From f68af2a5da2f34f8cdc6f572b6fff4bc743cd9cd Mon Sep 17 00:00:00 2001
From: Thomas Patzke
Date: Sun, 25 Mar 2018 23:18:22 +0200
Subject: [PATCH] Added reference to Kerberos RC4 rule
---
 rules/windows/builtin/win_susp_rc4_kerberos.yml | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/rules/windows/builtin/win_susp_rc4_kerberos.yml b/rules/windows/builtin/win_susp_rc4_kerberos.yml
index 0e355b2fc..0626fe39a 100644
--- a/rules/windows/builtin/win_susp_rc4_kerberos.yml
+++ b/rules/windows/builtin/win_susp_rc4_kerberos.yml
@@ -2,7 +2,8 @@ title: Suspicious Kerberos RC4 Ticket Encryption
 status: experimental
 references:
 - https://adsecurity.org/?p=3458
-description: Detects logons using RC4 encryption type
+ - https://www.trimarcsecurity.com/single-post/TrimarcResearch/Detecting-Kerberoasting-Activity
+description: Detects service ticket requests using RC4 encryption type
 logsource:
 product: windows
 service: security
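Review bot: The new `description` says what is matched but not why it matters. The added Trimarc reference is about Kerberoasting, and naming that would help whoever triages the alert, e.g. `description: Detects service ticket requests using RC4 encryption type, a possible indicator of Kerberoasting`. RC4 service tickets are also requested legitimately by legacy systems and by accounts that have no AES keys, so the rule's `falsepositives` section (outside this hunk, not visible here) should say so if it does not already. The rule body continues past `service: security`, so the selection itself cannot be checked from this hunk.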