valitydev/atomic-threat-coverage
14
0
Fork 0
mirror of https://github.com/valitydev/atomic-threat-coverage.git synced 2024-11-06 09:35:21 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
9b4b5e4ac6
atomic-threat-coverage/data_needed/DN_0078_4771_kerberos_pre_authentication_failed.yml
yugoslavskiy 69dbd5bd88 new dn and lp
2019-04-22 05:18:31 +02:00

66 lines
2.3 KiB
YAML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

title: DN_0078_4771_kerberos_pre_authentication_failed
description: >
This event generates every time the Key Distribution Center fails
to issue a Kerberos Ticket Granting Ticket (TGT). This can occur
when a domain controller doesnt have a certificate installed for
smart card authentication (for example, with a "Domain Controller"
or "Domain Controller Authentication" template), the users password
has expired, or the wrong password was provided. This event
generates only on domain controllers
loggingpolicy:
- LP_0038_windows_audit_kerberos_authentication_service
references:
- https://github.com/MicrosoftDocs/windows-itpro-docs/blob/master/windows/security/threat-protection/auditing/event-4771.md
category: OS Logs
platform: Windows
type: Windows Log
channel: Security
provider: Microsoft-Windows-Security-Auditing
fields:
- EventID
- Computer
- Hostname # redundant
- TargetUserName
- TargetSid
- ServiceName
- TicketOptions
- Status
- PreAuthType
- IpAddress
- IpPort
- CertIssuerName
- CertSerialNumber
- CertThumbprint
sample: |
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2015-08-07T18:10:21.495462300Z" />
<EventRecordID>166708</EventRecordID>
<Correlation />
<Execution ProcessID="520" ThreadID="1084" />
<Channel>Security</Channel>
<Computer>DC01.contoso.local</Computer>
<Security />
</System>
- <EventData>
<Data Name="TargetUserName">dadmin</Data>
<Data Name="TargetSid">S-1-5-21-3457937927-2839227994-823803824-1104</Data>
<Data Name="ServiceName">krbtgt/CONTOSO.LOCAL</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x10</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.12</Data>
<Data Name="IpPort">49254</Data>
<Data Name="CertIssuerName" />
<Data Name="CertSerialNumber" />
<Data Name="CertThumbprint" />
</EventData>
</Event>
Reference in New Issue View Git Blame Copy Permalink