2017-02-10 18:17:02 +00:00
|
|
|
title: Kerberos Manipulation
|
2019-11-12 22:12:27 +00:00
|
|
|
id: f7644214-0eb0-4ace-9455-331ec4c09253
|
2017-02-10 18:17:02 +00:00
|
|
|
description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
|
2017-02-18 23:31:59 +00:00
|
|
|
author: Florian Roth
|
2018-07-24 05:50:32 +00:00
|
|
|
tags:
|
|
|
|
- attack.credential_access
|
|
|
|
- attack.t1212
|
2017-02-18 23:31:59 +00:00
|
|
|
logsource:
|
2017-02-19 10:08:23 +00:00
|
|
|
product: windows
|
2017-03-05 22:55:52 +00:00
|
|
|
service: security
|
2017-02-10 18:17:02 +00:00
|
|
|
detection:
|
|
|
|
selection:
|
2017-02-15 22:53:08 +00:00
|
|
|
EventID:
|
|
|
|
- 675
|
|
|
|
- 4768
|
|
|
|
- 4769
|
|
|
|
- 4771
|
|
|
|
FailureCode:
|
|
|
|
- '0x9'
|
|
|
|
- '0xA'
|
|
|
|
- '0xB'
|
|
|
|
- '0xF'
|
|
|
|
- '0x10'
|
|
|
|
- '0x11'
|
|
|
|
- '0x13'
|
|
|
|
- '0x14'
|
|
|
|
- '0x1A'
|
|
|
|
- '0x1F'
|
|
|
|
- '0x21'
|
|
|
|
- '0x22'
|
|
|
|
- '0x23'
|
|
|
|
- '0x24'
|
|
|
|
- '0x26'
|
|
|
|
- '0x27'
|
|
|
|
- '0x28'
|
|
|
|
- '0x29'
|
|
|
|
- '0x2C'
|
|
|
|
- '0x2D'
|
|
|
|
- '0x2E'
|
|
|
|
- '0x2F'
|
|
|
|
- '0x31'
|
|
|
|
- '0x32'
|
|
|
|
- '0x3E'
|
|
|
|
- '0x3F'
|
|
|
|
- '0x40'
|
|
|
|
- '0x41'
|
|
|
|
- '0x43'
|
|
|
|
- '0x44'
|
2017-02-10 18:17:02 +00:00
|
|
|
condition: selection
|
|
|
|
falsepositives:
|
|
|
|
- Faulty legacy applications
|
2017-02-16 17:02:26 +00:00
|
|
|
level: high
|