Rules Contributing to Steal or Forge Kerberos Tickets Alert

The following rules are used to identify suspicious activity to steal or forge kerberos tickets. Any one or more of these will trigger the Steal or Forge Kerberos Tickets Alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

Register new Logon Process by Rubeus

Detects potential use of Rubeus via registered new trusted logon process

Rule ID

windows_security_16

Query

{'selection': {'EventID': 4611, 'LogonProcessName': 'User32LogonProcesss'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,12e6d621-194f-4f59-90cc-1959e21e69f7

Author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community

Tactics, Techniques, and Procedures

T1558.003

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/10/24 high

  • Unknown

User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'

The 'LsaRegisterLogonProcess' function verifies that the application making the function call is a logon process by checking that it has the SeTcbPrivilege privilege set. Possible Rubeus tries to get a handle to LSA.

Rule ID

windows_security_116

Query

{'selection': {'EventID': 4673, 'Service': 'LsaRegisterLogonProcess()', 'Keywords': '0x8010000000000000'}, 'condition': 'selection'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,6daac7fc-77d1-449a-a71a-e6b4d59a0e54

Author: Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community

Tactics, Techniques, and Procedures

T1558.003

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
test 2019/10/24 high

  • Unknown

Suspicious Kerberos RC4 Ticket Encryption

Detects service ticket requests using RC4 encryption type

Rule ID

win_susp_rc4_kerberos

Query

{'selection': {'EventID': 4769, 'TicketOptions': '0x40810000', 'TicketEncryptionType': '0x17'}, 'reduction': {'ServiceName|endswith': '$'}, 'condition': 'selection and not reduction'}

Log Source

Stellar Cyber Windows Server Sensor configured for:

  • Collecting Windows Security Events

Rule Source

SigmaHQ,496a0e47-0a33-4dca-b009-9e6ca3591f39

Author: Florian Roth (Nextron Systems)

Tactics, Techniques, and Procedures

T1558.003

References

N/A

Additional Information

Maturity Creation Date Risk Level False Positives
experimental 2017/02/06 medium

  • Service accounts used on legacy systems (e.g. NetApp)

  • Windows Domains with DFL 2003 and legacy systems