🐾 - 🔔 LDAP search request Kerberoastable users on Active Directory 🪟 - Possible 1st step of Kerberoasting Attack via Rubeus 🥷 - T1558.003

SID: 3321441
Rev: 1
121 views
Source: pawpatrules
Created: April 2, 2025
Updated: April 2, 2025
Classification: attempted-recon
alert tcp-pkt any any -> $HOME_NET 389 (msg:"🐾 - 🔔 LDAP search request Kerberoastable users on Active Directory 🪟 - Possible 1st step of Kerberoasting Attack via Rubeus 🥷 - T1558.003"; flow:to_server, stateless; content:"|a3 84 00 00 00 1b 04 0e 73 61 6d 41 63 63 6f 75 6e 74 54 79 70 65 04 09 38 30 35 33 30 36 33 36 38|"; content:"|87 14 73 65 72 76 69 63 65 50 72 69 6e 63 69 70 61 6c 4e 61 6d 65|"; content:"|a2 84 00 00 00 1e a3 84 00 00 00 18 04 0e 73 61 6d 41 63 63 6f 75 6e 74 4e 61 6d 65 04 06 6b 72 62 74 67 74|"; fast_pattern; reference:url,https://attack.mitre.org/techniques/T1558/003/; reference:url,https://github.com/GhostPack/Rubeus?tab=readme-ov-file#kerberoast; reference:url,https://medium.com/r3d-buck3t/attacking-service-accounts-with-kerberoasting-with-spns-de9894ca243f; metadata:created_at 2025_04_02, updated_at 2025_04_02, signature_severity Major, attack_target Server_Endpoint, affected_product Windows_Server_32_64_Bit, mitre_tactic_id TA0006, mitre_tactic_name Credential_Access, mitre_technique_id T1558_003, mitre_technique_name Steal_or_Forge_Kerberos_Tickets_Kerberoasting; sid:3321441; rev:1; classtype:attempted-recon;)
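To see what the three content matches are actually looking for, here is an added Python decoder (not part of pawpatrules or the rule itself) that turns the rule's BER-encoded LDAP filter fragments back into their string form; it also handles and/or filters, which the rule's bytes do not contain, so it can be pointed at a full captured SearchRequest filter as well.

```python
# Constructed copy of the three content matches from the signature above.
RULE_CONTENTS = [
    "|a3 84 00 00 00 1b 04 0e 73 61 6d 41 63 63 6f 75 6e 74 54 79 70 65 04 09 38 30 35 33 30 36 33 36 38|",
    "|87 14 73 65 72 76 69 63 65 50 72 69 6e 63 69 70 61 6c 4e 61 6d 65|",
    "|a2 84 00 00 00 1e a3 84 00 00 00 18 04 0e 73 61 6d 41 63 63 6f 75 6e 74 4e 61 6d 65 04 06 6b 72 62 74 67 74|",
]

def content_to_bytes(content: str) -> bytes:
    """Turn a Suricata |xx xx ..| hex content string into raw bytes."""
    return bytes.fromhex(content.strip("|").replace(" ", ""))

def read_tlv(buf: bytes, pos: int):
    """Read one BER tag-length-value at pos; returns (tag, value, next_pos).
    Handles short-form lengths and the long form (0x84 + 4 bytes) seen in the rule."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_filter(buf: bytes) -> str:
    """Render an LDAP Filter (RFC 4511 BER encoding) as its string form."""
    tag, value, _ = read_tlv(buf, 0)
    if tag in (0xA0, 0xA1):                # and / or: a sequence of sub-filters
        parts, pos = [], 0
        while pos < len(value):
            _, _, nxt = read_tlv(value, pos)
            parts.append(decode_filter(value[pos:nxt]))
            pos = nxt
        return "(" + ("&" if tag == 0xA0 else "|") + "".join(parts) + ")"
    if tag == 0xA2:                        # not: exactly one sub-filter
        return "(!" + decode_filter(value) + ")"
    if tag == 0xA3:                        # equalityMatch: attribute, assertion value
        _, attr, nxt = read_tlv(value, 0)
        _, val, _ = read_tlv(value, nxt)
        return f"({attr.decode()}={val.decode()})"
    if tag == 0x87:                        # present: attribute description only
        return f"({value.decode()}=*)"
    raise ValueError(f"unsupported filter tag 0x{tag:02x}")

def decode_rule_contents(contents=RULE_CONTENTS):
    """Decode every content match of the rule into a readable LDAP filter."""
    return [decode_filter(content_to_bytes(c)) for c in contents]

if __name__ == "__main__":
    for f in decode_rule_contents():
        print(f)
```

The decoded pieces are the classic Kerberoast query: user objects (samAccountType 805306368) that have a servicePrincipalName set, excluding krbtgt; any LDAP client that sends that filter with these BER length encodings, not only Rubeus, will match, so correlate hits with the source host and subsequent TGS-REQ volume before treating one alert as an attack.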

Metadata

created at: 2025_04_02
updated at: 2025_04_02
signature severity: Major
attack target: Server_Endpoint
affected product: Windows_Server_32_64_Bit
mitre tactic id: TA0006
mitre tactic name: Credential_Access
mitre technique id: T1558_003
mitre technique name: Steal_or_Forge_Kerberos_Tickets_Kerberoasting
