Replay Attack Detected

Oct 17, 2023 · attack.credential_access attack.t1558 ·

Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client

Sigma rule (View on GitHub)

 1title: Replay Attack Detected
 2id: 5a44727c-3b85-4713-8c44-4401d5499629
 3status: test
 4description: Detects possible Kerberos Replay Attack on the domain controllers when "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client
 5references:
 6    - https://github.com/Yamato-Security/EnableWindowsLogSettings/blob/7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def/ConfiguringSecurityLogAuditPolicies.md
 7    - https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4649
 8author: frack113
 9date: 2022/10/14
10tags:
11    - attack.credential_access
12    - attack.t1558
13logsource:
14    service: security
15    product: windows
16detection:
17    selection:
18        EventID: 4649
19    condition: selection
20falsepositives:
21    - Unknown
22level: high

References

EnableWindowsLogSettings/ConfiguringSecurityLogAuditPolicies.md at 7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def · Yamato-Security/EnableWindowsLogSettings

Documentation and scripts to properly enable Windows event logs. - Yamato-Security/EnableWindowsLogSettings

Read More
4649(S) A replay attack was detected. - Windows 10

Describes security event 4649(S) A replay attack was detected. This event is generated when a KRB_AP_ERR_REPEAT Kerberos response is sent to the client.

Read More

Replay Attack Detected

Sigma rule (View on GitHub)

References

EnableWindowsLogSettings/ConfiguringSecurityLogAuditPolicies.md at 7f6d755d45ac7cc9fc35b0cbf498e6aa4ef19def · Yamato-Security/EnableWindowsLogSettings

4649(S) A replay attack was detected. - Windows 10

Related rules