
Kerberos Attacks - PyKEK

Question asked by Renato Goncalves on Aug 3, 2018
Latest reply on Aug 7, 2018 by Renato Goncalves

Hello,

Recently our pentest team used PyKEK at one of our clients, monitored by NW, and we could not detect anything.

I was trying to create a rule, but it can manifest through these premises:


MS14-068 events may have one (or more) of these issues:
The Account Domain field is blank when it should be DOMAIN
The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
PyKEK: Account Name is a different account from the Security ID.


PyKEK MS14-068 Exploit (author Sylvain Monné)

Event ID: 4624 (Account Logon)
The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
Account Name is a different account from the Security ID.

Event ID: 4768 (Kerberos TGS Request)
The Account Domain field is DOMAIN FQDN when it should be DOMAIN.

Event ID: 4672 (Admin Logon)
The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
Account Name is a different account from the Security ID.


How can I create a rule with the premise: Domain Name = FQDN or Domain Name = blank or even Account Name different from Security ID?


Thanks
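As an added example, not part of the post and not NetWitness rule syntax: a small Python checker that applies the three premises above (Account Domain blank, Account Domain given as the FQDN instead of the NetBIOS name, Account Name not matching the Security ID) to Windows Security events 4624, 4672 and 4768. The key=value export format, the domain names and the SID-to-account snapshot are constructed assumptions; a real rule would take the SID mapping from a directory feed.

```python
"""Flag Windows Security events carrying the MS14-068 / PyKEK artefacts
listed in the post. Added example: the log format, domain names and the
SID-to-name snapshot below are constructed, not taken from any product."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Which premises apply to which event, following the post's list.
CHECKS_BY_EVENT: Dict[int, set] = {
    4624: {"domain", "sid"},   # Account Logon
    4672: {"domain", "sid"},   # Admin Logon
    4768: {"domain"},          # Kerberos ticket request (no target SID to compare)
}

# Constructed directory snapshot: Security ID -> sAMAccountName.
# Real SIDs are domain specific; these values are placeholders.
SID_TO_NAME: Dict[str, str] = {
    "S-1-5-21-1111-2222-3333-1104": "jdoe",
    "S-1-5-21-1111-2222-3333-500": "Administrator",
}


@dataclass
class Event:
    event_id: int
    account_name: str
    account_domain: str
    security_id: Optional[str]


def parse_line(line: str) -> Optional[Event]:
    """Parse one constructed 'key=value key=value' export line.
    Returns None when the line is not an event with an event_id."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    try:
        return Event(
            event_id=int(fields["event_id"]),
            account_name=fields.get("account_name", ""),
            account_domain=fields.get("account_domain", ""),
            security_id=fields.get("security_id") or None,
        )
    except (KeyError, ValueError):
        return None


def anomalies(ev: Event, sid_map: Dict[str, str] = SID_TO_NAME) -> List[str]:
    """Return the list of premises the event violates (empty if none)."""
    checks = CHECKS_BY_EVENT.get(ev.event_id)
    if not checks:
        return []
    findings: List[str] = []
    domain = ev.account_domain.strip()
    if "domain" in checks:
        if domain == "":
            findings.append("account_domain_blank")
        elif "." in domain:  # a NetBIOS name has no dots; an FQDN does
            findings.append("account_domain_is_fqdn")
    if "sid" in checks and ev.security_id:
        expected = sid_map.get(ev.security_id)
        # Only flag when the SID is known and resolves to a different account.
        if expected is not None and expected.lower() != ev.account_name.lower():
            findings.append("account_name_sid_mismatch")
    return findings


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """Run the checks over export lines; return (line number, findings) hits."""
    hits: List[Tuple[int, List[str]]] = []
    for n, line in enumerate(lines, start=1):
        ev = parse_line(line)
        if ev is None:
            continue
        found = anomalies(ev)
        if found:
            hits.append((n, found))
    return hits


# Constructed sample export: line 1 is normal, lines 2-4 show the artefacts,
# line 5 is an event type the post does not cover.
SAMPLE_LOG = [
    "event_id=4624 account_name=jdoe account_domain=CORP security_id=S-1-5-21-1111-2222-3333-1104",
    "event_id=4624 account_name=jdoe account_domain=corp.example.com security_id=S-1-5-21-1111-2222-3333-500",
    "event_id=4768 account_name=jdoe account_domain= security_id=",
    "event_id=4672 account_name=jdoe account_domain=CORP security_id=S-1-5-21-1111-2222-3333-500",
    "event_id=4625 account_name=jdoe account_domain=corp.example.com security_id=S-1-5-21-1111-2222-3333-1104",
]

if __name__ == "__main__":
    for line_no, found in scan(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(found)}")
```

The blank/FQDN check is cheap and can be expressed on the Account Domain field alone; the name-versus-SID check needs a lookup table, which is why the rule engine has to be fed the SID mapping from the directory. For 4768 the post lists only the domain premise, so the checker applies no SID comparison there.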
