Detects Kerberoasting attacks by monitoring anomalous Kerberos TGS requests to SPN service accounts. Useful for threat hunting, incident response, and security assessments using EDR/SIEM tools.
npx claudepluginhub killvxk/cybersecurity-skills-zh
- When proactively hunting for Kerberoasting attack indicators in the environment
Executes Kerberoasting attacks with Impacket's GetUserSPNs.py to request, extract, and offline-crack Kerberos TGS tickets from Active Directory service accounts. For red-teaming Active Directory environments.
| Concept | Description |
|---|---|
| T1558.003 | Kerberoasting |
| T1558.004 | AS-REP Roasting |
| T1558.001 | Golden Ticket |
| Tool | Purpose |
|---|---|
| CrowdStrike Falcon | EDR telemetry and threat detection |
| Microsoft Defender for Endpoint | Advanced hunting with KQL |
| Splunk Enterprise | SIEM log analysis with SPL queries |
| Elastic Security | Detection rules and investigation timelines |
| Sysmon | Detailed Windows event monitoring |
| Velociraptor | Endpoint artifact collection and hunting |
| Sigma Rules | Cross-platform detection rule format |
Hunt ID: TH-DETECT-[DATE]-[SEQ]
Technique: T1558.003
Host: [hostname]
User: [account context]
Evidence: [log entries, process tree, network data]
Risk Level: [Critical/High/Medium/Low]
Confidence: [High/Medium/Low]
Recommended Action: [contain, investigate, monitor]
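The following is an added example, not code from the skill or its author, showing the hunting logic the description above summarises ("anomalous Kerberos TGS requests to SPN service accounts") run over constructed Windows Security Event ID 4769 records and written up in the finding template above. It assumes the 4769 fields have already been pulled from the SIEM into dicts (hypothetical field names `requester`, `client_ip`, `service`, `enc_type`, `time`), treats an RC4 ticket encryption type (0x17/0x18) requested for a non-computer service account as the primary indicator, and raises the risk level when one requester asks for many distinct SPNs inside a short window. All hosts, users and SPNs are constructed sample values.

```python
"""Toy Kerberoasting hunt over constructed Event ID 4769 records.

Added example, not part of the original skill. Assumptions (hypothetical):
- records are pre-parsed 4769 fields; in practice they come from Splunk,
  Defender for Endpoint or Elastic queries;
- RC4 (0x17/0x18) TGS requests for user accounts with SPNs are suspicious,
  and a burst of distinct SPNs from one requester is the strongest signal.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample 4769 records (hypothetical domain, users and SPNs).
SAMPLE_4769 = [
    {"time": "2024-05-01T10:00:01", "requester": "CORP\\jdoe", "client_ip": "10.0.0.25",
     "service": "svc_sql", "enc_type": "0x12"},       # AES, normal use
    {"time": "2024-05-01T10:00:02", "requester": "CORP\\jdoe", "client_ip": "10.0.0.25",
     "service": "WKSTN01$", "enc_type": "0x12"},      # computer account, ignored
    {"time": "2024-05-01T10:05:00", "requester": "CORP\\mallory", "client_ip": "10.0.0.77",
     "service": "svc_sql", "enc_type": "0x17"},
    {"time": "2024-05-01T10:05:01", "requester": "CORP\\mallory", "client_ip": "10.0.0.77",
     "service": "svc_iis", "enc_type": "0x17"},
    {"time": "2024-05-01T10:05:02", "requester": "CORP\\mallory", "client_ip": "10.0.0.77",
     "service": "svc_backup", "enc_type": "0x17"},
    {"time": "2024-05-01T10:05:03", "requester": "CORP\\mallory", "client_ip": "10.0.0.77",
     "service": "svc_sccm", "enc_type": "0x17"},
    {"time": "2024-05-01T10:05:04", "requester": "CORP\\mallory", "client_ip": "10.0.0.77",
     "service": "krbtgt", "enc_type": "0x17"},        # krbtgt excluded here
]

RC4_ENC_TYPES = {"0x17", "0x18"}   # RC4-HMAC, RC4-HMAC-EXP
SPN_BURST_THRESHOLD = 3            # distinct SPNs per requester per window
WINDOW = timedelta(minutes=5)


def is_roastable_service(service: str) -> bool:
    """User accounts with SPNs; skip computer accounts ($) and krbtgt."""
    return not service.endswith("$") and service.lower() != "krbtgt"


def distinct_spns_in_window(evs, window):
    """Largest set of distinct SPNs requested within any `window`-long span."""
    evs = sorted(evs, key=lambda e: e["time"])
    times = [datetime.fromisoformat(e["time"]) for e in evs]
    best = set()
    for i, start in enumerate(times):
        seen = {evs[j]["service"] for j in range(i, len(evs)) if times[j] - start <= window}
        if len(seen) > len(best):
            best = seen
    return best


def hunt_kerberoasting(events):
    """Return one finding dict per requester with RC4 TGS requests for SPN accounts."""
    by_requester = defaultdict(list)
    for ev in events:
        if ev["enc_type"] in RC4_ENC_TYPES and is_roastable_service(ev["service"]):
            by_requester[ev["requester"]].append(ev)
    findings = []
    for requester, evs in by_requester.items():
        spns = distinct_spns_in_window(evs, WINDOW)
        burst = len(spns) >= SPN_BURST_THRESHOLD
        findings.append({
            "technique": "T1558.003",
            "host": evs[0]["client_ip"],      # 4769 carries the client IP, not hostname
            "user": requester,
            "evidence": [f"4769 {e['time']} {e['service']} enc={e['enc_type']}" for e in evs],
            "spn_count": len(spns),
            "risk": "High" if burst else "Medium",
            "confidence": "High" if burst else "Medium",
            "action": "Contain and investigate" if burst else "Investigate",
        })
    return findings


def render_finding(f, date="20240501", seq=1) -> str:
    """Write a finding in the hunt template format used above."""
    return "\n".join([
        f"Hunt ID: TH-DETECT-{date}-{seq:03d}",
        f"Technique: {f['technique']}",
        f"Host: {f['host']}",
        f"User: {f['user']}",
        "Evidence: " + "; ".join(f["evidence"]),
        f"Risk Level: {f['risk']}",
        f"Confidence: {f['confidence']}",
        f"Recommended Action: {f['action']}",
    ])


if __name__ == "__main__":
    for i, finding in enumerate(hunt_kerberoasting(SAMPLE_4769), start=1):
        print(render_finding(finding, seq=i), end="\n\n")
```

The per-requester burst threshold matters because some legacy applications still request RC4 tickets legitimately; a single RC4 request is worth a Medium-risk look, while several distinct SPNs from one client in minutes is the pattern a ticket-harvesting tool produces. Keying the host on the 4769 client IP mirrors what the event actually carries; resolving it to a hostname is a separate enrichment step.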