Navigation :

Kerberoasting Spn Request With RC4 Encryption

Description

This search detects a potential kerberoasting attack via service principal name requests

Content Mapping

This content is not mapped to any local saved search. Add mapping

Use Case

Security Monitoring

Alert Volume

This search detects a potential kerberoasting attack via service principal name requests

SPL Difficulty

None

Journey

Stage 1

MITRE ATT&CK Tactics

Credential Access

MITRE ATT&CK Techniques

Steal or Forge Kerberos Tickets

Kerberoasting

MITRE Threat Groups

Wizard Spider

Data Sources

Windows Security

Help
Kerberoasting Spn Request With RC4 Encryption Help You must be ingesting endpoint data that tracks process activity, and include the windows security event logs that contain kerberos

Help

Kerberoasting Spn Request With RC4 Encryption Help

You must be ingesting endpoint data that tracks process activity, and include the windows security event logs that contain kerberos

Search
`wineventlog_security` EventCode=4769 Ticket_Options=0x40810000 Ticket_Encryption_Type=0x17 \| stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options \| `security_content_ctime(lastTime)` \| `security_content_ctime(firstTime)` \| `kerberoasting_spn_request_with_rc4_encryption_filter` Open in Search

Search

`wineventlog_security` EventCode=4769 Ticket_Options=0x40810000 Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter`

Open in Search