Credential Theft using the Pass-The-Ticket method is not generating events in the Core server if the attack happens on the Core, Deployment Manager, or Domain Controller servers.
Example:
Using a proof of concept attack to mimic a Pass-The-Ticket attack.
Windows Event Viewer log entry from a Domain Controller.
Audit Success 3/27/2019 3:39:03 AM Security-Auditing 4769 Kerberos Service Ticket Operations __ A Kerberos service ticket was requested. __ Account Information: Account Name: ####@EXAMPLE.COM Account Domain: <Your Domain name> Logon GUID: {########-####-####-####-############} __ Service Information: Service Name: <SEP service account name> Service ID: <Service ID> __ Network Information: Client Address: ::ffff:##.###.##.### Client Port: 61611 __ Additional Information: Ticket Options: 0x810000 Ticket Encryption Type: 0x12 Failure Code: 0x0 Transited Services: - __ This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested. __ This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket. Ticket options, encryption types, and failure codes are defined in RFC 4120.
Despite the above Windows Event Viewer log entry, no detection alert in the Core server is seen for this Pass-The-Ticket attack.
Symantec Endpoint Protection Manager connected to a Core server with a non-default administrator account created in the Endpoint Manager.
We currently do not create alerts for any credential theft attacks when the source of the attack comes from a Core, Deployment Manager or Domain Controller server, as a part of our design. Because our Device Management component manages the deception account, it will trigger false positive alerts that will cause unwanted alert fatigue.