
Kerberoasting Activity - Initial Query (d04ae2b8-ad54-4de0-bd87-4bc1da66aa59)

This rule collects the data needed to start looking into possible kerberoasting activity. Further analysis or computation within the query is still needed, focusing on requests from one specific host/IP towards multiple service names within a time period of 5 seconds. You can then set a threshold for the number of requests and the time between the requests to turn this into an alert.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Kerberoasting Activity - Initial Query (d04ae2b8-ad54-4de0-bd87-4bc1da66aa59) | Sigma-Rules | Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) | Attack Pattern | 1 |
| Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) | Attack Pattern | Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | 2 |