Add rule of Kerberoasting and AS-REP Roasting #91 (#101)

* Feature/call error message struct#66 (#69) * change way to use write trait #66 * change call error message struct #66 * erase finished TODO #66 * erase comment in error message format test #66 * resolve conflict #66 * Feature/call error message struct#66 (#71) * change ERROR writeln struct #66 * add Kerberoasting & AS-REP Roasting Rule #91 * fix rule and add alias #91
2021-05-13 22:52:15 +09:00
parent e0b5434716
commit 99b640adaa
3 changed files with 39 additions and 1 deletions
--- a/config/eventkey_alias.txt
+++ b/config/eventkey_alias.txt
@@ -21,4 +21,6 @@ LogFileCleared,Event.UserData.LogFileCleared.SubjectUserName
 LogFileClearedSubjectUserName,Event.UserData.SubjectUserName
 SubjectUserName,Event.EventData.SubjectUserName
 SubjectUserSid,Event.EventData.SubjectUserSid
-DomainName,Event.EventData.SubjectDomainName
+DomainName,Event.EventData.SubjectDomainName
+TicketEncryptionType,Event.EventData.TicketEncryptionType
+PreAuthType,Event.EventData.PreAuthType
--- a/rules/kerberoast/as-rep-roasting.yml
+++ b/rules/kerberoast/as-rep-roasting.yml
@@ -0,0 +1,18 @@
+title: AS-REP Roasting
+description: For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4.
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4768
+        TicketEncryptionType: '0x17'
+        PreAuthType: 0
+falsepositives:
+    - unknown
+level: medium
+output: 'Detected AS-REP Roasting Risk Actvity.'
+creation_date: 2021/4/31
+updated_date: 2021/4/31
--- a/rules/kerberoast/kerberoasting.yml
+++ b/rules/kerberoast/kerberoasting.yml
@@ -0,0 +1,18 @@
+title: Kerberoasting
+description: Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.
+enabled: true
+author: Yea
+logsource: 
+    product: windows
+detection:
+    selection:
+        Channel: Security
+        EventID: 4768
+        TicketEncryptionType: '0x17'
+        PreAuthType: 2
+falsepositives:
+    - unknown
+level: medium
+output: 'Detected Kerberoasting Risk Activity.'
+creation_date: 2021/4/31
+updated_date: 2021/4/31