Replay Attack Detected

Severity: high
Author: frack113
Source: upstream

Detects a possible Kerberos replay attack on domain controllers when a "KRB_AP_ERR_REPEAT" Kerberos response is sent to the client.

MITRE ATT&CK coverage

Tactic | Techniques
Credential Access | T1558 Steal or Forge Kerberos Tickets

Event coverage

Provider | Event ID | Title
Security-Auditing | 4649 | A replay attack was detected.

Stages and Predicates

Stage 1: selection