/* Yara Rule Set Author: Florian Roth Date: 2016-05-21 Identifier: Kerberoast */ rule GetUserSPNs_VBS { meta: description = "Auto-generated rule - file GetUserSPNs.vbs" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/skelsec/PyKerberoast" date = "2016-05-21" hash1 = "8dcb568d475fd8a0557e70ca88a262b7c06d0f42835c855b52e059c0f5ce9237" id = "5576c1b9-4670-52c5-b23c-64adcc8709de" strings: $s1 = "Wscript.Echo \"User Logon: \" & oRecordset.Fields(\"samAccountName\")" fullword ascii $s2 = "Wscript.Echo \" USAGE: \" & WScript.ScriptName & \" SpnToFind [GC Servername or Forestname]\"" fullword ascii $s3 = "strADOQuery = \"<\" + strGCPath + \">;(&(!objectClass=computer)(servicePrincipalName=*));\" & _" fullword ascii condition: 2 of them } rule GetUserSPNs_PS1 { meta: description = "Auto-generated rule - file GetUserSPNs.ps1" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/skelsec/PyKerberoast" date = "2016-05-21" hash1 = "1b69206b8d93ac86fe364178011723f4b1544fff7eb1ea544ab8912c436ddc04" id = "a2fba75c-264f-5e89-afaf-9d19a4a90784" strings: $s1 = "$ForestInfo = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()" fullword ascii $s2 = "@{Name=\"PasswordLastSet\"; Expression={[datetime]::fromFileTime($result.Properties[\"pwdlastset\"][0])} } #, `" fullword ascii $s3 = "Write-Host \"No Global Catalogs Found!\"" fullword ascii $s4 = "$searcher.PropertiesToLoad.Add(\"pwdlastset\") | Out-Null" fullword ascii condition: 2 of them } rule kerberoast_PY { meta: description = "Auto-generated rule - file kerberoast.py" license = "Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE" author = "Florian Roth (Nextron Systems)" reference = "https://github.com/skelsec/PyKerberoast" date = "2016-05-21" hash1 = "73155949b4344db2ae511ec8cab85da1ccbf2dfec3607fb9acdc281357cdf380" id = "cea6cdb2-cd1a-5701-a9d1-27c788a962a7" strings: $s1 = "newencserverticket = kerberos.encrypt(key, 2, encoder.encode(decserverticket), nonce)" fullword ascii $s2 = "key = kerberos.ntlmhash(args.password)" fullword ascii $s3 = "help='the password used to decrypt/encrypt the ticket')" fullword ascii $s4 = "newencserverticket = kerberos.encrypt(key, 2, e, nonce)" fullword ascii condition: 2 of them }