Trying to work out if Defender for Identity Default Ruleset would alert on specific Win Event IDs
I'm working in CTI and I'm trying to work out if Defender for Identity alerts on all the common attack types towards AD.
I have correlated all the relevant Windows event IDs that are required to be monitored. I'm trying to work out if Defender for Identity can capture all these types based on this?
For example.
Event ID: 4738, 5136
Source: Domain Controllers
Description: These events are generated when a user account is changed. Malicious actors can modify user objects and add a SPN so they can retrieve their Kerberos service ticket. Once the Kerberos service ticket has been retrieved, the user object is modified again and the SPN removed.

Would this be spotted and alerted by Defender for ID?

Event ID: 4769
Source: Domain Controllers
Description: This event is generated when a TGS ticket is requested. When malicious actors execute Kerberoasting, event 4769 is generated for each TGS ticket that is requested for a user object.

Malicious actors commonly try to retrieve TGS tickets with Rivest Cipher 4 (RC4) encryption as these tickets are easier to crack to reveal their cleartext password. If a TGS is requested with RC4 encryption, then the Ticket Encryption Type contains the value '0x17' for event 4769. As this encryption type is less frequently used, there should be fewer instances of event 4769 with RC4 encryption, making it easier to identify potential Kerberoasting activity.

Common offensive security tools used by malicious actors to perform Kerberoasting will set the Ticket Options value to '0x40800000' or '0x40810000'. These values determine the capabilities of the TGS ticket and how it can be used by malicious actors. As these Ticket Options values are commonly used by offensive security tools to perform Kerberoasting, they can be used to identify Kerberoasting activity.

Would this be spotted and alerted by Defender for ID?
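As an added example (not part of the post above, and not Defender for Identity's own logic), the 4769 indicators the poster lists can be turned into a small detection that runs over exported Security events. The event field names (TicketEncryptionType, TicketOptions, ServiceName, TargetUserName, IpAddress) are the standard 4769 fields; the sample events are constructed, and the exclusion of computer accounts and krbtgt is a common tuning assumption, not something the post states.

```python
"""Flag 4769 events matching the Kerberoasting indicators described in the post."""
from collections import defaultdict

# Indicator values quoted in the post
RC4_ETYPE = "0x17"
SUSPICIOUS_TICKET_OPTIONS = {"0x40800000", "0x40810000"}

# Constructed sample events (not real log data): one dict per Security event
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "sql_svc",
     "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000", "IpAddress": "10.0.0.5"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "sql_svc",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40800000", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "web_svc",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000", "IpAddress": "10.0.0.9"},
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000", "IpAddress": "10.0.0.9"},
    {"EventID": 4768, "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000", "IpAddress": "10.0.0.7"},
]


def is_kerberoast_candidate(ev):
    """True when a single 4769 event carries both indicators from the post."""
    if ev.get("EventID") != 4769:
        return False
    svc = ev["ServiceName"]
    # Tuning assumption: computer accounts (name ends in $) and krbtgt are normally excluded,
    # since RC4 tickets for them are not Kerberoast targets and would add noise.
    if svc.endswith("$") or svc.lower() == "krbtgt":
        return False
    return (ev["TicketEncryptionType"].lower() == RC4_ETYPE
            and ev["TicketOptions"].lower() in SUSPICIOUS_TICKET_OPTIONS)


def kerberoast_candidates(events):
    return [e for e in events if is_kerberoast_candidate(e)]


def requesters_over_threshold(events, threshold=2):
    """Group candidates by requesting account and source IP; one account pulling
    RC4 tickets for several distinct SPNs is the stronger signal than a single hit."""
    spns = defaultdict(set)
    for e in kerberoast_candidates(events):
        spns[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    return {k: sorted(v) for k, v in spns.items() if len(v) >= threshold}


if __name__ == "__main__":
    for who, names in requesters_over_threshold(SAMPLE_EVENTS).items():
        print(f"{who[0]} from {who[1]} requested RC4 TGS for: {', '.join(names)}")
```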