Under Review

Query for PetitPotam Events

Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack

We can quickly identify this by searching for the event logs with the following:

SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source,
provider_name, eventid, task_message, data
FROM sophos_windows_events
WHERE eventid
IN '4768' AND data LIKE 'Cert'

If you see that "A Kerberos authentication ticket (TGT) was requested" then you may have suffered an attack. It is important to note it is not 100% indicative of such and should be reviewed further.

NOTE: if you are not auditing these events via a Logging Policy on your servers, they will not appear by default.