
Credential Theft using the Pass-The-Ticket method is not generating events in Core


Article ID: 174320


Updated On:

Products

Endpoint Protection
Endpoint Threat Defense for Active Directory

Issue/Introduction

Credential theft using the Pass-The-Ticket method does not generate events in Core when the attack originates from the Core, Deployment Manager, or Domain Controller server.

Example:

A proof-of-concept tool is used to mimic a Pass-The-Ticket attack. The Domain Controller records the resulting Kerberos service ticket request (event ID 4769), shown below.

Windows Event Viewer log entry from a Domain Controller.

Audit Success    3/27/2019 3:39:03 AM    Security-Auditing    4769    Kerberos Service Ticket Operations

A Kerberos service ticket was requested.

Account Information:
    Account Name:           [email protected]
    Account Domain:         JVNDC.COM
    Logon GUID:             {425bc346-ae41-4582-5e50-206f47e5eac9}

Service Information:
    Service Name:           SEPJAVINTG$
    Service ID:             JVNDC\SEPJAVINTG$

Network Information:
    Client Address:         ::ffff:10.218.20.71
    Client Port:            61611

Additional Information:
    Ticket Options:         0x810000
    Ticket Encryption Type: 0x12
    Failure Code:           0x0
    Transited Services:     -

This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

 

Although the Domain Controller logged the 4769 event above, the Core server shows no detection alert for this Pass-The-Ticket attack.

Environment

Symantec Endpoint Protection Manager connected to a Core server, with a non-default administrator account created in the Endpoint Protection Manager.

Resolution

By design, Core does not create alerts for credential theft attacks when the source of the attack is a Core, Deployment Manager, or Domain Controller server. The Device Management component manages the deception account from those servers, so its own legitimate use of the account would otherwise raise false positive alerts and cause alert fatigue. Note that the Domain Controller still writes the 4769 event, as shown above, so deception-account activity originating on those three servers is visible in the Windows Security log even though Core raises no alert for it.
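As an added example, not code from the article or from the product, the following Python script parses 4769 records written in the Event Viewer text layout shown above and applies the same rule Core applies: a service ticket request made with the deception account is alerted on unless its client address belongs to the Core, Deployment Manager, or Domain Controller. The deception account name (svc-decoy), the management-server addresses, and the sample records are all constructed assumptions for this illustration; the IPv4-mapped IPv6 client addresses (::ffff:a.b.c.d) are unmapped before comparison because that is how 4769 reports IPv4 clients.

```python
# Added example (not product code): apply the Core suppression rule to 4769
# records. Account names, addresses and sample records are constructed.
from __future__ import annotations

import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv6Address, ip_address

# Assumption: the deception (honeytoken) account and the addresses of the
# Core, Deployment Manager and Domain Controller that manage it.
DECEPTION_ACCOUNTS = {"svc-decoy"}
MANAGEMENT_HOSTS = {ip_address("10.218.20.71"), ip_address("10.218.20.10")}

# "Key:   value" lines of the Event Viewer text layout; section headings such
# as "Account Information:" carry no value and are skipped.
FIELD = re.compile(r"^[ \t]*(?P<key>[A-Za-z ]+):[ \t]+(?P<val>.+?)[ \t]*$", re.M)


@dataclass(frozen=True)
class TgsRequest:
    event_id: int
    account: str                      # sAMAccountName, lower-cased, realm stripped
    service: str
    client: IPv4Address | IPv6Address
    failure_code: int
    logon_guid: str                   # joins to the 4624 logon on the accessed host


def make_4769(account: str, service: str, client: str, failure: str = "0x0") -> str:
    """Constructed 4769 record in the Event Viewer text layout used in the article."""
    return f"""Audit Success    3/27/2019 3:39:03 AM  Security-Auditing  4769  Kerberos Service Ticket Operations
A Kerberos service ticket was requested.

Account Information:
    Account Name:      {account}
    Account Domain:    JVNDC.COM
    Logon GUID:        {{425bc346-ae41-4582-5e50-206f47e5eac9}}

Service Information:
    Service Name:      {service}
    Service ID:        JVNDC\\{service}

Network Information:
    Client Address:    {client}
    Client Port:       61611

Additional Information:
    Ticket Options:    0x810000
    Ticket Encryption Type:  0x12
    Failure Code:      {failure}
    Transited Services:  -
"""


def sam_name(account: str) -> str:
    """'svc-decoy@JVNDC.COM' or 'JVNDC\\svc-decoy' -> 'svc-decoy'."""
    return account.split("@", 1)[0].rsplit("\\", 1)[-1].lower()


def normalize_addr(text: str) -> IPv4Address | IPv6Address:
    """4769 reports IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); unmap them."""
    addr = ip_address(text)
    if isinstance(addr, IPv6Address) and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def parse_4769(record: str) -> TgsRequest:
    header = re.search(r"Security-Auditing\s+(\d+)", record)
    if header is None:
        raise ValueError("not a Security-Auditing record")
    fields = {m["key"].strip(): m["val"] for m in FIELD.finditer(record)}
    return TgsRequest(
        event_id=int(header.group(1)),
        account=sam_name(fields["Account Name"]),
        service=fields["Service Name"],
        client=normalize_addr(fields["Client Address"]),
        failure_code=int(fields["Failure Code"], 16),
        logon_guid=fields["Logon GUID"],
    )


def classify(req: TgsRequest) -> str:
    """'alert', 'suppressed' (request came from Core/DM/DC) or 'ignore'."""
    if req.event_id != 4769 or req.account not in DECEPTION_ACCOUNTS:
        return "ignore"
    if req.client in MANAGEMENT_HOSTS:
        # Device Management uses the deception account from these servers,
        # so Core suppresses them by design (failed requests included).
        return "suppressed"
    return "alert"


def run_examples() -> dict[str, str]:
    samples = {
        "core":     make_4769("svc-decoy@JVNDC.COM", "SEPJAVINTG$", "::ffff:10.218.20.71"),
        "attacker": make_4769("svc-decoy@JVNDC.COM", "SEPJAVINTG$", "::ffff:10.218.20.200"),
        "normal":   make_4769("jdoe@JVNDC.COM", "FILESRV$", "::ffff:10.218.20.200"),
    }
    return {name: classify(parse_4769(rec)) for name, rec in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:>8}: {verdict}")
```

The "core" sample reproduces the situation in the article (deception account, request from the Core address) and is suppressed; the identical request from a workstation address is alerted on. If you want those suppressed requests reviewed anyway, route the "suppressed" verdicts to a low-priority queue rather than discarding them, since the Domain Controller still holds the 4769 evidence.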