Rules Contributing to Steal or Forge Kerberos Tickets Alert
The following rules identify activity consistent with stealing or forging Kerberos tickets. Any one of them firing raises the Steal or Forge Kerberos Tickets alert. The query, log source, rule source, author and severity of each rule are listed in the table below.
Title | Description | Query | Log Source | Rule Source | Author | Severity
---|---|---|---|---|---|---
Register new Logon Process by Rubeus | Detects potential use of Rubeus via a newly registered trusted logon process (Event ID 4611). The logon process name `User32LogonProcesss`, with its trailing triple `s`, is the string Rubeus itself registers; the rule matches that spelling deliberately. | `{'selection': {'EventID': 4611, 'LogonProcessName': 'User32LogonProcesss'}, 'condition': 'selection'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, 12e6d621-194f-4f59-90cc-1959e21e69f7 | Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community | 75
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess' | The `LsaRegisterLogonProcess` function verifies that the calling application is a logon process by checking that it holds SeTcbPrivilege. An Audit Failure event 4673 (Keywords `0x8010000000000000`) for this service means a caller without SeTcbPrivilege attempted the call, which is consistent with Rubeus trying to obtain a handle to LSA from an unprivileged context. | `{'selection': {'EventID': 4673, 'Service': 'LsaRegisterLogonProcess()', 'Keywords': '0x8010000000000000'}, 'condition': 'selection'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, 6daac7fc-77d1-449a-a71a-e6b4d59a0e54 | Roberto Rodriguez (source), Ilyas Ochkov (rule), oscd.community | 75
Suspicious Kerberos RC4 Ticket Encryption | Detects Kerberos service ticket requests (Event ID 4769) with ticket options `0x40810000` and RC4-HMAC encryption (type `0x17`), the pattern produced by Kerberoasting tools that request downgraded tickets for crackable service accounts. Requests for computer accounts (service names ending in `$`) are excluded by the reduction block. Service accounts that still require RC4 will produce benign matches, so tune on the requesting account and service name. | `{'selection': {'EventID': 4769, 'TicketOptions': '0x40810000', 'TicketEncryptionType': '0x17'}, 'reduction': {'ServiceName\|endswith': '$'}, 'condition': 'selection and not reduction'}` | Stellar Cyber Windows Server Sensor configured for: | SigmaHQ, 496a0e47-0a33-4dca-b009-9e6ca3591f39 | Florian Roth (Nextron Systems) | 50
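As an added example (not Stellar Cyber's or SigmaHQ's code), the following Python reproduces the three rule queries above as plain dictionaries and evaluates them against constructed Windows Security events, so that the effect of the `reduction` block and of the Audit Failure `Keywords` value is visible on real-looking input. Field names are assumed to follow the Sigma `windows/security` log source (`EventID`, `LogonProcessName`, `Service`, `Keywords`, `TicketOptions`, `TicketEncryptionType`, `ServiceName`); `TargetUserName` and all sample events are constructed. The last function goes beyond the page's single-event rule with a per-account count of RC4 ticket requests, the usual Kerberoasting burst heuristic.

```python
"""Evaluate the three Sigma selections listed above against sample events.

Added example, not Stellar Cyber or SigmaHQ code. Field names are assumed to
follow the Sigma windows/security log source; the events are constructed.
"""
from collections import Counter

# The rule bodies exactly as listed in the table above.
RULES = {
    "Register new Logon Process by Rubeus": {
        "selection": {"EventID": 4611, "LogonProcessName": "User32LogonProcesss"},
        "condition": "selection",
    },
    "User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'": {
        "selection": {"EventID": 4673, "Service": "LsaRegisterLogonProcess()",
                      "Keywords": "0x8010000000000000"},  # 0x801... = Audit Failure
        "condition": "selection",
    },
    "Suspicious Kerberos RC4 Ticket Encryption": {
        "selection": {"EventID": 4769, "TicketOptions": "0x40810000",
                      "TicketEncryptionType": "0x17"},  # 0x17 = RC4-HMAC
        "reduction": {"ServiceName|endswith": "$"},    # computer accounts
        "condition": "selection and not reduction",
    },
}


def field_matches(event, key, expected):
    """One Sigma field test: plain equality, or the |endswith modifier.
    Sigma string matching is case-insensitive, so compare lowercased text."""
    name, _, modifier = key.partition("|")
    if name not in event:
        return False
    actual, want = str(event[name]).lower(), str(expected).lower()
    if modifier == "":
        return actual == want
    if modifier == "endswith":
        return actual.endswith(want)
    raise ValueError(f"unsupported modifier: {modifier}")


def block_matches(event, block):
    """A selection/reduction block is an AND over its field tests."""
    return all(field_matches(event, k, v) for k, v in block.items())


def evaluate_condition(condition, results):
    """Only the two condition shapes used on this page are needed:
    '<block>' and '<block> and not <block>'."""
    tokens = condition.split()
    if len(tokens) == 1:
        return results[tokens[0]]
    if len(tokens) == 4 and tokens[1:3] == ["and", "not"]:
        return results[tokens[0]] and not results[tokens[3]]
    raise ValueError(f"unsupported condition: {condition}")


def matching_rules(event):
    """Titles of the rules whose condition is true for this event."""
    hits = []
    for title, rule in RULES.items():
        blocks = {name: block_matches(event, body)
                  for name, body in rule.items() if name != "condition"}
        if evaluate_condition(rule["condition"], blocks):
            hits.append(title)
    return hits


def rc4_requests_by_account(events):
    """Kerberoasting burst check (beyond the single-event rule): how many RC4
    service tickets for non-computer SPNs each account requested."""
    rc4 = "Suspicious Kerberos RC4 Ticket Encryption"
    return Counter(e["TargetUserName"] for e in events if rc4 in matching_rules(e))


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Rubeus registering its logon process; the triple 's' is Rubeus's own spelling.
    {"EventID": 4611, "LogonProcessName": "User32LogonProcesss", "SubjectUserName": "jdoe"},
    # Benign: a built-in logon process registering at boot.
    {"EventID": 4611, "LogonProcessName": "Winlogon", "SubjectUserName": "SYSTEM"},
    # Audit Failure: the caller did not hold SeTcbPrivilege.
    {"EventID": 4673, "Service": "LsaRegisterLogonProcess()",
     "Keywords": "0x8010000000000000", "SubjectUserName": "jdoe"},
    # Same call with Audit Success (0x8020000000000000): a genuine logon process.
    {"EventID": 4673, "Service": "LsaRegisterLogonProcess()",
     "Keywords": "0x8020000000000000", "SubjectUserName": "SYSTEM"},
    # RC4 service tickets for two user-style SPNs from one account.
    {"EventID": 4769, "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17",
     "ServiceName": "svc_sql", "TargetUserName": "jdoe@CORP.LOCAL"},
    {"EventID": 4769, "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17",
     "ServiceName": "svc_http", "TargetUserName": "jdoe@CORP.LOCAL"},
    # Computer account SPN: removed by the reduction block.
    {"EventID": 4769, "TicketOptions": "0x40810000", "TicketEncryptionType": "0x17",
     "ServiceName": "DC01$", "TargetUserName": "jdoe@CORP.LOCAL"},
    # AES256-CTS (0x12) ticket: not RC4, no hit.
    {"EventID": 4769, "TicketOptions": "0x40810000", "TicketEncryptionType": "0x12",
     "ServiceName": "svc_sql", "TargetUserName": "asmith@CORP.LOCAL"},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(event["EventID"], matching_rules(event) or "no rule matched")
    print(dict(rc4_requests_by_account(SAMPLE_EVENTS)))
```

Running it shows the first, third, fifth and sixth events matching one rule each, the Audit Success 4673 and the `DC01$` and AES tickets matching nothing, and `jdoe@CORP.LOCAL` with two RC4 requests; in production the matcher would be replaced by the sensor's own Sigma backend, but the per-account count is the kind of secondary check worth layering on top of the RC4 rule given its benign hits on legacy service accounts.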