Scribd Logo
Upload

Welcome to Scribd!

  • 26 views

    AD Attacks Detection

    Uploaded by

    GauravRaj

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content

    You might also like

    AD Attacks Detection

    Uploaded by

    GauravRaj
    26 views4 pages

    Copyright

    © © All Rights Reserved

    Available Formats

    DOCX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    26 views4 pages

    AD Attacks Detection

    Uploaded by

    GauravRaj

    Copyright:

    © All Rights Reserved
    Download as DOCX, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    Download as docx, pdf, or txt
    of 4

    Kerberoasting Detection:

    Kerberoasting is one of the Kerberos attacks that requests a service ticket for highly
    privileged service and crack NT hash. For mitigation of this attack, we have 2 ways; long and
    complex service account passwords or managed service accounts.

    For monitoring and detection of Kerberos activity in our environment we can use this Splunk
    rule:

    EventID="4769" TicketEncryptionType=0x17 NOT user="*$*"


    | eventstats dc(ServiceName) AS SpecialService by user | eventstats
    count(ServiceName) AS TicketReq | eventstats values count(ServiceName)
    AS KerberoasReq 
    | dedup user
    | where SpecialService > 10
    | table user,SpecialService,TicketReq,KerberoasReq

    No detection for Kerberoasting was observed for the past 60 days using Splunk Event Search.

    Event ID 4769 will be logged many, many times in the domain since after initial logon (and Kerberos
    TGT ticket request), users request Kerberos TGS service tickets to access the may services on the
    network (file shares, SQL, SharePoint, etc). Expect there will be around 10 to 20 Kerberos TGS
    requests per user every day. The 4769 event on Domain Controllers is one of the most numerous in
    any environment which is why it’s often not logged.
    Detection is a lot tougher since requesting service tickets (Kerberos TGS tickets) happens all the time
    when users need to access resources.
    Looking for TGS-REQ packets with RC4 encryption is probably the best method, though false
    positives are likely.

    Monitoring for numerous Kerberos service ticket requests in Active Directory is possible by enabling
    Kerberos service ticket request monitoring (“Audit Kerberos Service Ticket Operations”)
    and  searching for users with excessive 4769 events  (Event Id  4769  “A Kerberos service ticket was
    requested”).
    Here’s a 4769 event that may potentially be from Kerberoasting activity:

    Error Code Description:


    The best mitigation for a Kerberoasting attack is to ensure service accounts that use Kerberos with
    SPN values leverage long and complex passwords. If possible, rotate those passwords regularly.

    You might also like