[Bro] Finding Golden Tickets in Kerberos Logs

Patrick Kelley pkelley at hyperionavenue.com
Mon Mar 5 11:32:30 PST 2018


If it helps, when I was recreating the attacks in MetaSploit, EMPIRE, and
on engagements, I noticed the following:

  /DRSGetNCChanges.*/
  |/DRSCrackNames.*/

event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count) &priority=5

When I observe that sort of traffic, not associated with a known AD
controller, I use it as the IOC. I'm sure there is a far better way, but
that's my initial stab.

If you want a link to my detection script, I'll share it.

On Mon, Mar 5, 2018 at 9:07 AM, Clark Gaylord <cgaylord at vt.edu> wrote:

> True but an important point about them is their lack of expiration, hence
> the need to redo the TGT credential after exploit. This would probably
> still be wise, but that is a primary motivation. I agree it would be
> interesting to audit tickets on the wire to ensure they appear to be
> consistent with policy.
>
> --
> Clark Gaylord
> cgaylord at vt.edu
> ... Autocorrect may have improved this message
>     Brevity should not be interpreted as curtness ...
>
> On Mar 5, 2018 05:36, "Jan Grashöfer" <jan.grashoefer at gmail.com> wrote:
>
> On 27/02/18 20:49, brolist at vt.edu wrote:
> > Does anyone have a reliable method to find Active Directory Golden or
> > Silver Tickets in the Bro Kerberos logs? I was planning to look into
> > doing this (maybe based partially on expiration) but wanted to ask the
> > list first. I appreciate any advice.
>
> Please correct me if I am wrong: Golden Tickets are generated using some
> special account and won't be sent to the "user" like normal TGTs. In
> that case, keeping track of the issued TGTs might allow detecting
> "self-generated" Golden Tickets. The same should apply to TGS in the case
> of Silver Tickets.
>
> As far as I know, expiration is usually quite high for Golden/Silver
> Tickets and thus can be used for detection. However, it should be easy
> for an attacker to adapt to default expiration times.
>
> Jan
> _______________________________________________
> Bro mailing list
> bro at bro-ids.org
> http://mailman.ICSI.Berkeley.EDU/mailman/listinfo/bro



-- 

Patrick Kelley
Hyperion Avenue Labs
http://www.hyperionavenue.com
951.291.8310

*The limit to which you have accepted being comfortable is the limit to
which you have grown. Accept new challenges as an opportunity to enrich
yourself and not as a point of potential failure.*
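Patrick's DCSync-style IOC (DRSGetNCChanges/DRSCrackNames from a host that is not a known DC) and Jan's two suggestions (tracking issued TGTs, checking ticket lifetimes), as an added Python example run over constructed Bro 2.5-style log lines. This is not Patrick's detection script and not Bro's own code. Assumptions are labelled in the comments: the DC inventory, the 10-hour policy maximum, the field layout of Bro 2.5 dce_rpc.log and kerberos.log, and that the sensor sees the AS exchange that issued each TGT.

```python
"""Two log checks for the thread's ideas (added example, not Bro's code).

1. dce_rpc.log: DRSUAPI replication requests matching the post's pattern
   whose originator is not a known domain controller.
2. kerberos.log: TGS requests from a (host, client) pair that never got a TGT
   via an observed successful AS exchange, plus tickets whose requested
   lifetime exceeds policy.
"""
import re

# Constructed sample in Bro 2.5 dce_rpc.log layout; NOT real capture data.
# 10.0.0.10 and 10.0.0.11 play the DCs, 10.0.0.5 is a workstation.
DCE_RPC_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trtt\tnamed_pipe\tendpoint\toperation
1520270000.1\tC1\t10.0.0.5\t49152\t10.0.0.10\t135\t0.001\t135\tepmapper\tept_map
1520270000.2\tC2\t10.0.0.5\t49153\t10.0.0.10\t49667\t0.002\t49667\tdrsuapi\tDRSBind
1520270000.3\tC2\t10.0.0.5\t49153\t10.0.0.10\t49667\t0.002\t49667\tdrsuapi\tDRSGetNCChanges
1520270001.0\tC3\t10.0.0.11\t49200\t10.0.0.10\t49667\t0.002\t49667\tdrsuapi\tDRSGetNCChanges
1520270002.0\tC4\t10.0.0.5\t49154\t10.0.0.10\t49667\t0.002\t49667\tdrsuapi\tDRSCrackNames
"""

# Constructed sample in Bro 2.5 kerberos.log layout (trailing cert fields
# omitted); from/till are epoch seconds as Bro prints `time` values.
# K3 is a TGS request with no preceding AS exchange and a 10-year lifetime.
KERBEROS_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\trequest_type\tclient\tservice\tsuccess\terror_msg\tfrom\ttill\tcipher\tforwardable\trenewable
1520270100.0\tK1\t10.0.0.5\t50000\t10.0.0.10\t88\tAS\talice/CORP.LOCAL\tkrbtgt/CORP.LOCAL\tT\t-\t1520270100.0\t1520306100.0\taes256-cts-hmac-sha1-96\tT\tT
1520270101.0\tK2\t10.0.0.5\t50001\t10.0.0.10\t88\tTGS\talice/CORP.LOCAL\tcifs/fs01.corp.local\tT\t-\t1520270101.0\t1520306100.0\taes256-cts-hmac-sha1-96\tT\tT
1520270200.0\tK3\t10.0.0.7\t50002\t10.0.0.10\t88\tTGS\tadministrator/CORP.LOCAL\tcifs/dc01.corp.local\tT\t-\t1520270200.0\t1835630200.0\trc4-hmac\tT\tT
"""

KNOWN_DCS = {"10.0.0.10", "10.0.0.11"}   # assumption: your DC inventory
MAX_TICKET_LIFETIME = 10 * 3600          # assumption: AD default max TGT life
# Same alternation the post matches, as a Python regex.
DRSUAPI_OPS = re.compile(r"DRSGetNCChanges.*|DRSCrackNames.*")


def parse_bro_log(text):
    """Parse Bro's TSV format using the #fields header; returns list of dicts."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def find_dcsync_iocs(rows, known_dcs=KNOWN_DCS):
    """Replication-style DRSUAPI calls from hosts outside the DC inventory."""
    return [
        (r["uid"], r["id.orig_h"], r["operation"])
        for r in rows
        if DRSUAPI_OPS.match(r["operation"]) and r["id.orig_h"] not in known_dcs
    ]


def find_ticket_anomalies(rows, max_lifetime=MAX_TICKET_LIFETIME):
    """TGS use without an observed TGT issuance, and over-long lifetimes."""
    issued = set()   # (orig_h, client) pairs seen obtaining a TGT via AS
    anomalies = []
    for r in rows:
        key = (r["id.orig_h"], r["client"])
        if r["request_type"] == "AS" and r["success"] == "T":
            issued.add(key)
        elif r["request_type"] == "TGS" and key not in issued:
            anomalies.append((r["uid"], "tgs_without_observed_tgt"))
        if r["from"] != "-" and r["till"] != "-":
            if float(r["till"]) - float(r["from"]) > max_lifetime:
                anomalies.append((r["uid"], "lifetime_exceeds_policy"))
    return anomalies


if __name__ == "__main__":
    for hit in find_dcsync_iocs(parse_bro_log(DCE_RPC_LOG)):
        print("DRSUAPI from non-DC:", hit)
    for hit in find_ticket_anomalies(parse_bro_log(KERBEROS_LOG)):
        print("Kerberos anomaly:", hit)
```

Two caveats follow from the thread itself. DRSCrackNames is also issued by ordinary admin tooling, so the "not a known DC" filter carries the signal for that operation far more than the opcode does. The TGT-tracking check only works if the sensor sees the AS exchange that issued the ticket: TGTs obtained before the capture window, or through a DC the sensor does not cover, will look "self-generated", and, as Jan notes, an attacker who forges a ticket with a policy-compliant lifetime defeats the lifetime check entirely.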
