Kerberos Manipulation

Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.

Sigma rule (View on GitHub)

 1title: Kerberos Manipulation
 2id: f7644214-0eb0-4ace-9455-331ec4c09253
 3status: test
 4description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
 5references:
 6    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
 7author: Florian Roth (Nextron Systems)
 8date: 2017-02-10
 9modified: 2024-01-16
10tags:
11    - attack.credential-access
12    - attack.t1212
13logsource:
14    product: windows
15    service: security
16detection:
17    selection:
18        EventID:
19            - 675
20            - 4768
21            - 4769
22            - 4771
23        Status:
24            - '0x9'
25            - '0xA'
26            - '0xB'
27            - '0xF'
28            - '0x10'
29            - '0x11'
30            - '0x13'
31            - '0x14'
32            - '0x1A'
33            - '0x1F'
34            - '0x21'
35            - '0x22'
36            - '0x23'
37            - '0x24'
38            - '0x26'
39            - '0x27'
40            - '0x28'
41            - '0x29'
42            - '0x2C'
43            - '0x2D'
44            - '0x2E'
45            - '0x2F'
46            - '0x31'
47            - '0x32'
48            - '0x3E'
49            - '0x3F'
50            - '0x40'
51            - '0x41'
52            - '0x43'
53            - '0x44'
54    condition: selection
55falsepositives:
56    - Faulty legacy applications
57level: high

References

Related rules

to-top