mirror of
https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git
synced 2026-06-11 13:44:56 +03:00
mukul975
27c6414ca5
Complete skill folder anatomy across all cybersecurity skills: - scripts/agent.py: 80-150 line Python agents using real libraries (impacket, boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.) - references/api-reference.md: real API documentation with method signatures - LICENSE: MIT license for all skill folders
1.4 KiB
1.4 KiB
API Reference: Detecting Kerberoasting Attacks
python-evtx Library
from Evtx.Evtx import FileHeader
with open("Security.evtx", "rb") as f:
fh = FileHeader(f)
for record in fh.records():
xml_string = record.xml()
Event ID 4769 - Kerberos TGS Request
<EventData>
<Data Name="TargetUserName">svc_sql</Data>
<Data Name="ServiceName">MSSQLSvc/db01.corp.local:1433</Data>
<Data Name="TicketEncryptionType">0x17</Data>
<Data Name="TicketOptions">0x40810000</Data>
<Data Name="IpAddress">::ffff:10.0.0.50</Data>
<Data Name="Status">0x0</Data>
</EventData>
Encryption Type Values
| Hex | Type | Risk |
|---|---|---|
| 0x17 | RC4-HMAC | Kerberoasting indicator |
| 0x18 | RC4-HMAC-EXP | Kerberoasting indicator |
| 0x11 | AES128-CTS-HMAC-SHA1 | Normal |
| 0x12 | AES256-CTS-HMAC-SHA1 | Normal |
Detection Logic
- Filter Event 4769 where TicketEncryptionType = 0x17 (RC4)
- Exclude machine accounts (ServiceName ending in
$) - Exclude krbtgt service
- Alert on high-volume TGS from single source (>10 unique SPNs in 5 min)
- Correlate with Event 4624 for source attribution
Event ID 4624 - Logon Event (Correlation)
<Data Name="TargetUserName">attacker_user</Data>
<Data Name="LogonType">3</Data>
<Data Name="IpAddress">10.0.0.50</Data>
<Data Name="WorkstationName">WORKSTATION1</Data>
MITRE ATT&CK Mapping
- T1558.003 - Kerberoasting
- T1558 - Steal or Forge Kerberos Tickets