Tag

Kerberoasting

4 briefs RSS

Windows AD ServicePrincipalName Added To Domain Account

This Splunk analytic detects the addition of a Service Principal Name (SPN) to a domain account by monitoring Windows Event Code 5136 and changes to the servicePrincipalName attribute, potentially indicating Kerberoasting attempts leading to unauthorized access.

Splunk Enterprise +2 kerberoasting active_directory spn persistence

2r 1t 3w ago

high advisory

PowerShell Kerberos Ticket Request via KerberosRequestorSecurityToken

2 rules 1 TTP

This rule detects PowerShell scripts that request Kerberos service tickets using KerberosRequestorSecurityToken, potentially indicating Kerberoasting attacks for offline password cracking of service accounts.

Elastic Security kerberoasting credential_access windows

2r 1t Jan 9, 2024

medium threat

Kerberos Traffic from Unusual Process

2 rules 2 TTPs

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

Elastic Defend +22 kerberoasting credential-access lateral-movement windows

2r 2t Jan 3, 2024

medium advisory

User Account ServicePrincipalName Attribute Modified

2 rules 2 TTPs

Detection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.

Active Directory kerberoasting credential-access windows spn

2r 2t Jan 2, 2024