LoFP / t1558

t1558

Title / Tags
administration activity
administrators or power users may use powerview for troubleshooting
administrators or power users may search for accounts with kerberos pre-authentication disabled for legitimate purposes.
although unlikely, administrators may need to set this flag for legitimate purposes.
although unlikely, legitimate applications may use the same command line parameters as rubeus. filter as needed.
a single endpoint requesting a large number of kerberos service tickets is not common behavior. possible false positive scenarios include but are not limited to vulnerability scanners, administration systems and misconfigured systems.
based on microsoft documentation, legacy systems or applications will use rc4-hmac as the default encryption for kerberos service ticket requests. specifically, systems before windows server 2008 and windows vista. newer systems will use aes128 or aes256.
false positives may include administrators using powerview for troubleshooting and management.
false positives are possible; filtering may be required to restrict to workstations versus domain controllers. filter as needed.
certain scenarios, such as directory service delays or out-of-date lookups, may trigger this detection as a false positive. filter as needed.
http traffic on a non-standard port. verify that the destination ip address is not related to a domain controller.
it is possible false positives will be present based on third-party applications. filtering may be needed.
it is possible third-party applications may add these spns to computer accounts; filtering may be needed.
it is possible third-party applications may have a computer account that adds computer accounts; filtering may be required.
legacy applications.
normal enterprise spn requests activity
older systems that support kerberos rc4 by default, like netapp, may generate false positives. filter as needed.
service accounts used on legacy systems (e.g. netapp)
unlikely
web browsers and third-party applications might generate similar activity. an initial baseline is required.
windows domains with dfl 2003 and legacy systems