mirror of
https://github.com/valitydev/atomic-threat-coverage.git
synced 2024-11-06 17:45:23 +00:00
52 lines
1.0 KiB
YAML
Executable File
52 lines
1.0 KiB
YAML
Executable File
title: Kerberos Manipulation
|
|
description: This method triggers on rare Kerberos Failure Codes caused by manipulations of Kerberos messages
|
|
author: Florian Roth
|
|
tags:
|
|
- attack.credential_access
|
|
- attack.t1212
|
|
logsource:
|
|
product: windows
|
|
service: security
|
|
detection:
|
|
selection:
|
|
EventID:
|
|
- 675
|
|
- 4768
|
|
- 4769
|
|
- 4771
|
|
FailureCode:
|
|
- '0x9'
|
|
- '0xA'
|
|
- '0xB'
|
|
- '0xF'
|
|
- '0x10'
|
|
- '0x11'
|
|
- '0x13'
|
|
- '0x14'
|
|
- '0x1A'
|
|
- '0x1F'
|
|
- '0x21'
|
|
- '0x22'
|
|
- '0x23'
|
|
- '0x24'
|
|
- '0x26'
|
|
- '0x27'
|
|
- '0x28'
|
|
- '0x29'
|
|
- '0x2C'
|
|
- '0x2D'
|
|
- '0x2E'
|
|
- '0x2F'
|
|
- '0x31'
|
|
- '0x32'
|
|
- '0x3E'
|
|
- '0x3F'
|
|
- '0x40'
|
|
- '0x41'
|
|
- '0x43'
|
|
- '0x44'
|
|
condition: selection
|
|
falsepositives:
|
|
- Faulty legacy applications
|
|
level: high
|