Detection rules › Sigma

Kerberos Manipulation

Severity
high
Author
Florian Roth (Nextron Systems)
Source
upstream

Detects failed Kerberos TGT issue operations, which can be a sign of manipulation of TGT messages by an attacker. The selection is not limited to TGT requests (4768): the same Status codes are also matched on service-ticket requests (4769) and pre-authentication failures (4771, and the legacy 675).

MITRE ATT&CK coverage

Tactic | Technique
Credential Access | T1212 Exploitation for Credential Access

Event coverage

Provider | Event ID | Title
Security-Auditing | 675 | Pre-authentication failed (legacy Windows 2003 Kerberos event; superseded by 4771).
Security-Auditing | 4768 | A Kerberos authentication ticket (TGT) was requested.
Security-Auditing | 4769 | A Kerberos service ticket was requested.
Security-Auditing | 4771 | Kerberos pre-authentication failed.

Stages and Predicates

Stage 1: selection

Status: [0x10, 0x11, 0x13, 0x14, 0x1A, 0x1F, 0x21, 0x22, 0x23, 0x24, 0x26, 0x27, 0x28, 0x29, 0x2C, 0x2D, 0x2E, 0x2F, 0x31, 0x32, 0x3E, 0x3F, 0x40, 0x41, 0x43, 0x44, 0x9, 0xA, 0xB, 0xF]
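As an added example (not the rule's own code and not from the catalog), the selection above applied to a handful of constructed Windows Security events in their EVTX XML rendering. The EventID list (675, 4768, 4769, 4771) and the Status list are copied from the rule; the field names TargetUserName, ServiceName, Status and IpAddress are the EventData names Windows uses for these events; the six sample records themselves are made up. Sigma matches string values case-insensitively, so the status is compared as an integer and a pipeline that emits lower-case hex ("0x1f") still produces a hit. The RFC 4120 error names are attached for triage only. Note what the list does not contain: the everyday failure codes 0x6 (client principal unknown), 0x12 (client revoked, i.e. a locked or disabled account), 0x17 (key expired), 0x18 (pre-authentication failed, usually a wrong password) and 0x25 (clock skew), which is why the wrong-password and locked-account records below produce no hit.

```python
"""Added example: run the Kerberos Manipulation selection over constructed
Windows Security events (EVTX XML rendering). Not part of the Sigma rule."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

# EventIDs and Status values copied from the rule's selection.
RULE_EVENT_IDS = {675, 4768, 4769, 4771}
RULE_STATUS = {
    "0x9", "0xA", "0xB", "0xF", "0x10", "0x11", "0x13", "0x14", "0x1A", "0x1F",
    "0x21", "0x22", "0x23", "0x24", "0x26", "0x27", "0x28", "0x29", "0x2C", "0x2D",
    "0x2E", "0x2F", "0x31", "0x32", "0x3E", "0x3F", "0x40", "0x41", "0x43", "0x44",
}
# Compare as integers: Sigma matches strings case-insensitively, so "0x1f" must hit too.
RULE_STATUS_INT = {int(s, 16) for s in RULE_STATUS}

# RFC 4120 section 7.5.9 names for the selected codes; used for triage context only.
KRB_ERROR_NAMES = {
    0x9: "KDC_ERR_NULL_KEY", 0xA: "KDC_ERR_CANNOT_POSTDATE", 0xB: "KDC_ERR_NEVER_VALID",
    0xF: "KDC_ERR_SUMTYPE_NOSUPP", 0x10: "KDC_ERR_PADATA_TYPE_NOSUPP",
    0x11: "KDC_ERR_TRTYPE_NOSUPP", 0x13: "KDC_ERR_SERVICE_REVOKED", 0x14: "KDC_ERR_TGT_REVOKED",
    0x1A: "KDC_ERR_SERVER_NOMATCH", 0x1F: "KRB_AP_ERR_BAD_INTEGRITY", 0x21: "KRB_AP_ERR_TKT_NYV",
    0x22: "KRB_AP_ERR_REPEAT", 0x23: "KRB_AP_ERR_NOT_US", 0x24: "KRB_AP_ERR_BADMATCH",
    0x26: "KRB_AP_ERR_BADADDR", 0x27: "KRB_AP_ERR_BADVERSION", 0x28: "KRB_AP_ERR_MSG_TYPE",
    0x29: "KRB_AP_ERR_MODIFIED", 0x2C: "KRB_AP_ERR_BADKEYVER", 0x2D: "KRB_AP_ERR_NOKEY",
    0x2E: "KRB_AP_ERR_MUT_FAIL", 0x2F: "KRB_AP_ERR_BADDIRECTION", 0x31: "KRB_AP_ERR_BADSEQ",
    0x32: "KRB_AP_ERR_INAPP_CKSUM", 0x3E: "KDC_ERROR_CLIENT_NOT_TRUSTED",
    0x3F: "KDC_ERROR_KDC_NOT_TRUSTED", 0x40: "KDC_ERROR_INVALID_SIG", 0x41: "KDC_ERR_KEY_TOO_WEAK",
    0x43: "KRB_AP_ERR_NO_TGT", 0x44: "KDC_ERR_WRONG_REALM",
}

# Namespace of the Windows event XML schema.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one event record into EventID plus its EventData fields."""
    root = ET.fromstring(xml_text)
    fields = {"EventID": root.findtext("e:System/e:EventID", default="", namespaces=NS)}
    for data in root.findall("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = data.text or ""
    return fields


def parse_status(value: Optional[str]) -> Optional[int]:
    """Accept '0x1F', '0x1f' or '0X1F'; None for anything that is not a hex status."""
    if not value:
        return None
    try:
        return int(value, 16)
    except ValueError:
        return None


def matches_rule(event: Dict[str, str]) -> bool:
    """The rule's selection: EventID in the list AND Status equal to any listed value."""
    try:
        event_id = int(event.get("EventID", ""))
    except ValueError:
        return False
    return event_id in RULE_EVENT_IDS and parse_status(event.get("Status")) in RULE_STATUS_INT


def triage(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the matching events with the KRB error name attached for the analyst."""
    hits = []
    for ev in events:
        if not matches_rule(ev):
            continue
        code = parse_status(ev["Status"])
        hits.append({
            "EventID": ev["EventID"],
            "TargetUserName": ev.get("TargetUserName", ""),
            "ServiceName": ev.get("ServiceName", ""),
            "IpAddress": ev.get("IpAddress", ""),
            "Status": f"0x{code:X}",
            "KrbError": KRB_ERROR_NAMES.get(code, "UNLISTED"),
        })
    return hits


def _record(event_id: int, **data: str) -> str:
    """Build a minimal EVTX-style XML record. Constructed sample data, not a real log."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f'<EventData>{body}</EventData></Event>')


SAMPLE_RECORDS = [
    _record(4768, TargetUserName="jdoe", ServiceName="krbtgt", Status="0x0",
            IpAddress="::ffff:10.0.0.5"),                      # successful TGT request
    _record(4771, TargetUserName="jdoe", ServiceName="krbtgt/CORP", Status="0x18",
            IpAddress="::ffff:10.0.0.5"),                      # wrong password: 0x18 is not selected
    _record(4768, TargetUserName="svc-backup", ServiceName="krbtgt", Status="0x1f",
            IpAddress="::ffff:10.0.0.77"),                     # bad integrity, lower-case hex
    _record(4769, TargetUserName="jdoe@CORP.LOCAL", ServiceName="cifs/fs01.corp.local",
            Status="0x29", IpAddress="::ffff:10.0.0.77"),      # ticket modified in transit
    _record(4624, TargetUserName="jdoe", Status="0x29"),       # listed status, unlisted EventID
    _record(4768, TargetUserName="contractor1", ServiceName="krbtgt", Status="0x12",
            IpAddress="::ffff:10.0.0.9"),                      # locked/disabled account: not selected
]


def run_sample() -> List[Dict[str, str]]:
    """Parse and evaluate the constructed records; two of the six should match (0x1F, 0x29)."""
    return triage([parse_event(r) for r in SAMPLE_RECORDS])


if __name__ == "__main__":
    for hit in run_sample():
        print(hit)
```

The two hits are the ones a practitioner would want escalated: a TGT request answered with KRB_AP_ERR_BAD_INTEGRITY and a service-ticket request answered with KRB_AP_ERR_MODIFIED, both pointing at tampered or mis-keyed Kerberos messages rather than at a user mistyping a password. When porting the rule to a SIEM, confirm how your pipeline renders the Status field (hex case, and whether it is kept as a string); the integer comparison here sidesteps that.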

Indicators

Each row is a field, the operator applied to it, and the values the rule matches against that field. A list of values under one operator means any one of them satisfies the predicate.

Field | Kind | Values
Status | eq (any of) | 0x9, 0xA, 0xB, 0xF, 0x10, 0x11, 0x13, 0x14, 0x1A, 0x1F, 0x21, 0x22, 0x23, 0x24, 0x26, 0x27, 0x28, 0x29, 0x2C, 0x2D, 0x2E, 0x2F, 0x31, 0x32, 0x3E, 0x3F, 0x40, 0x41, 0x43, 0x44

Neighbors

Often fire together

Rules that target events appearing in the same incident timelines. They pattern-match on adjacent steps of the same TTP, so an alert from one is often paired with alerts from these. Useful for triage context and for assembling chained-detection rules.