Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack
We can quickly identify this by searching for the event logs with the following:
SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp,
       source,
       provider_name,
       eventid,
       task_message,
       data
FROM sophos_windows_events   -- table name assumed: the Live Discover Windows event log table
WHERE eventid IN ('4768')
  AND data LIKE '%Cert%';    -- wildcards are required; LIKE 'Cert' only matches the exact string "Cert"
If you see that "A Kerberos authentication ticket (TGT) was requested" then you may have suffered an attack. It is important to note it is not 100% indicative of such and should be reviewed further.
NOTE: if you are not auditing these events via a Logging Policy on your servers, they will not appear by default.
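As an added example that is not part of the thread, the following runs the query above in SQLite over a few constructed 4768/4769 records, assuming the table is named sophos_windows_events and that the data column holds the event's EventData as JSON (both assumptions about the Live Discover schema). It also shows why a bare LIKE '%Cert%' can be noisy if your telemetry keeps the empty certificate fields that every raw 4768 carries, and a tighter check that keeps only events where a certificate (PKINIT, Pre-Authentication Type 16) was actually used.

```python
import json
import sqlite3

# Constructed sample events shaped like the columns used in the thread's query.
# The table name sophos_windows_events and the JSON form of the data column are
# assumptions about the Live Discover schema, not captured telemetry.
SAMPLE_EVENTS = [
    # PKINIT (certificate) TGT request: Pre-Authentication Type 16, cert fields filled
    (1627900000, "Security", "Microsoft-Windows-Security-Auditing", "4768",
     "Kerberos Authentication Service",
     json.dumps({"TargetUserName": "DC01$", "PreAuthType": "16",
                 "CertIssuerName": "corp-CA", "CertSerialNumber": "4A000002",
                 "CertThumbprint": "AB12CD34"})),
    # Password-based TGT request: the 4768 still carries (empty) certificate fields
    (1627900060, "Security", "Microsoft-Windows-Security-Auditing", "4768",
     "Kerberos Authentication Service",
     json.dumps({"TargetUserName": "jsmith", "PreAuthType": "2",
                 "CertIssuerName": "", "CertSerialNumber": "", "CertThumbprint": ""})),
    # Service ticket request (4769) must never match
    (1627900120, "Security", "Microsoft-Windows-Security-Auditing", "4769",
     "Kerberos Service Ticket Operations",
     json.dumps({"TargetUserName": "jsmith", "ServiceName": "cifs/fs01"})),
]

QUERY = """
SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp,
       source, provider_name, eventid, task_message, data
FROM sophos_windows_events
WHERE eventid IN ('4768') AND data LIKE '%Cert%'
"""


def load_events(rows=SAMPLE_EVENTS):
    """Build an in-memory SQLite table with the assumed schema and the sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE sophos_windows_events (time INTEGER, source TEXT, "
                "provider_name TEXT, eventid TEXT, task_message TEXT, data TEXT)")
    con.executemany("INSERT INTO sophos_windows_events VALUES (?,?,?,?,?,?)", rows)
    return con


def substring_hits(con):
    """The thread's query with wildcards: every 4768 whose data mentions 'Cert'."""
    return con.execute(QUERY).fetchall()


def pkinit_hits(con):
    """Tighter check: keep only 4768 events where a certificate was actually used
    (PreAuthType 16 = PA-PK-AS-REQ, or a populated certificate thumbprint)."""
    hits = []
    for row in substring_hits(con):
        fields = json.loads(row[5])
        if fields.get("PreAuthType") == "16" or fields.get("CertThumbprint"):
            hits.append(row)
    return hits
```

Both functions return the full rows, so the timestamp, source and task_message columns are available for review just as in the Live Discover output.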
Hi Alec Fagan, without seeing your environment, it's very plausible. You should definitely enable auditing on your DCs moving forward.
Thanks for getting back to me. I updated the query and now get the status "finished – errors – no such table: 4768". I know we don't have Kerberos auditing turned on; that is most likely causing the table error, right? -Alec
Hi Alec Fagan,
I had an incorrect field posted by using the column "keywords." I modified the query to use the eventData field.
Full description of Event 4768 here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
Hope this helps!
My results say "finished - error -near success - syntax error". Any idea what I am doing wrong?