T1558.003

Kerberoasting

Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to [Brute Force](https://attack.mitre.org/techniques/T1110). (Citation: Empire InvokeKerberoast Oct 2016) (Citation: AdSecurity Cracking Kerberos Dec 2015) Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least ...

Windows

31 Detections, 4 Sources, 3 Threat Actors

BY SOURCE

15 sigma, 8 splunk_escu, 7 elastic, 1 crowdstrike_cql

PROCEDURES (26)

Token: 2 detections (auto-extracted for "token")

Encrypt: 2 detections (auto-extracted for "encrypt")

Spray: 2 detections (auto-extracted for "spray")

Kerbero: 2 detections (auto-extracted for "kerbero")

Script Block: 2 detections (auto-extracted for "script block")

Process Creation Monitoring: 1 detection (auto-extracted for "process creation monitoring")

Command Line Monitoring: 1 detection (auto-extracted for "command line monitoring")

Service: 1 detection (auto-extracted for "service")

Dump: 1 detection (auto-extracted for "dump")

Encrypt: 1 detection (auto-extracted for "encrypt")

Lsass: 1 detection (auto-extracted for "lsass")

Powershell: 1 detection (auto-extracted for "powershell")

Dump: 1 detection (auto-extracted for "dump")

Persist: 1 detection (auto-extracted for "persist")

Service: 1 detection (auto-extracted for "service")

Authentication Monitoring: 1 detection (auto-extracted for "authentication monitoring")

Persist: 1 detection (auto-extracted for "persist")

Unusual: 1 detection (auto-extracted for "unusual")

Lateral: 1 detection (auto-extracted for "lateral")

Privilege: 1 detection (auto-extracted for "privilege")

Privilege: 1 detection (auto-extracted for "privilege")

Encrypt: 1 detection (auto-extracted for "encrypt")

Unusual: 1 detection (auto-extracted for "unusual")

Suspicious: 1 detection (auto-extracted for "suspicious")

Lsass: 1 detection (auto-extracted for "lsass")

Privilege: 1 detection (auto-extracted for "privilege")

DETECTIONS (31)

Credential Dumping Detection
crowdstrike_cql
HackTool - KrbRelay Execution
sigma, high
HackTool - KrbRelayUp Execution
sigma, high
HackTool - RemoteKrbRelay Execution
sigma, high
HackTool - Rubeus Execution
sigma, critical
HackTool - Rubeus Execution - ScriptBlock
sigma, high
Kerberoasting Activity - Initial Query
sigma, medium
Kerberoasting spn request with RC4 encryption
splunk_escu
Kerberos Cached Credentials Dumping
elastic, high
Kerberos Network Traffic RC4 Ticket Encryption
sigma, medium
Kerberos Traffic from Unusual Process
elastic, medium
No Suitable Encryption Key Found For Generating Kerberos Ticket
sigma, low
Potential Kerberos Attack via Bifrost
elastic, high
Potential PowerShell HackTool Script by Function Names
elastic, medium
Potential SPN Enumeration Via Setspn.EXE
sigma, medium
PowerShell Kerberos Ticket Request
elastic, high
Register new Logon Process by Rubeus
sigma, high
Rubeus Command Line Parameters
splunk_escu
ServicePrincipalNames Discovery with PowerShell
splunk_escu
ServicePrincipalNames Discovery with SetSPN
splunk_escu
Suspicious Kerberos Authentication Ticket Request
elastic, high
Suspicious Kerberos RC4 Ticket Encryption
sigma, medium
Suspicious Kerberos Ticket Request via CLI
sigma, high
Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
sigma, high
Uncommon Outbound Kerberos Connection - Security
sigma, medium
Unusual Number of Kerberos Service Tickets Requested
splunk_escu
User account exposed to Kerberoasting
elastic, medium
User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'
sigma, high
Windows PowerView Kerberos Service Ticket Request
splunk_escu
Windows PowerView SPN Discovery
splunk_escu
Windows Process With NetExec Command Line Parameters
splunk_escu