Windows vulnerable spn enumerated

windows

Classification:

attack

Tactic:

TA0006-credential-access

Technique:

T1558-steal-or-forge-kerberos-tickets

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detects when multiple Service Principle Names (SPN) are requested with weak encryption types. This could be evidence of a kerberoasting attack being conducted

Strategy

Monitoring of Windows event logs where @evt.id is 4769 and grouping by @Event.EventData.Data.TargetUserName.

Triage & Response

Verify if {{@Event.EventData.Data.TargetUserName}} is expected to request multiple SPN’s. If possible, disable usage of weak encryption types such as RC4 for kerberos tickets.