Commit acdfb59

committed
images and tables
1 parent 8263800 commit acdfb59

12 files changed

+98
-100
lines changed

docs/threatprevention/7.4/admin/analytics/baduseriduser.md

Lines changed: 5 additions & 5 deletions
@@ -20,12 +20,12 @@ Configure the day limit to 30 days.
2020
:::
2121

2222

23-
| Bad User ID (by user) | |
24-
| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
25-
| Definition | Pre-authentication failures using one or more non-existing user IDs |
23+
| Bad User ID (by user) | |
24+
| --------------------- | ------------- |
25+
| Definition | Pre-authentication failures using one or more non-existing user IDs |
2626
| Example | Malware or a bad-actor is attempting to obtain access by guessing a user ID and password but has provided a user ID that does not exist. Most operating systems and devices have default administrative accounts such as “administrator” or “admin”. Because the account name is known, if left unchanged, the account becomes vulnerable to attack. To prevent this, most organizations change the name of these accounts. In the case where the account has been renamed, a perpetrator attempting to hack a well-known account will actually be attempting to authenticate against an account that does not exist and will be detected by this analytic. This analytic looks for attacks, regardless of source, against non-existing accounts. |
27-
| Trigger | Any number of failed authentication attempts made by a non-existing account |
28-
| Recommended Settings | Bad User ID (by user) groups attacks by account name where every new non-existing account will generate an analytic hit. The user-configurable parameter is based on time, where time is used to visualize how often an attempt is made to authenticate using the same non-existing account name. Netwrix recommends setting the default value to 30 days. If an attempt to use that same non-existing account name occurs after the 30 day time period, a new analytic hit will be produced rather than incrementing the previous hit count. |
27+
| Trigger | Any number of failed authentication attempts made by a non-existing account |
28+
| Recommended Settings | Bad User ID (by user) groups attacks by account name where every new non-existing account will generate an analytic hit. The user-configurable parameter is based on time, where time is used to visualize how often an attempt is made to authenticate using the same non-existing account name. <br />Netwrix recommends setting the default value to 30 days. If an attempt to use that same non-existing account name occurs after the 30 day time period, a new analytic hit will be produced rather than incrementing the previous hit count. |
2929

3030
**Analytic Workflow**
3131

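Review bot: In the Recommended Settings row of the Bad User ID table, the inserted `<br />` is a raw HTML line break inside a Markdown table cell; if this file is rendered through MDX, as the `:::` admonition in the context suggests, the self-closing `<br />` form is the one that parses, so it is correct here, but the same convention should then be applied to every analytic table in the set rather than only to the cells that happened to be long. Since the row is being rewritten anyway, two copy fixes belong in this hunk: `30 day time period` should read `30-day time period`, and `bad-actor` in the unchanged Example row above it should be `bad actor`.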
docs/threatprevention/7.4/admin/analytics/forgedpac.md

Lines changed: 6 additions & 6 deletions
@@ -11,12 +11,12 @@ modified PAC. By manipulating the PAC, a field in the Kerberos ticket that conta
1111
authorization data (in Active Directory, this is group membership), an attacker is able to grant
1212
themselves elevated privileges.
1313

14-
| Forged PAC | |
15-
| -------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
16-
| Definition | Kerberos tickets with modified Privilege Account Certificate (PAC) |
17-
| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network. A known vulnerability exists where PAC part of a ticket can be modified to include groups the user is not a member of. If a user on the network were to attempt to use such a ticket, this analytic would detect the altered ticket and generate an alert. |
18-
| Trigger | PAC of the ticket contains RIDs that are not TokenGroups attribute. |
19-
| Recommended Settings | No additional configuration needed |
14+
| Forged PAC | |
15+
| -------------------- | ---------------- |
16+
| Definition | Kerberos tickets with modified Privilege Account Certificate (PAC) |
17+
| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network. <br />A known vulnerability exists where PAC part of a ticket can be modified to include groups the user is not a member of. If a user on the network were to attempt to use such a ticket, this analytic would detect the altered ticket and generate an alert. |
18+
| Trigger | PAC of the ticket contains RIDs that are not TokenGroups attribute. |
19+
| Recommended Settings | No additional configuration needed |
2020

2121
**Analytic Workflow**
2222

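Review bot: The Definition row of the Forged PAC table expands PAC as "Privilege Account Certificate"; the Kerberos structure is the Privilege Attribute Certificate (MS-PAC), and since the row is re-emitted in this hunk it is the right moment to correct it. Two grammar fixes in the same table: the Example row should read "where the PAC part of a ticket can be modified", and the Trigger row should read "PAC of the ticket contains RIDs that are not in the TokenGroups attribute", so the detection condition is stated unambiguously.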
docs/threatprevention/7.4/admin/analytics/goldenticket.md

Lines changed: 6 additions & 6 deletions
@@ -12,12 +12,12 @@ authenticates, the ticket is checked against the maximum ticket lifetime and max
1212
configured within this analytic type. Any ticket that exceeds either ‘maximum’ will trigger an
1313
incident.
1414

15-
| Golden Tickets | |
16-
| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
17-
| Definition | Kerberos tickets with modified maximum lifetimes for a user ticket and maximum lifetimes for a user ticket renewal |
18-
| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network. On TGT expiry, the user account is checked for validity (password, enabled/disabled, group memberships, etc.) and a new TGT is granted. A known vulnerability exists where a domain admin could forge the TGT renewal time, creating an indefinite “golden” ticket. This could be accomplished, and then the underlying account removed, allowing the user to obtain admin access forever with an account that no longer exists. If a user on the network were to attempt to use such a ticket, this analytic would detect the altered ticket and generate an alert. |
19-
| Trigger | Maximum lifetime for a user ticket > than X hours OR Maximum lifetime for a user ticket renewal > Y days |
20-
| Recommended Settings | Netwrix recommends configuring this analytic to trigger a hit if the maximum lifetime for a user ticket is greater than 24 hours or the maximum lifetime for a user ticket renewal is greater than 30 days. |
15+
| Golden Tickets | |
16+
| -------------------- | --------------- |
17+
| Definition | Kerberos tickets with modified maximum lifetimes for a user ticket and maximum lifetimes for a user ticket renewal |
18+
| Example | Kerberos tickets are used as a sort of “pass card” to obtain access to resources. Once a domain controller authenticates a user, a TGT (ticket granting ticket) is granted with a limited lifespan. This is then used to obtain TGS (ticket granting service) and the TGS is what identifies a user to a resource on the network. <br />On TGT expiry, the user account is checked for validity (password, enabled/disabled, group memberships, etc.) and a new TGT is granted. A known vulnerability exists where a domain admin could forge the TGT renewal time, creating an indefinite “golden” ticket. This could be accomplished, and then the underlying account removed, allowing the user to obtain admin access forever with an account that no longer exists. If a user on the network were to attempt to use such a ticket, this analytic would detect the altered ticket and generate an alert. |
19+
| Trigger | Maximum lifetime for a user ticket > than X hours <br />OR <br />Maximum lifetime for a user ticket renewal > Y days |
20+
| Recommended Settings | Netwrix recommends configuring this analytic to trigger a hit if the maximum lifetime for a user ticket is greater than 24 hours or the maximum lifetime for a user ticket renewal is greater than 30 days. |
2121

2222
**Analytic Workflow**
2323

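Review bot: The Trigger row of the Golden Tickets table now reads `Maximum lifetime for a user ticket > than X hours`, which doubles the comparison; write either `> X hours` or `greater than X hours`, matching the wording already used in the Recommended Settings row ("greater than 24 hours"). The `<br />OR<br />` split is a readable way to separate the two conditions, but X and Y stay as placeholders while the Recommended Settings row gives 24 hours and 30 days; either state the recommended values in the Trigger row or label X and Y as the configurable thresholds so readers do not take them for literal settings.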