From 90651e37c290283a5d016950bd72f477f5f9851f Mon Sep 17 00:00:00 2001
From: keyboardcrunch
Date: Wed, 17 Mar 2021 20:21:25 -0500
Subject: [PATCH] Add detection for kerberoasting

---
 queries/windows/kerberoasting.yml | 15 +++++++++++++++
 1 file changed, 15 insertions(+)
 create mode 100644 queries/windows/kerberoasting.yml

diff --git a/queries/windows/kerberoasting.yml b/queries/windows/kerberoasting.yml
new file mode 100644
index 0000000..12c996d
--- /dev/null
+++ b/queries/windows/kerberoasting.yml
@@ -0,0 +1,15 @@
+title: Kerberoasting
+description: Detects Kerberoasting through generic IndicatorName, excluding ManySPNRequests due to high FP.
+author: keyboardcrunch
+date: 17/03/2021
+modified: null
+mitre:
+ tactic: Credential Access
+ technique: T1558
+ subtechnique: 003
+operating_system: linux
+query: IndicatorName StartsWith "Kerberoasting"
+false_positives: null
+tags: null
+references:
+ - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.003/T1558.003.md
\ No newline at end of file
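Review bot: `operating_system: linux` contradicts the rule's own placement under `queries/windows/` and the referenced technique (T1558.003 Kerberoasting targets Active Directory service-account SPNs), so any loader that scopes rules by OS will skip or mis-route this detection; it should read `operating_system: windows`. The description claims ManySPNRequests is excluded for high false positives, but the query `IndicatorName StartsWith "Kerberoasting"` contains no explicit exclusion — presumably that indicator simply does not share the prefix, and if so the rationale belongs in `false_positives` (currently `null`) where analysts triaging alerts will actually look, e.g. `false_positives: ManySPNRequests is intentionally not matched (high FP rate); legitimate service accounts requesting many RC4 TGS tickets may still trigger`. The `date: 17/03/2021` value is day-first and can be misparsed as month-first by tooling; an ISO date `2021-03-17` would be unambiguous. The file also lacks a trailing newline, which will make the next edit's diff noisier than it needs to be.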