[New Rule] PowerShell Kerberos Ticket Request (#1715)
* PowerShell Kerberos Ticket Request Initial Rule * bump date
This commit is contained in:
Jonhnathan
@@ -0,0 +1,76 @@
|
||||
[metadata]
|
||||
creation_date = "2021/01/24"
|
||||
maturity = "production"
|
||||
updated_date = "2021/01/24"
|
||||
|
||||
[rule]
|
||||
author = ["Elastic"]
|
||||
description = """
|
||||
Detects PowerShell scripts that have the capability of requesting kerberos tickets, which is common step in
|
||||
Kerberoasting toolkits to crack service accounts.
|
||||
"""
|
||||
from = "now-9m"
|
||||
index = ["winlogbeat-*", "logs-windows.*"]
|
||||
language = "kuery"
|
||||
license = "Elastic License v2"
|
||||
name = "PowerShell Kerberos Ticket Request"
|
||||
references = [
|
||||
"https://cobalt.io/blog/kerberoast-attack-techniques",
|
||||
"https://github.com/EmpireProject/Empire/blob/master/data/module_source/credentials/Invoke-Kerberoast.ps1",
|
||||
]
|
||||
risk_score = 47
|
||||
rule_id = "eb610e70-f9e6-4949-82b9-f1c5bcd37c39"
|
||||
severity = "medium"
|
||||
tags = ["Elastic", "Host", "Windows", "Threat Detection", "Credential Access"]
|
||||
timestamp_override = "event.ingested"
|
||||
type = "query"
|
||||
|
||||
query = '''
|
||||
event.category:process and
|
||||
powershell.file.script_block_text : (
|
||||
KerberosRequestorSecurityToken
|
||||
)
|
||||
'''
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1003"
|
||||
name = "OS Credential Dumping"
|
||||
reference = "https://attack.mitre.org/techniques/T1003/"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1558"
|
||||
name = "Steal or Forge Kerberos Tickets"
|
||||
reference = "https://attack.mitre.org/techniques/T1558/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1558.003"
|
||||
name = "Kerberoasting"
|
||||
reference = "https://attack.mitre.org/techniques/T1558/003/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0006"
|
||||
name = "Credential Access"
|
||||
reference = "https://attack.mitre.org/tactics/TA0006/"
|
||||
|
||||
|
||||
[[rule.threat]]
|
||||
framework = "MITRE ATT&CK"
|
||||
|
||||
[[rule.threat.technique]]
|
||||
id = "T1059"
|
||||
name = "Command and Scripting Interpreter"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/"
|
||||
|
||||
[[rule.threat.technique.subtechnique]]
|
||||
id = "T1059.001"
|
||||
name = "PowerShell"
|
||||
reference = "https://attack.mitre.org/techniques/T1059/001/"
|
||||
|
||||
[rule.threat.tactic]
|
||||
id = "TA0002"
|
||||
name = "Execution"
|
||||
reference = "https://attack.mitre.org/tactics/TA0002/"
|
||||
Reference in New Issue
Block a user