[Bro] Finding Golden Tickets in Kerberos Logs

Patrick Kelley pkelley at hyperionavenue.com
Mon Mar 5 11:32:30 PST 2018

If it helps, when I was recreating the attacks in MetaSploit, EMPIRE, and
on engagements, I noticed following:


event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len:
count) &priority=5

When I observe that sort of traffic, not associated to a known AD
controller, I use it as the IOC. I'm sure there is a far better way, but
that's my initial stab.

If you want a link to my detection script, I'll share it.

On Mon, Mar 5, 2018 at 9:07 AM, Clark Gaylord <cgaylord at vt.edu> wrote:

> True but an important point about them is their lack of expiration, hence
> the need to redo the TGT credential after exploit. This would probably
> still be wise, but that is a primary motivation. I agree it would be
> interesting to audit tickets on the wire to ensure they appear to be
> consistent with policy.
> --
> Clark Gaylord
> cgaylord at vt.edu
> ... Autocorrect may have improved this message
>     Brevity should not be interpreted as curtness ...
> On Mar 5, 2018 05:36, "Jan Grashöfer" <jan.grashoefer at gmail.com> wrote:
> On 27/02/18 20:49, brolist at vt.edu wrote:
> > Does anyone have a reliable method to find Active Directory Golden or
> > Silver Tickets in the Bro Kerberos logs? I was planning to look into
> doing
> > this (maybe based partially on expiration) but wanted to ask the list
> > first. I appreciate any advice.
> Please correct me if I am wrong: Golden Tickts are generated using some
> special account and won't be sent to the "user" like normal TGTs. In
> that case, keeping track of the issued TGTs might allow to detect
> "self-generated" Golden Tickets. The same should apply for TGS in case
> of Silver Tickets.
> As far as I know, expiration is usually quite high for Golden/Silver
> Tickets and thus can be used for detection. However, it should be easy
> for an attacker to adapt to default expiration times.
> Jan
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro


Patrick Kelley
Hyperion Avenue Labs

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*

[image: hal_logo]
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180305/725f08fc/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 12155 bytes
Desc: not available
Url : http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180305/725f08fc/attachment-0001.bin 

More information about the Bro mailing list