Tag

Kerberoasting

3 briefs RSS

PowerShell Kerberos Ticket Request via KerberosRequestorSecurityToken

This rule detects PowerShell scripts that request Kerberos service tickets using KerberosRequestorSecurityToken, potentially indicating Kerberoasting attacks for offline password cracking of service accounts.

Elastic Security kerberoasting credential_access windows

2r 1t Jan 9, 2024

medium threat

Kerberos Traffic from Unusual Process

2 rules 2 TTPs

Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.

Elastic Defend +22 kerberoasting credential-access lateral-movement windows

2r 2t Jan 3, 2024

medium advisory

User Account ServicePrincipalName Attribute Modified

2 rules 2 TTPs

Detection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.

Active Directory kerberoasting credential-access windows spn

2r 2t Jan 2, 2024