Kerberos Manipulation
Detects failed Kerberos TGT issue operations. This can be a sign of manipulation of TGT messages by an attacker.
Sigma rule
title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
status: test
description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
references:
  - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
author: Florian Roth (Nextron Systems)
date: 2017-02-10
modified: 2024-01-16
tags:
  - attack.credential-access
  - attack.t1212
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID:
      - 675
      - 4768
      - 4769
      - 4771
    Status:
      - '0x9'
      - '0xA'
      - '0xB'
      - '0xF'
      - '0x10'
      - '0x11'
      - '0x13'
      - '0x14'
      - '0x1A'
      - '0x1F'
      - '0x21'
      - '0x22'
      - '0x23'
      - '0x24'
      - '0x26'
      - '0x27'
      - '0x28'
      - '0x29'
      - '0x2C'
      - '0x2D'
      - '0x2E'
      - '0x2F'
      - '0x31'
      - '0x32'
      - '0x3E'
      - '0x3F'
      - '0x40'
      - '0x41'
      - '0x43'
      - '0x44'
  condition: selection
falsepositives:
  - Faulty legacy applications
level: high
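The rule's selection logic evaluated against constructed Windows Security events, as an added example that is not part of the rule or this page. Note that the Status list deliberately omits the everyday failure codes (for instance 0x18, a plain wrong password), which is why the rule can sit at level high; the event field names assume the standard 4768/4769/4771 schema and the Status comparison is case-insensitive, as Sigma string matching is by default.

```python
"""Added example: evaluate the 'Kerberos Manipulation' selection over sample events."""

# Values copied from the rule's selection above.
EVENT_IDS = {675, 4768, 4769, 4771}
STATUS_CODES = {
    "0x9", "0xA", "0xB", "0xF", "0x10", "0x11", "0x13", "0x14", "0x1A", "0x1F",
    "0x21", "0x22", "0x23", "0x24", "0x26", "0x27", "0x28", "0x29", "0x2C", "0x2D",
    "0x2E", "0x2F", "0x31", "0x32", "0x3E", "0x3F", "0x40", "0x41", "0x43", "0x44",
}
# Sigma string matching is case-insensitive, so normalise the list once.
_STATUS_NORMALISED = {s.lower() for s in STATUS_CODES}


def matches(event: dict) -> bool:
    """True when the event satisfies 'selection': EventID AND Status both listed."""
    try:
        event_id = int(event.get("EventID"))
    except (TypeError, ValueError):
        return False  # malformed or missing EventID never matches
    status = str(event.get("Status", "")).lower()
    return event_id in EVENT_IDS and status in _STATUS_NORMALISED


def find_alerts(events):
    """Return the subset of events that would fire the rule."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry); field names follow the 4768/4769/4771 schema.
SAMPLE_EVENTS = [
    # 4771 with 0x18 (KDC_ERR_PREAUTH_FAILED, a wrong password): not in the rule's list.
    {"EventID": 4771, "TargetUserName": "jdoe", "Status": "0x18", "IpAddress": "10.0.0.5"},
    # 4768 with 0x0: a successful TGT request, never matches.
    {"EventID": 4768, "TargetUserName": "jdoe", "Status": "0x0", "IpAddress": "10.0.0.5"},
    # 4771 with 0x1F (KRB_AP_ERR_BAD_INTEGRITY): listed, so it fires.
    {"EventID": 4771, "TargetUserName": "svc-backup", "Status": "0x1F", "IpAddress": "10.0.0.9"},
    # 4769 with lower-case hex: still fires because the comparison is case-insensitive.
    {"EventID": 4769, "TargetUserName": "admin", "Status": "0x3e", "IpAddress": "10.0.0.7"},
    # 4625 (logon failure) carrying a listed status: wrong EventID, no match.
    {"EventID": 4625, "TargetUserName": "admin", "Status": "0x10", "IpAddress": "10.0.0.7"},
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT EventID={alert['EventID']} user={alert['TargetUserName']} status={alert['Status']}")
```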
Related rules
- Audit CVE Event
- Guacamole Two Users Sharing Session Anomaly
- Suspicious NTLM Authentication on the Printer Spooler Service
- AADInternals PowerShell Cmdlets Execution - ProccessCreation
- AADInternals PowerShell Cmdlets Execution - PsScript