Kerberoasting Spn Request With RC4 Encryption
Description
This search detects a potential kerberoasting attack via service principal name requests
Use Case
Security Monitoring
Category
Adversary Tactics
Alert Volume
This search detects a potential kerberoasting attack via service principal name requests
SPL Difficulty
None
Journey
Stage 1
MITRE ATT&CK Tactics
Credential Access
MITRE ATT&CK Techniques
Steal or Forge Kerberos Tickets
Kerberoasting
MITRE Threat Groups
Wizard Spider
Data Sources
Windows Security
Help |
---|
Kerberoasting Spn Request With RC4 Encryption Help: You must be ingesting endpoint data that tracks process activity, and include the Windows Security event logs that contain Kerberos |
Search |
---|
`wineventlog_security` EventCode=4769 Ticket_Options=0x40810000 Ticket_Encryption_Type=0x17 | stats count min(_time) as firstTime max(_time) as lastTime by dest, service, service_id, Ticket_Encryption_Type, Ticket_Options | `security_content_ctime(lastTime)` | `security_content_ctime(firstTime)` | `kerberoasting_spn_request_with_rc4_encryption_filter` |
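
The filter and `stats` grouping of the search above, re-implemented in Python over constructed events so the matching conditions can be checked offline. This is an added example, not part of the original content; the sample events, SIDs, host names and the helper names `_ev`, `_hex`, `matches` and `detect` are assumptions, and only the field names and the three filter values come from the search.

```python
# Added example: the page's 4769 filter and stats, applied to constructed events.
EVENT_CODE = "4769"            # value from the search on this page
TICKET_OPTIONS = 0x40810000    # value from the search on this page
RC4_ETYPE = 0x17               # value from the search on this page

# Constructed sample events (not real logs); field names follow the search.
def _ev(t, code, dest, service, sid, opts, etype):
    return {"_time": t, "EventCode": code, "dest": dest, "service": service,
            "service_id": sid, "Ticket_Options": opts, "Ticket_Encryption_Type": etype}

SAMPLE_EVENTS = [
    _ev(1700000000, "4769", "dc01", "svc_sql", "S-1-5-21-1-2-3-1105", "0x40810000", "0x17"),
    _ev(1700000300, "4769", "dc01", "svc_sql", "S-1-5-21-1-2-3-1105", "0x40810000", "0x17"),
    # 0x12 is AES256, so this request is not an RC4 ticket and must not match.
    _ev(1700000400, "4769", "dc01", "svc_web", "S-1-5-21-1-2-3-1106", "0x40810000", "0x12"),
    # RC4, but different ticket options: must not match.
    _ev(1700000500, "4769", "dc01", "svc_sql", "S-1-5-21-1-2-3-1105", "0x40810010", "0x17"),
    # Different event code: must not match.
    _ev(1700000600, "4768", "dc01", "krbtgt", "S-1-5-21-1-2-3-502", "0x40810000", "0x17"),
    _ev(1700000700, "4769", "dc02", "svc_backup", "S-1-5-21-1-2-3-1107", "0x40810000", "0x17"),
]

def _hex(value):
    """Parse a hex string such as '0x17'; return None if it is not hex."""
    try:
        return int(str(value), 16)
    except ValueError:
        return None

def matches(event):
    """Same three conditions as the search: event code, ticket options, RC4 etype."""
    return (str(event.get("EventCode")) == EVENT_CODE
            and _hex(event.get("Ticket_Options")) == TICKET_OPTIONS
            and _hex(event.get("Ticket_Encryption_Type")) == RC4_ETYPE)

def detect(events):
    """stats count, min(_time), max(_time) by dest, service, service_id.
    Ticket_Encryption_Type and Ticket_Options are constant after the filter."""
    groups = {}
    for ev in filter(matches, events):
        key = (ev["dest"], ev["service"], ev["service_id"])
        g = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        g["count"] += 1
        g["firstTime"] = min(g["firstTime"], ev["_time"])
        g["lastTime"] = max(g["lastTime"], ev["_time"])
    return groups

if __name__ == "__main__":
    for key, g in detect(SAMPLE_EVENTS).items():
        print(key, g)
```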