sigma, high, Hunting
Kerberos Manipulation
Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
Detection Query
selection:
    EventID:
        - 675
        - 4768
        - 4769
        - 4771
    Status:
        - "0x9"
        - "0xA"
        - "0xB"
        - "0xF"
        - "0x10"
        - "0x11"
        - "0x13"
        - "0x14"
        - "0x1A"
        - "0x1F"
        - "0x21"
        - "0x22"
        - "0x23"
        - "0x24"
        - "0x26"
        - "0x27"
        - "0x28"
        - "0x29"
        - "0x2C"
        - "0x2D"
        - "0x2E"
        - "0x2F"
        - "0x31"
        - "0x32"
        - "0x3E"
        - "0x3F"
        - "0x40"
        - "0x41"
        - "0x43"
        - "0x44"
condition: selection
Author
Florian Roth (Nextron Systems)
Created
2017-02-10
Data Sources
windows, security
Platforms
windows
Tags
attack.credential-access, attack.t1212
Raw Content
title: Kerberos Manipulation
id: f7644214-0eb0-4ace-9455-331ec4c09253
status: test
description: Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.
references:
    - https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4771
author: Florian Roth (Nextron Systems)
date: 2017-02-10
modified: 2024-01-16
tags:
    - attack.credential-access
    - attack.t1212
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID:
            - 675
            - 4768
            - 4769
            - 4771
        Status:
            - '0x9'
            - '0xA'
            - '0xB'
            - '0xF'
            - '0x10'
            - '0x11'
            - '0x13'
            - '0x14'
            - '0x1A'
            - '0x1F'
            - '0x21'
            - '0x22'
            - '0x23'
            - '0x24'
            - '0x26'
            - '0x27'
            - '0x28'
            - '0x29'
            - '0x2C'
            - '0x2D'
            - '0x2E'
            - '0x2F'
            - '0x31'
            - '0x32'
            - '0x3E'
            - '0x3F'
            - '0x40'
            - '0x41'
            - '0x43'
            - '0x44'
    condition: selection
falsepositives:
    - Faulty legacy applications
level: high
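Added example (not part of the rule or of the Sigma project): the rule's selection evaluated in Python over constructed events, with hits counted per account, source address and status so that a single faulty legacy application shows up as one noisy row. The `TargetUserName` and `IpAddress` field names and all sample events are assumptions made for illustration.

```python
from collections import Counter

# Values copied from the rule's selection. Sigma compares strings
# case-insensitively, so the status list is stored lower-cased.
EVENT_IDS = {675, 4768, 4769, 4771}
STATUSES = {s.lower() for s in """
0x9 0xA 0xB 0xF 0x10 0x11 0x13 0x14 0x1A 0x1F 0x21 0x22 0x23 0x24 0x26 0x27
0x28 0x29 0x2C 0x2D 0x2E 0x2F 0x31 0x32 0x3E 0x3F 0x40 0x41 0x43 0x44
""".split()}

def matches(event):
    """True when the event satisfies `selection`: EventID AND Status both listed."""
    try:
        event_id = int(event.get("EventID"))  # pipelines may deliver it as a string
    except (TypeError, ValueError):
        return False
    status = event.get("Status")
    if not isinstance(status, str):
        return False
    return event_id in EVENT_IDS and status.strip().lower() in STATUSES

def hunt(events):
    """Count hits per (account, source address, status) for triage."""
    hits = Counter()
    for e in events:
        if matches(e):
            key = (e.get("TargetUserName", "?"), e.get("IpAddress", "?"),
                   e["Status"].strip().lower())
            hits[key] += 1
    return hits

# Constructed sample events (assumed field names, not real log data).
SAMPLE_EVENTS = [
    # 0x18 is not in the rule's status list, so this failure is ignored.
    {"EventID": 4771, "Status": "0x18", "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.5"},
    # Same source twice, status logged in different letter case: both match.
    {"EventID": 4768, "Status": "0x1f", "TargetUserName": "svc-legacy", "IpAddress": "::ffff:10.0.0.9"},
    {"EventID": 4768, "Status": "0x1F", "TargetUserName": "svc-legacy", "IpAddress": "::ffff:10.0.0.9"},
    # Successful ticket request: status 0x0 is not listed.
    {"EventID": 4769, "Status": "0x0", "TargetUserName": "bob", "IpAddress": "::ffff:10.0.0.6"},
    # Listed status but an EventID outside the selection: no match (AND logic).
    {"EventID": 4624, "Status": "0x1F", "TargetUserName": "dave", "IpAddress": "::ffff:10.0.0.8"},
    # EventID delivered as a string still matches after conversion.
    {"EventID": "4769", "Status": "0x29", "TargetUserName": "carol", "IpAddress": "::ffff:10.0.0.7"},
]

if __name__ == "__main__":
    for (user, ip, status), count in hunt(SAMPLE_EVENTS).most_common():
        print(f"{count:3d}  {status:5s}  {user:12s}  {ip}")
```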