Finding Golden Tickets in Kerberos Logs

Hey all,

Does anyone have a reliable method to find Active Directory Golden or Silver Tickets in the Bro Kerberos logs? I was planning to look into doing this (maybe based partially on expiration) but wanted to ask the list first. I appreciate any advice.

Thanks

Please correct me if I am wrong: Golden Tickets are generated using some special account and won't be sent to the "user" like normal TGTs. In that case, keeping track of the issued TGTs might allow detecting "self-generated" Golden Tickets. The same should apply for TGS in case of Silver Tickets.

As far as I know, expiration is usually quite high for Golden/Silver Tickets and thus can be used for detection. However, it should be easy for an attacker to adapt to default expiration times.

Jan
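The two checks Jan describes (keep a record of TGTs the KDC was seen issuing, and compare ticket lifetimes against policy), run over a few constructed kerberos.log lines. This is an added example, not a script from the thread; the column subset, the sample records and the 10-hour policy threshold are assumptions.

```python
# Constructed sample in the Bro/Zeek kerberos.log TSV layout: a subset of the real
# columns, named as in the log's #fields header; from/till are epoch seconds, "-" is unset.
SAMPLE_LOG = (
    "#fields\tts\tid.orig_h\trequest_type\tclient\tservice\tsuccess\tfrom\ttill\n"
    "1500000000.0\t10.0.0.5\tAS\talice/EXAMPLE\tkrbtgt/EXAMPLE\tT\t1500000000.0\t1500036000.0\n"
    "1500000100.0\t10.0.0.5\tTGS\talice/EXAMPLE\tcifs/fs01\tT\t1500000100.0\t1500036000.0\n"
    "1500000200.0\t10.0.0.9\tAS\tbob/EXAMPLE\tkrbtgt/EXAMPLE\tT\t1500000200.0\t1815360200.0\n"
    "1500000300.0\t10.0.0.23\tTGS\tmallory/EXAMPLE\tcifs/dc01\tT\t1500000300.0\t1500036300.0\n"
    "1500000400.0\t10.0.0.9\tTGS\tbob/EXAMPLE\tldap/dc01\tF\t-\t-\n"
)

# Assumed policy: any ticket valid longer than this is out of policy (AD default TGT life is 10 h).
MAX_TICKET_LIFETIME_S = 10 * 3600


def parse_kerberos_log(text):
    """Yield one dict per log record, keyed by the names in the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))


def find_suspicious_tickets(text, max_lifetime=MAX_TICKET_LIFETIME_S):
    """Return (reason, client, ts) findings for successful exchanges:

    1. ticket_lifetime_exceeds_policy: till - from is longer than policy allows.
    2. tgs_without_observed_as: a TGT is being used (TGS request) by a client for
       which no successful AS exchange (TGT issuance) appears earlier in the log,
       which is what a self-generated Golden Ticket looks like from the KDC side.
    """
    issued = set()  # clients whose TGT issuance was observed
    findings = []
    for rec in parse_kerberos_log(text):
        if rec["success"] != "T":
            continue
        if rec["from"] != "-" and rec["till"] != "-":
            if float(rec["till"]) - float(rec["from"]) > max_lifetime:
                findings.append(("ticket_lifetime_exceeds_policy", rec["client"], rec["ts"]))
        if rec["request_type"] == "AS":
            issued.add(rec["client"])
        elif rec["request_type"] == "TGS" and rec["client"] not in issued:
            findings.append(("tgs_without_observed_as", rec["client"], rec["ts"]))
    return findings
```

A TGT issued before the capture window, or by a DC whose traffic is not monitored, produces the second finding too, so it needs a baseline longer than the maximum TGT lifetime before it is meaningful.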

True but an important point about them is their lack of expiration, hence the need to redo the TGT credential after exploit. This would probably still be wise, but that is a primary motivation. I agree it would be interesting to audit tickets on the wire to ensure they appear to be consistent with policy.

If it helps, when I was recreating the attacks in MetaSploit, EMPIRE, and on engagements, I noticed the following:

/DRSGetNCChanges.*/

/DRSCrackNames.*/

event dce_rpc_request(c: connection, fid: count, opnum: count, stub_len: count) &priority=5

When I observe that sort of traffic, not associated to a known AD controller, I use it as the IOC. I’m sure there is a far better way, but that’s my initial stab.

If you want a link to my detection script, I’ll share it.


Hello,

In the arp_main.bro script (https://gist.github.com/grigorescu/a28b814a8fb626e2a7b4715d278198aa), the global "arp_states" gives this weird result:

[mac_addr=00:2c:7h:40:55:55, ip_addr=192.82.180.62, assoc_ips={\x0a\x09192.168.3.254,\x0a\x09192.168.1.254,\x0a\x09195.83.180.62,\x0a\x09192.168.2.254**\x0a**}, requests={\x0a\x0a}]

The part of the arp_main script with the global arp_states: