--- /dev/null
+Test krb5 ticket encryption feature
+
+Pcap from https://www.ired.team/offensive-security-experiments/active-directory-kerberos-abuse/t1208-kerberoasting
--- /dev/null
+alert krb5 any any -> any any (krb5.ticket_encryption: weak; sid:1;)
+alert krb5 any any -> any any (krb5.ticket_encryption: 23; sid:2;)
+alert krb5 any any -> any any (krb5.ticket_encryption: rc4-hmac; sid:3;)
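Review bot: All three rules are satisfied by the same RC4 ticket, so the test cannot distinguish a keyword that correctly matches etype 23 from one that matches every ticket; the checks in the accompanying test file (count 1 for sids 1–3) would pass in both cases. A negative rule such as `alert krb5 any any -> any any (krb5.ticket_encryption: 18; sid:4;)` paired with a `count: 0` check for `alert.signature_id: 4` would pin down that the keyword actually discriminates on the enctype. Since the pcap is a TGS-REP exchange, it may also be worth noting in the README whether the AS-REP in the capture carries a ticket and whether these rules are expected to fire on it, as the rules do not constrain `krb5.msg_type`.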
--- /dev/null
+requires:
+ min-version: 7
+
+args:
+ - -k none
+
+checks:
+ - filter:
+ count: 0
+ match:
+ event_type: anomaly
+ - filter:
+ count: 1
+ match:
+ event_type: krb5
+ krb5.msg_type: KRB_TGS_REP
+ krb5.ticket_encryption: rc4-hmac
+ krb5.ticket_weak_encryption: true
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 1
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 2
+ - filter:
+ count: 1
+ match:
+ event_type: alert
+ alert.signature_id: 3