About Dustem

Dustem · ‎10-30-2023

We refer to the golden ticket attack, according to the Kerberos mechanism, a prerequisite for a service ticket request is a user ticket request (or renewal of an existing ticket). When this is not the case and we do not see a corresponding prior login event, the user ticket is suspected to be forged or stolen from another machine. So the logic of the detection is that one of the following corresponding events does not occur before the service ticket request (Eventcode=4769): 1. user ticket (TGT) request (Eventcode=4768). 2. ticket renewal request (Eventcode=4770). 3. Login event (Eventcode=4624).

gcusello · ‎09-19-2023

Hi @Dustem , good for you, see next time! let me know if I can help you more, or, please, accept one answer for the other people of Community. Ciao and happy splunking Giuseppe P.S.: Karma Points are appreciated 😉

gcusello · ‎09-07-2023

Hi @Dustem, let me understand: 4768 or 4770 should be before the 4769 and you want an alert if tey are missing or tey aren't before, is is correct? Ciao. Giuseppe

Dustem · ‎09-06-2023

hi guys, I want to detect that more than 10 different ports of the same host are sniffed and scanned every 15 minutes and triggered 5 times in a row, then the alarm; If the same time period is triggered for three consecutive days, the alarm is triggered.

Posts	16
Solutions	0
Karma Given	0
Karma Received	1
Member Since	‎09-06-2023

Online Status	Offline
Date Last Visited	‎11-13-2023 11:02 PM

Using stolen or forged tickets (TGT)

Scan Behavior: How to query the trigger for the sa...

Using stolen or forged user tickets (TGT)

Slow scanning

Re: Using stolen or forged tickets (TGT)

Re: Scan Behavior

Re: Using stolen or forged user tickets (TGT)

Slow scanning

Join the Conversation