active Directory 🪟 for CIFS service - Possible TGS requested from Rubeus 🥷 - T1558"; flow:to_server, stateless; flowbits:set,pptrls.suspkrbtgsrep; flowbits:isnotset,pptrls.suspkrbtgsrep; content:"|30 82|"; content:"|03 02 01 05|"; distance:2; content:"|03 02 01 0c|"; distance:1; target:dest_ip; content:"|6b 72 62 74 67 74|"; content:"|a0 07 03 05 00 40 80 00 10|"; fast_pattern; content:"|63 69 66 73|"; content:!"|ff 79|"; reference:url,https://attack.mitre.org/techniques/T1558/; reference:url,https://github.com/GhostPack/Rubeus?tab=readme-ov-file#asktgs; metadata:created_at 2025_03_29, updated_at 2025_03_30, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_004, mitre_technique_name Steal_or_Forge_Kerberos_Tickets; sid:3321438; rev:6; classtype:credential-theft;)
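Added example, not code from the pawpatrules page or the Rubeus project: a pure-Python re-implementation of the rule's content and distance checks, run over a constructed, simplified DER TGS-REQ so you can see where each pattern sits in the message and why a non-CIFS request or a request with different kdc-options does not fire. The realm, hostnames and encrypted-part filler are made up, the ASN.1 builder is minimal (small INTEGERs only), and the matcher takes the first occurrence of each relative pattern rather than reproducing Suricata's backtracking, which is enough for this sample.

```python
# Added example (not from the pawpatrules page or Rubeus): SID 3321438's byte checks
# re-implemented in Python over a constructed TGS-REQ. Realm/hosts/filler are made up.
import struct

def der_len(n: int) -> bytes:
    """DER length octets: short form, 0x81 (1 byte) or 0x82 (2 bytes) long form."""
    if n < 0x80:
        return bytes([n])
    if n < 0x100:
        return b"\x81" + bytes([n])
    return b"\x82" + struct.pack(">H", n)

def tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n: int, body: bytes) -> bytes:      # [n] context-specific, constructed
    return tlv(0xA0 | n, body)

def integer(v: int) -> bytes:               # small non-negative INTEGER only (< 0x80)
    return tlv(0x02, bytes([v]))

def gstr(s: str) -> bytes:                  # GeneralString
    return tlv(0x1B, s.encode())

def principal(names) -> bytes:              # PrincipalName { name-type [0], name-string [1] }
    return tlv(0x30, ctx(0, integer(1)) + ctx(1, tlv(0x30, b"".join(gstr(n) for n in names))))

def build_tgs_req(kdc_flags: bytes, service, realm: str = "CORP.LOCAL") -> bytes:
    """Constructed TGS-REQ: 4-byte TCP length prefix + [APPLICATION 12] KDC-REQ.

    The AP-REQ in pa-tgs-req and its Ticket have plausible structure but zero filler
    as encrypted parts; only the fields the rule inspects are meaningful.
    """
    enc_part = lambda body: tlv(0x30, ctx(0, integer(23)) + ctx(2, tlv(0x04, body)))
    ticket = tlv(0x61, tlv(0x30, ctx(0, integer(5)) + ctx(1, gstr(realm))
                       + ctx(2, principal(["krbtgt", realm]))   # the "krbtgt" the rule looks for
                       + ctx(3, enc_part(b"\x00" * 300))))       # >255 bytes forces 0x82 lengths
    ap_req = tlv(0x6E, tlv(0x30, ctx(0, integer(5)) + ctx(1, integer(14))
                       + ctx(2, tlv(0x03, b"\x00" * 5))           # ap-options, none set
                       + ctx(3, ticket) + ctx(4, enc_part(b"\x00" * 32))))
    padata = tlv(0x30, tlv(0x30, ctx(1, integer(1)) + ctx(2, tlv(0x04, ap_req))))  # PA-TGS-REQ
    req_body = tlv(0x30, ctx(0, tlv(0x03, b"\x00" + kdc_flags))   # kdc-options BIT STRING
                   + ctx(2, gstr(realm)) + ctx(3, principal(service))
                   + ctx(5, tlv(0x18, b"20370913024805Z"))         # till
                   + ctx(7, integer(0x2A))                          # nonce
                   + ctx(8, tlv(0x30, integer(18) + integer(17) + integer(23))))  # etype list
    kdc_req = tlv(0x30, ctx(1, integer(5)) + ctx(2, integer(12)) + ctx(3, padata) + ctx(4, req_body))
    tgs_req = tlv(0x6C, kdc_req)
    return struct.pack(">I", len(tgs_req)) + tgs_req

# The rule's content checks in order: (pattern, negated, distance-from-previous-match or None).
RULE_CONTENTS = [
    (bytes.fromhex("3082"), False, None),                 # SEQUENCE, long-form length
    (bytes.fromhex("03020105"), False, 2),                # pvno 5, after the 2 length bytes
    (bytes.fromhex("0302010c"), False, 1),                # msg-type 12 (TGS-REQ), after the a2 tag
    (b"krbtgt", False, None),                             # TGT sname inside the AP-REQ
    (bytes.fromhex("a00703050040800010"), False, None),   # kdc-options 0x40800010 (fast_pattern)
    (b"cifs", False, None),                               # requested service class
    (bytes.fromhex("ff79"), True, None),                  # must be absent anywhere in payload
]

def rule_matches(payload: bytes) -> bool:
    """Emulate Suricata content semantics: absolute search unless distance:N is set,
    in which case the search starts N bytes after the previous match; negated
    contents without modifiers must not occur anywhere. First-match only (no backtracking)."""
    pos = 0
    for pat, negated, distance in RULE_CONTENTS:
        start = 0 if distance is None else pos + distance
        idx = payload.find(pat, start)
        if negated:
            if idx != -1:
                return False
            continue
        if idx == -1:
            return False
        pos = idx + len(pat)
    return True

# KDCOptions bit numbers per RFC 4120 s5.4.1 (bit 0 is the MSB of the 32-bit value);
# canonicalize (bit 15) is from RFC 6806.
KDC_OPTION_BITS = {1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
                   5: "allow-postdate", 6: "postdated", 8: "renewable", 15: "canonicalize",
                   26: "disable-transited-check", 27: "renewable-ok", 28: "enc-tkt-in-skey",
                   30: "renew", 31: "validate"}

def decode_kdc_options(value: bytes) -> list:
    """Name the flags set in the 4 value bytes of the kdc-options BIT STRING."""
    v = int.from_bytes(value, "big")
    return [name for bit, name in sorted(KDC_OPTION_BITS.items()) if (v >> (31 - bit)) & 1]

if __name__ == "__main__":
    rubeus_like = build_tgs_req(bytes.fromhex("40800010"), ["cifs", "fs01.corp.local"])
    print("rule flags:", decode_kdc_options(bytes.fromhex("40800010")))
    print("cifs, 0x40800010 :", rule_matches(rubeus_like))
    print("cifs, 0x40810010 :", rule_matches(build_tgs_req(bytes.fromhex("40810010"), ["cifs", "fs01.corp.local"])))
    print("ldap, 0x40800010 :", rule_matches(build_tgs_req(bytes.fromhex("40800010"), ["ldap", "dc01.corp.local"])))
```

Run it to see the rule fire on the constructed CIFS request carrying kdc-options 0x40800010 and stay silent when either the kdc-options differ by a single bit or the service class is not cifs, which is the scope of this signature; a request for any other SPN class with the same options needs its own rule.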

Metadata

created_at: 2025_03_29
updated_at: 2025_03_30
signature_severity: Major
attack_target: Server_Endpoint
affected_product: Windows_Server_32_64_Bit
mitre_tactic_id: TA0006
mitre_tactic_name: Credential_Access
mitre_technique_id: T1558_004
mitre_technique_name: Steal_or_Forge_Kerberos_Tickets
