https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-identify-which-host-the-user-is-trying-to-access-by-using/m-p/486473#M8021 <P>This <EM>might</EM> be possible with NTLM authentication, but Kerberos doesn't work that way.</P> <P>With Kerberos, user A interacts with DC B from host A, then proceeds directly to host C with its service ticket in hand for the service(s) running on host C.</P> <P>Under NTLM, host C will challenge user A to authenticate, which host C <EM>might</EM> verify with DC B (it very well could be some other domain controller). I think only with NTLM will you possibly see host C authenticating user A on DC B, but only if host C uses DC B...</P> <P>Check this page for a decent graphic on how NTLM works:<BR /> <A href="https://medium.com/@m8r0wn/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666">https://medium.com/@m8r0wn/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666</A></P> <P>And this page for how Kerberos works:<BR /> <A href="https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4768.html">https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4768.html</A></P> <P>I think the only way to make sure you capture this would be to turn on security auditing/logging on host C.</P> <P>Hope that helps!<BR /> rmmiller</P> Thu, 09 Apr 2020 01:19:05 GMT rmmiller 2020-04-09T01:19:05Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-identify-which-host-the-user-is-trying-to-access-by-using/m-p/486472#M8020 <P>This question may not 100% related with Splunk but I am sure Splunker had done this many times so I thought I will just ask</P> <P>I want to identify the real destination when user logon a host using authenticate through DC like Kerobers or NTLM. I looked at event 4624, 4768,4771 on the DC log, they only have real src information, but I cant find the real dest information in these event. Is there another event I should look at or it is some field is missing on these events? my example as below</P> <P>user A using host A to logon to host C by go through DC B. and I only collect log at DC B, so I want to know how to identify the host C information from the log in this scenario.</P> <P>Thank you in advanced.</P> Fri, 06 Mar 2020 07:02:21 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-identify-which-host-the-user-is-trying-to-access-by-using/m-p/486472#M8020 samlinsongguo 2020-03-06T07:02:21Z https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-identify-which-host-the-user-is-trying-to-access-by-using/m-p/486473#M8021 <P>This <EM>might</EM> be possible with NTLM authentication, but Kerberos doesn't work that way.</P> <P>With Kerberos, user A interacts with DC B from host A, then proceeds directly to host C with its service ticket in hand for the service(s) running on host C.</P> <P>Under NTLM, host C will challenge user A to authenticate, which host C <EM>might</EM> verify with DC B (it very well could be some other domain controller). I think only with NTLM will you possibly see host C authenticating user A on DC B, but only if host C uses DC B...</P> <P>Check this page for a decent graphic on how NTLM works:<BR /> <A href="https://medium.com/@m8r0wn/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666">https://medium.com/@m8r0wn/internal-information-disclosure-using-hidden-ntlm-authentication-18de17675666</A></P> <P>And this page for how Kerberos works:<BR /> <A href="https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4768.html">https://www.manageengine.com/products/active-directory-audit/kb/windows-security-log-event-id-4768.html</A></P> <P>I think the only way to make sure you capture this would be to turn on security auditing/logging on host C.</P> <P>Hope that helps!<BR /> rmmiller</P> Thu, 09 Apr 2020 01:19:05 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/How-to-identify-which-host-the-user-is-trying-to-access-by-using/m-p/486473#M8021 rmmiller 2020-04-09T01:19:05Z