SigmaHQ/rules/windows/builtin/win_susp_kerberos_manipulation.yml


title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
author: Florian Roth
tags:
    - attack.credential_access
    - attack.t1212
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 675
            - 4768
            - 4769
            - 4771
        FailureCode:
            - '0x9'
            - '0xA'
            - '0xB'
            - '0xF'
            - '0x10'
            - '0x11'
            - '0x13'
            - '0x14'
            - '0x1A'
            - '0x1F'
            - '0x21'
            - '0x22'
            - '0x23'
            - '0x24'
            - '0x26'
            - '0x27'
            - '0x28'
            - '0x29'
            - '0x2C'
            - '0x2D'
            - '0x2E'
            - '0x2F'
            - '0x31'
            - '0x32'
            - '0x3E'
            - '0x3F'
            - '0x40'
            - '0x41'
            - '0x43'
            - '0x44'
condition: selection
falsepositives:
    - Faulty legacy applications
level: high
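To show what this rule's `selection` actually does at match time, here is an added example (not part of the SigmaHQ rule file or the Sigma tooling): a minimal evaluator that applies the rule's two field lists to constructed Windows Security events. It assumes the SIEM has already mapped raw field names onto the rule's `EventID` and `FailureCode`, and it reproduces Sigma's case-insensitive string comparison so a lower-case `0x1f` still matches the listed `0x1F`.

```python
# Added example, not part of the SigmaHQ rule file: a minimal evaluator for
# this rule's `selection` over constructed Windows Security events. Field
# names are the rule's own; the sample events are constructed, not real logs.

# The selection as the rule states it. Sigma ANDs the fields of a selection
# and ORs the values inside each list.
SELECTION = {
    "EventID": [675, 4768, 4769, 4771],
    "FailureCode": [
        "0x9", "0xA", "0xB", "0xF", "0x10", "0x11", "0x13", "0x14", "0x1A",
        "0x1F", "0x21", "0x22", "0x23", "0x24", "0x26", "0x27", "0x28", "0x29",
        "0x2C", "0x2D", "0x2E", "0x2F", "0x31", "0x32", "0x3E", "0x3F", "0x40",
        "0x41", "0x43", "0x44",
    ],
}

def _norm(value):
    """Sigma string matching is case-insensitive: '0x1f' must equal '0x1F'.
    Integers (EventID) are compared via their decimal string form."""
    return str(value).lower()

def matches_selection(event, selection=SELECTION):
    """True when every selection field is present in the event and its value
    equals one of the listed values. A missing field never matches."""
    for field, allowed in selection.items():
        if field not in event:
            return False
        if _norm(event[field]) not in {_norm(v) for v in allowed}:
            return False
    return True

def find_alerts(events):
    """Apply the rule (condition: selection) to a list of events."""
    return [e for e in events if matches_selection(e)]

# Constructed sample events (assumption: raw "Failure Code" already mapped
# onto the rule's FailureCode by the SIEM field mapping).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc-backup", "FailureCode": "0x0"},  # success
    {"EventID": 4771, "TargetUserName": "j.doe", "FailureCode": "0x18"},  # not listed
    {"EventID": 4771, "TargetUserName": "j.doe", "FailureCode": "0x3E"},  # listed code
    {"EventID": 4769, "TargetUserName": "web01$", "FailureCode": "0x1f"},  # lower-case hex
    {"EventID": 4624, "TargetUserName": "j.doe", "FailureCode": "0x9"},  # wrong EventID
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Only the third and fourth sample events fire; the common `0x18` pre-authentication failure is deliberately absent from the rule's list, which is what keeps the `level: high` rating from drowning in password-guessing noise.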