Active Directory Credential Request

Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples:

Data Collection Measures:

Security Event Logging:
- Enable "Audit Kerberos Authentication Service" or "Audit Kerberos Service Ticket Operations."
- Captured Events: IDs 4768, 4769, 4624.
Windows Event Forwarding (WEF): Forward domain controller logs to SIEM.
SIEM Integration: Use tools like Splunk or Azure Sentinel for log analysis.
Kerberos Debug Logging:
- Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
- Set DWORD LogLevel to 1.
Azure AD Logs: Monitor Sign-In Logs for authentication and policy issues.
Enable EDR Monitoring:
- Use EDR to detect suspicious processes querying authentication mechanisms (e.g., lsass.exe memory access).

ID: DC0084

Domains: Enterprise

Version: 2.0

Created: 20 October 2021

Last Modified: 22 October 2025

Log Sources

Name	Channel
linux:syslog	Unusual kinit or klist activity
WinEventLog:Kerberos	Kerberos TGS-REQ anomalies without KDC validation (Silver Ticket behavior)
WinEventLog:Security	EventCode=4768
WinEventLog:Security	EventCode=4769
WinEventLog:Security	EventCode=4929

ID	Name	Technique Detected
DET0113	Detect AS-REP Roasting Attempts (T1558.004)	T1558.004
DET0144	Detect Forged Kerberos Golden Tickets (T1558.001)	T1558.001
DET0241	Detect Forged Kerberos Silver Tickets (T1558.002)	T1558.002
DET0157	Detect Kerberoasting Attempts (T1558.003)	T1558.003
DET0522	Detect Kerberos Ticket Theft or Forgery (T1558)	T1558
DET0276	Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse	T1207
DET0240	Detection Strategy for Steal or Forge Authentication Certificates	T1649
DET0409	Detection Strategy for T1550.002 - Pass the Hash (Windows)	T1550.002
DET0352	Detection Strategy for T1550.003 - Pass the Ticket (Windows)	T1550.003