On 21.10.2013 09:46, Randy Dover wrote:
We have been getting a lot of the following messages:

WinEvtLog: Security: AUDIT_FAILURE(4768): Microsoft-Windows-Security-Auditing: (no user): no domain: DomainController.FQDN:
A Kerberos authentication ticket (TGT) was requested.

Account Information:
    Account Name:            UserName
    Supplied Realm Name:     DomainName
    User ID:                 S-1-0-0

Service Information:
    Service Name:            krbtgt/DomainName
    Service ID:              S-1-0-0

Network Information:
    Client Address:          ::ffff:#.#.#.# (EmailServerIPAddress)
    Client Port:             14670

Additional Information:
    Ticket Options:          0x40810010
    Result Code:             0x17
    Ticket Encryption Type:  0xffffffff
    Pre-Authentication Type: -

Certificate Information:
    Certificate Issuer Name:
    Certificate Serial Number:
    Certificate Thumbprint:

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

I filter these out and will probably make a change to the core ruleset to filter them out by default in the future. These indicate whether or not a Kerberos ticket was successfully granted, not necessarily a valid/invalid logon. According to Microsoft:

Does not contain any additional information if audit details from logon events 528 and 540 are already being collected. This event records that a Kerberos TGT was granted, actual access will not occur until a service ticket is granted, which is audited by Event 673. If the PATYPE is PKINIT, the logon was a smart card logon.

Bottom line: If you filter these out then you should still see multiple failed logon alerts as you would expect.

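The reply above drops every 4768 event. As an added example (this is not code from the thread, from OSSEC, or from Microsoft), the Python below goes one step further on the same topic: it parses 4768 lines in the OSSEC WinEvtLog layout quoted above, decodes the Result Code against the KDC error values from RFC 4120 section 7.5.9, and sorts events into dropped, operational and credential-failure buckets so that an analyst can see what a blanket filter would discard. All sample lines, host names, account names and addresses are constructed test data, the bucket assignments and the per-source threshold are assumptions, and the event text is modelled on the one in the thread.

```python
import re
from collections import Counter

# Subset of KDC error codes from RFC 4120 section 7.5.9 (hex values as Windows logs them).
KDC_ERRORS = {
    0x00: "KDC_ERR_NONE",                 # ticket granted
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # account does not exist in the realm
    0x0E: "KDC_ERR_ETYPE_NOSUPP",         # no encryption type in common
    0x12: "KDC_ERR_CLIENT_REVOKED",       # account disabled, locked or expired
    0x17: "KDC_ERR_KEY_EXPIRED",          # password has expired
    0x18: "KDC_ERR_PREAUTH_FAILED",       # wrong password
    0x19: "KDC_ERR_PREAUTH_REQUIRED",     # normal first round trip of a logon
}

# Bucket assignments are an assumption of this example, not an OSSEC or Microsoft rule.
DROP_CODES = {0x00, 0x19}          # routine protocol traffic, nothing to alert on
OPERATIONAL_CODES = {0x0E, 0x12, 0x17}  # misconfiguration / hygiene, worth a ticket not an alert
# Everything else (0x06, 0x18, unknown codes) is treated as a credential failure and counted.

HEADER_RE = re.compile(
    r"^WinEvtLog: (?P<channel>[^:]+): (?P<status>AUDIT_\w+)\((?P<event_id>\d+)\): "
)
FIELD_RES = {
    "account": re.compile(r"Account Name: (\S+)"),
    "client": re.compile(r"Client Address: (\S+)"),
    "result_code": re.compile(r"Result Code: (0x[0-9A-Fa-f]+)"),
}


def parse_winevtlog(line):
    """Parse one OSSEC-formatted WinEvtLog line into a dict; return None for other lines."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    event = {"channel": m["channel"], "status": m["status"], "event_id": int(m["event_id"])}
    for name, rx in FIELD_RES.items():
        fm = rx.search(line)
        event[name] = fm.group(1) if fm else None
    if event["client"] and event["client"].startswith("::ffff:"):
        event["client"] = event["client"][len("::ffff:"):]  # strip IPv4-mapped prefix
    if event["result_code"] is not None:
        code = int(event["result_code"], 16)
        event["result_code"] = code
        event["result_name"] = KDC_ERRORS.get(code, "UNKNOWN(0x%x)" % code)
    return event


def make_4768(status, account, client, result_code):
    """Build a constructed 4768 line in the thread's layout (test data, not a real event)."""
    return (
        f"WinEvtLog: Security: {status}(4768): Microsoft-Windows-Security-Auditing: "
        f"(no user): no domain: dc01.example.test: A Kerberos authentication ticket (TGT) "
        f"was requested. Account Information: Account Name: {account} Supplied Realm Name: "
        f"EXAMPLE User ID: S-1-0-0 Service Information: Service Name: krbtgt/EXAMPLE "
        f"Service ID: S-1-0-0 Network Information: Client Address: ::ffff:{client} "
        f"Client Port: 14670 Additional Information: Ticket Options: 0x40810010 "
        f"Result Code: {result_code} Ticket Encryption Type: 0xffffffff "
        f"Pre-Authentication Type: -"
    )


# Constructed sample input: a mail host retrying with an expired password (the pattern in
# the thread), one source guessing passwords, one normal logon and one non-Windows line.
SAMPLE_LINES = [
    make_4768("AUDIT_FAILURE", "mailsvc", "192.0.2.10", "0x17"),
    make_4768("AUDIT_FAILURE", "mailsvc", "192.0.2.10", "0x17"),
    make_4768("AUDIT_FAILURE", "admin", "198.51.100.7", "0x18"),
    make_4768("AUDIT_FAILURE", "admin", "198.51.100.7", "0x18"),
    make_4768("AUDIT_FAILURE", "admin", "198.51.100.7", "0x18"),
    make_4768("AUDIT_FAILURE", "root", "198.51.100.7", "0x6"),
    make_4768("AUDIT_SUCCESS", "alice", "192.0.2.20", "0x0"),
    "Oct 21 09:46:01 dc01 sshd[1234]: Accepted publickey for alice from 192.0.2.20",
]


def triage_4768(lines, threshold=3):
    """Sort 4768 events into buckets; flag sources with >= threshold credential failures."""
    summary = {"dropped": 0, "operational": [], "credential_failures": Counter()}
    for line in lines:
        ev = parse_winevtlog(line)
        if ev is None or ev["event_id"] != 4768 or ev["result_code"] is None:
            continue
        code = ev["result_code"]
        if code in DROP_CODES:
            summary["dropped"] += 1
        elif code in OPERATIONAL_CODES:
            summary["operational"].append((ev["client"], ev["account"], ev["result_name"]))
        else:
            summary["credential_failures"][ev["client"]] += 1
    summary["bruteforce_candidates"] = sorted(
        client for client, n in summary["credential_failures"].items() if n >= threshold
    )
    return summary


if __name__ == "__main__":
    for key, value in triage_4768(SAMPLE_LINES).items():
        print(f"{key}: {value}")
```

With the constructed input, the expired-password retries from the mail host land in the operational bucket (0x17 is KDC_ERR_KEY_EXPIRED in RFC 4120, a stale credential rather than a failed logon), the successful TGT is dropped, and the 0x18/0x06 failures stay visible and are counted per source, so repeated bad-password attempts still surface as the reply expects. The threshold of 3 is arbitrary; tune it to the environment.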