ETW - Authentication - Active Directory Domain Services (Domain Controllers)

Channel: Security.
Events: 4776, 4768, 4769, 4771, 4624, 4625.

Overview

Channel	Conditions	Events
`Security`	Default configuration. For `NTLM` successful or failed authentication attempts.	Event `4776: The domain controller attempted to validate the credentials for an account`. If the `Result Code` field is not equal to `0x0` the authentication failed. The event is associated with the computer from which the logon attempt originated and does not identify the target service. This event is also logged for non Domain Controllers, on the target computer, for logon attempts with local `SAM` accounts.
`Security`	Default configuration. For `Kerberos` ticket request and usage.	If the user has not already retrieved a `TGT` during the session opening on the source host: Event `4768: A Kerberos authentication ticket (TGT) was requested`. If the `Result Code` field is not equal to `0x0` the request failed (but not for a failed authentication). Event `4769: A Kerberos service ticket was requested`. The `ServiceName` and `ServiceSid` fields indicate the service the `service ticket` is requested for. However, for lateral movement, the service and service `SID` are often set to the destination machine account, with no information on the actual service targeted (`RPC`, `CIFS`, etc.).
`Security`	Default configuration. For `Kerberos` failed authentication attempts.	Event `4771: Kerberos pre-authentication failed`. For authentication failures over Kerberos (in case of password spraying or bruteforce over Kerberos for instance).
`Security`	Default configuration. As part of an interactive session opening.	Event `4624: An account was successfully logged on`, with `LogonType` `3` (for the user opening the session on the remote destination).
`Security`	Default configuration.	Event `4625: An account failed to log on`. For authentication failures over NTLM.

Specificities of Domain Controller: authentication versus interactive session opening

As the Domain Controllers only handle the authentication, and will not open a login session in this scenario, no 4624 or 4625 events will be logged.

However, for a remote interactive logon on a domain-joined destination host, a 4624 event of LogonType 3 (and 4768 + 4769 events) will be logged on a Domain Controller (potentially different from the one that processed the authentication from the source host) originating from the destination host (as part of the interactive session opening process).

Tags:

View on GitHub