Eric Partington

Kerberos Log Event Odditites

Blog Post created by Eric Partington Employee on Dec 2, 2016

[Updated with a 4th use case around NTLM failed authentications with unusual failure codes (result.code) ]

 

After seeing a few recent Twitter conversations regarding Kerberos Odd Events I decided to see who NetWitness would see those events and potentially report and chart them.

 

This is the output of a few web pages and twitter post ideas.  Please test these out in your environment and let me know if there are any improvements or additional filtering that can be done to improve the fidelity of the output. 

 

I don't have a full domain to test with so my data set is limited and there are probably improvements that can be made.

 

Three Four areas that were looked at were:

  • Kerberos Ticket Encryption Types
  • Odd Kerberos Failure codes
  • Kerberos Target Domains
  • Odd NTLM Failure codes

 

The included report can be run to give you ideas where the information came from and potentially other items to look for in the dataset (apparently ::ffff is a legitemate failure and could be filtered from the Ticket Encryption types) and there were potential ways to detect Golden/Silver tickets as well as Mimikatz with the Target Domain (but i have yet to validate those).

 

Included are:

  • Dashboard (1)
  • Charts (4)
  • Report (1)
  • Rules (4)
  • List(2)

The List can be used to help focus the Odd Kerberos Fail codes if required)

All import into the same folder structure

Log -> Windows

 

As always, test and let me know if this provides value and helps bring visibility to a part of your network that is important.

 

Outcomes