Attacker Technique - RC4/DES TGT(Proxiable)+ST Kerberos Tickets Requested (Kerberoasting, Raw)

Hi.

Has anyone else been seeing these alerts? All look to be FP. I wonder if this rule needs tuning?

Looks like there is a new rule:
Attacker Behavior Analytics > Credential Access - Proxiable TGT and Vulnerable Service Tickets Requested (Kerberoasting, Raw).

Is anyone else seeing an influx of these in their environment?

@antmar904 I see the influx of rules you are referring to, however this doesn’t seem to be impacting other customers across the board. The recommendation from the TIDE team would be to follow the recommendations here from the rule:

If the activity is not expected, review asset authentication logs to establish the scope of activity, including all service tickets requested with vulnerable encryption schemes (most often RC4 - 0x17 in the event log). Every service account for which a ticket has been successfully requested by an attacker should be remediated (disable, reset credentials, end active sessions). Remediate the account that requested the initial TGT that was used to request service tickets. Scope for any lateral movement occurring after the time of compromise or unexpected process starts for impacted accounts.

To help prevent Kerberoasting attacks in the future, enforce AES256 encryption on all service accounts and maximize password length and complexity for all service accounts. Disable Kerberos RC4 encryption via Group Policy.

Also please note this rule was recently renamed to provide additional clarity, but it is not a new rule.

David

The alert itself does not contain any “service” accounts…

@david_smith would you have a moment for a call?

@antmar904 I’d like to take a look at these payloads, I’ve requested access to your account to review if you could approve.

Also we can continue this discussion via a support case to arrange a call.

David

Approved, thank you. I pretty much looked at all the payloads and they all seem to be FP.

Enforcing an encryption standard higher than RC4 would stop this from occurring

David

Yeup, unfortunately we can’t ATM.

Hello.

Were you able to find anything interesting in the payloads?

Nothing that stood out to me. As you mentioned these are FPs, it would be best to craft an exclusion for the users it is occurring for, I believe.
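The rule guidance quoted earlier (scope the 4769 service-ticket requests with weak encryption, most often RC4 / 0x17, that follow a proxiable TGT, and remediate every service account hit) and the exclusion for known requesters suggested in the last reply can both be expressed as a small log-triage script. The example below is added here and is not Rapid7's rule logic or anyone's code from this thread. It assumes Windows 4768/4769 events flattened to key=value lines (the sample events are constructed, not real logs), treats the proxiable flag as KDC option bit 3 (0x10000000) per RFC 4120, and uses a hypothetical exclusion set for the expected accounts.

```python
import re
from collections import defaultdict

# Weak ticket encryption types as they appear in Windows 4768/4769 events.
# 0x17 (RC4-HMAC) is the one the rule text calls out; the DES types are weaker still.
WEAK_ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5", "0x17": "RC4-HMAC"}

# KDC option bit 3 (proxiable) in the TicketOptions field, per RFC 4120 section 5.4.1.
PROXIABLE_FLAG = 0x10000000

# Constructed sample events, flattened to key=value lines (not real log data).
SAMPLE_EVENTS = [
    "EventID=4768 TargetUserName=jdoe IpAddress=10.0.0.5 TicketOptions=0x50800000 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql IpAddress=10.0.0.5 TicketOptions=0x40810000 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_backup IpAddress=10.0.0.5 TicketOptions=0x40810000 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS01$ IpAddress=10.0.0.5 TicketOptions=0x40810000 TicketEncryptionType=0x17",
    "EventID=4768 TargetUserName=asmith IpAddress=10.0.0.9 TicketOptions=0x40800000 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_web IpAddress=10.0.0.9 TicketOptions=0x40810000 TicketEncryptionType=0x12",
    "EventID=4769 TargetUserName=asmith@CORP.LOCAL ServiceName=svc_sql IpAddress=10.0.0.9 TicketOptions=0x40810000 TicketEncryptionType=0x17",
    "EventID=4768 TargetUserName=svc_legacy IpAddress=10.0.0.20 TicketOptions=0x50800000 TicketEncryptionType=0x17",
    "EventID=4769 TargetUserName=svc_legacy@CORP.LOCAL ServiceName=svc_sql IpAddress=10.0.0.20 TicketOptions=0x40810000 TicketEncryptionType=0x17",
]

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one flattened event line into a dict of its key=value fields."""
    return dict(FIELD_RE.findall(line))


def normalize_user(name):
    """Strip any realm suffix and case so 4768 and 4769 names compare equal."""
    return name.split("@", 1)[0].lower()


def is_proxiable(ticket_options):
    """True when the proxiable KDC option bit is set in the hex TicketOptions value."""
    return int(ticket_options, 16) & PROXIABLE_FLAG != 0


def is_user_service_account(service_name):
    """Kerberoasting targets user accounts with SPNs; computer accounts ($) and
    krbtgt tickets are out of scope for this check and are skipped."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def proxiable_tgt_requesters(events):
    """(user, source IP) pairs that obtained a proxiable TGT (event 4768)."""
    found = set()
    for ev in map(parse_event, events):
        if ev.get("EventID") == "4768" and is_proxiable(ev["TicketOptions"]):
            found.add((normalize_user(ev["TargetUserName"]), ev["IpAddress"]))
    return found


def kerberoast_alerts(events, excluded_users=()):
    """Requesters that hold a proxiable TGT and then pull weak-etype service
    tickets, mapped to the service accounts hit. `excluded_users` is the
    hypothetical tuning allowlist for known, expected requesters."""
    excluded = {u.lower() for u in excluded_users}
    tgt_holders = proxiable_tgt_requesters(events)
    hits = defaultdict(set)
    for ev in map(parse_event, events):
        if ev.get("EventID") != "4769":
            continue
        user = normalize_user(ev["TargetUserName"])
        if user in excluded or (user, ev["IpAddress"]) not in tgt_holders:
            continue
        if ev["TicketEncryptionType"] in WEAK_ETYPES and is_user_service_account(ev["ServiceName"]):
            hits[user].add(ev["ServiceName"])
    return {u: sorted(s) for u, s in hits.items()}


def weak_etype_service_accounts(events):
    """Remediation scope: every service account for which a weak-etype ticket
    was issued, whoever asked (rule text: disable, reset, end sessions)."""
    accounts = set()
    for ev in map(parse_event, events):
        if (ev.get("EventID") == "4769"
                and ev["TicketEncryptionType"] in WEAK_ETYPES
                and is_user_service_account(ev["ServiceName"])):
            accounts.add(ev["ServiceName"])
    return sorted(accounts)


if __name__ == "__main__":
    for user, services in kerberoast_alerts(SAMPLE_EVENTS, excluded_users={"svc_legacy"}).items():
        print(f"ALERT {user}: weak-etype service tickets for {', '.join(services)}")
    print("remediation scope:", weak_etype_service_accounts(SAMPLE_EVENTS))
```

Run against the constructed sample, the alert list contains only jdoe (svc_backup and svc_sql): asmith never held a proxiable TGT, so its RC4 ticket for svc_sql does not match the rule pattern even though it still lands svc_sql in the remediation scope, and svc_legacy drops out once it is on the exclusion list. That split matters for tuning: excluding a requester silences the alert but does not remove the weak-etype exposure of the service account it touched.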