API

Windows vulnerable spn enumerated

Documentos > Datadog Security > OOTB Rules > Windows vulnerable spn enumerated

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1558-steal-or-forge-kerberos-tickets

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detects when multiple Service Principle Names (SPN) are requested with weak encryption types. This could be evidence of a kerberoasting attack being conducted

Strategy

Monitoring of Windows event logs where @evt.id is 4769 and grouping by @Event.EventData.Data.TargetUserName.

Triage & Response

Verify if {{@Event.EventData.Data.TargetUserName}} is expected to request multiple SPN’s. If possible, disable usage of weak encryption types such as RC4 for kerberos tickets.