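---
# Sigma rule as exported by the notebook generator (a one-element list).
# NOTE(review): the indentation of this copy had been flattened, which is not
# valid YAML for the nested logsource/detection mappings; restored here.
- title: Kerberos Manipulation
  id: f7644214-0eb0-4ace-9455-331ec4c09253
  description: >-
    This method triggers on rare Kerberos Failure Codes caused by manipulations
    of Kerberos messages
  author: Florian Roth
  tags:
    - attack.credential_access
    - attack.t1212
  logsource:
    product: windows
    service: security
    # NOTE(review): an explicit null category is most likely a converter
    # artifact; Sigma validators expect a string when the key is present, so
    # drop the key rather than keep it null if the rule fails validation.
    category: null
  detection:
    selection:
      # 675 is the pre-Vista (Windows 2000/2003) pre-authentication-failure
      # event; 4768 / 4769 / 4771 are the current TGT request, service-ticket
      # request and pre-authentication-failure events respectively.
      EventID:
        - 675
        - 4768
        - 4769
        - 4771
      # Codes are quoted so YAML keeps them as strings ('0x9', not the int 9);
      # the backend field must be compared the same way (the notebook query
      # below uses the HELK keyword field ticket_failure_code).
      # Frequent, usually benign codes — 0x6 (unknown principal), 0x12 (client
      # revoked/disabled), 0x17 (expired key), 0x18 (pre-auth/bad password),
      # 0x19 (pre-auth required), 0x25 (clock skew) — are absent from the list,
      # presumably to keep the alert from drowning in password-guessing noise.
      # NOTE(review): newer Sigma revisions of this rule use the raw event
      # field name Status for this value; keep whichever name your pipeline
      # maps, but do not use both.
      FailureCode:
        - '0x9'
        - '0xA'
        - '0xB'
        - '0xF'
        - '0x10'
        - '0x11'
        - '0x13'
        - '0x14'
        - '0x1A'
        - '0x1F'    # KRB_AP_ERR_BAD_INTEGRITY — tampered/forged ticket or authenticator
        - '0x21'
        - '0x22'    # KRB_AP_ERR_REPEAT — replayed authenticator
        - '0x23'
        - '0x24'
        - '0x26'
        - '0x27'
        - '0x28'
        - '0x29'    # KRB_AP_ERR_MODIFIED — message modified in transit
        - '0x2C'
        - '0x2D'
        - '0x2E'
        - '0x2F'
        - '0x31'
        - '0x32'
        - '0x3E'    # KDC_ERROR_CLIENT_NOT_TRUSTED — PKINIT certificate not trusted
        - '0x3F'    # KDC_ERROR_KDC_NOT_TRUSTED
        - '0x40'    # KDC_ERROR_INVALID_SIG — bad PKINIT signature
        - '0x41'
        - '0x43'
        - '0x44'    # KDC_ERR_WRONG_REALM — request sent to the wrong realm
    condition: selection
  falsepositives:
    - Faulty legacy applications
  # High because the listed codes do not occur in normal password/clock
  # problems; tune down only after baselining the legacy apps named above.
  level: high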
import os

from elasticsearch import Elasticsearch
from elasticsearch_dsl import Search
import pandas as pd
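# Elasticsearch endpoint. The default is the in-cluster HELK service name over
# plain HTTP; set HELK_ES_URL to point the notebook elsewhere or at an
# https:// endpoint with authentication.
# NOTE(review): plaintext HTTP sends the query and every returned Security
# event unencrypted and unauthenticated — acceptable only on the private HELK
# docker network, never across a routed link.
es = Elasticsearch([os.environ.get('HELK_ES_URL', 'http://helk-elasticsearch:9200')])

# Search context bound to the HELK Windows Security event index pattern.
# doc_type='doc' is the legacy (ES 6.x) mapping type; Elasticsearch 7+ and
# newer elasticsearch-dsl releases ignore or reject it — remove it when the
# cluster is upgraded.
searchContext = Search(using=es, index='logs-endpoint-winevent-security-*', doc_type='doc')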
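# Lucene query_string equivalent of the Sigma selection above: the four
# Kerberos event IDs AND the failure code in HELK's normalised field
# ticket_failure_code (the mapping of the rule's FailureCode). The code list
# is duplicated from the rule and must be kept in sync with it by hand; both
# are hex strings, so the field must be indexed as keyword/text, not numeric.
s = searchContext.query('query_string', query='(event_id:("675" OR "4768" OR "4769" OR "4771") AND ticket_failure_code:("0x9" OR "0xA" OR "0xB" OR "0xF" OR "0x10" OR "0x11" OR "0x13" OR "0x14" OR "0x1A" OR "0x1F" OR "0x21" OR "0x22" OR "0x23" OR "0x24" OR "0x26" OR "0x27" OR "0x28" OR "0x29" OR "0x2C" OR "0x2D" OR "0x2E" OR "0x2F" OR "0x31" OR "0x32" OR "0x3E" OR "0x3F" OR "0x40" OR "0x41" OR "0x43" OR "0x44"))')

# execute() is only a probe that the query parses and every shard answered
# within the timeout; the rows themselves come from scan(), which pages
# through all hits instead of stopping at the default 10-result window.
response = s.execute()
if response.success():
    df = pd.DataFrame((d.to_dict() for d in s.scan()))
else:
    # A partial shard response or timeout would silently drop detections.
    # Fail loudly instead of leaving df undefined (which surfaced only as a
    # NameError in the next cell).
    raise RuntimeError(
        'Elasticsearch query did not complete successfully (timeout or shard '
        'failure); results would be incomplete, refusing to continue'
    )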
# Preview the first five matching events; as the last expression in the cell
# the notebook renders the frame inline. Review ticket_failure_code, source
# address and target account columns for each hit before escalating.
df.head(n=5)