🌙

Subscribe to the Taegis™ XDR Documentation RSS Feed at .

Learn more about RSS readers or RSS browser extensions.

Kerberoasting Detector

detectors

The Kerberoasting Detector identifies a possible Kerberos Ticket Granting Service (TGS) Service Ticket (ST) attack where a threat actor gathers, extracts, and cracks account password hashes offline in order to recover plaintext passwords. Its main advantage is that it allows a regular user to obtain credentials to a service account that has domain admin privileges without interacting with the target system.

Kerberoasting Detector

Kerberoasting Detector

Requirements

This detector requires the following data sources, integrations, or schemas:

Inputs

Detections are from the following normalized sources:

Outputs

Alerts from this detector are pushed to the XDR Alert Database and Alert Triage Dashboard.

Configuration Options

This detector is enabled by default when the required data sources or integrations are available in the tenant.

MITRE ATT&CK Category

Detector Testing

This detector does not have a supported testing method, though an Advanced Search will verify if alerts originated with this detector.

Note

If no supported testing method is available, an Advanced Search will show you if any alerts came from this detector if a qualifying event was observed. A search with no results does not indicate the detector is not working. A lack of search results for the detector may only indicate that the specific attack has not been observed in the tenant. However, it could indicate the underlying data is not available. Ensure the required schemas are provided in Data Sources along with the supported device type(s) for that schema.

FROM alert WHERE metadata.creator.detector.detector_id='app:detect:kerberoasting-detector'

References

 

On this page: