Phoenix
Sigma IntelligenceBeta
Back to Rules
Detectionhightest

Kerberos Manipulation

Detects failed Kerberos TGT issue operation. This can be a sign of manipulations of TGT messages by an attacker.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch
Florian Roth (Nextron Systems)Created Fri Feb 10Updated Tue Jan 16f7644214-0eb0-4ace-9455-331ec4c09253windows
Log Source
Windowssecurity
ProductWindows← raw: windows
Servicesecurity← raw: security
Detection Logic
Detection Logic1 selector
detection:
    selection:
        EventID:
            - 675
            - 4768
            - 4769
            - 4771
        Status:
            - '0x9'
            - '0xA'
            - '0xB'
            - '0xF'
            - '0x10'
            - '0x11'
            - '0x13'
            - '0x14'
            - '0x1A'
            - '0x1F'
            - '0x21'
            - '0x22'
            - '0x23'
            - '0x24'
            - '0x26'
            - '0x27'
            - '0x28'
            - '0x29'
            - '0x2C'
            - '0x2D'
            - '0x2E'
            - '0x2F'
            - '0x31'
            - '0x32'
            - '0x3E'
            - '0x3F'
            - '0x40'
            - '0x41'
            - '0x43'
            - '0x44'
    condition: selection
False Positives

Faulty legacy applications

References
1
Resolving title…
learn.microsoft.com
MITRE ATT&CK
Rule Metadata
Rule ID
f7644214-0eb0-4ace-9455-331ec4c09253
Status
test
Level
high
Type
Detection
Created
Fri Feb 10
Modified
Tue Jan 16
Author
Florian Roth (Nextron Systems)
Path
rules/windows/builtin/security/win_security_susp_kerberos_manipulation.yml
Raw Tags
attack.credential-accessattack.t1212
View on GitHub