Consider the following information regarding ADCS Attacks: https://community.sophos.com/b/security-blog/posts/petitpotam-attack
We can quickly identify this by searching for the event logs with the following:
SELECT datetime(time, 'unixepoch', 'localtime') AS EventTimeStamp, source, provider_name, eventid, task_message, data FROM sophos_windows_events WHERE eventid IN '4768' AND data LIKE 'Cert'
If you see that "A Kerberos authentication ticket (TGT) was requested" then you may have suffered an attack. It is important to note it is not 100% indicative of such and should be reviewed further.
NOTE: if you are not auditing these events via a Logging Policy on your servers, they will not appear by default.
-
Alec Fagan
-
Cancel
-
Vote Up
0
Vote Down
-
-
More
-
Cancel
-
JeramyKopacko
in reply to Alec Fagan
-
Cancel
-
Vote Up
0
Vote Down
-
-
More
-
Cancel
-
JeramyKopacko
in reply to Alec Fagan
-
Cancel
-
Vote Up
0
Vote Down
-
-
More
-
Cancel
Comment-
JeramyKopacko
in reply to Alec Fagan
-
Cancel
-
Vote Up
0
Vote Down
-
-
More
-
Cancel
Children