Security Log Deep Dive: Mapping Active Directory Authentication and Account Management Events to MITRE ATT&CK TTPs

Webinar Registration

When you look at threat reports from the major cyber security incident response practices, attacks utilizing compromised or fraudulent credentials are a disproportionate hot spot. So it makes sense to look for them in your threat hunting. But where do you start? The answer is MITRE ATT&CK. In this real training for free session we will identify the tactics, techniques and procedures (TTPs) in attacks where compromised and fraudulent credentials feature.

But MITRE ATT&CK TTPs only give you a systematic and comprehensive framework for refining your threat hunting efforts. At a literal, technical level, where do you look? What’s the raw data? In today’s networks, even including the cloud, all roads lead to Active Directory. And the raw data for finding attacks on AD credentials is there in the form of the cryptic, fractured and voluminous Windows Security Log.

In this highly technical event, we’ll roll up our sleeves and get our hands dirty with account management events like 4720 and authentication events like:

4768 - A Kerberos authentication ticket (TGT) was requested

4769 - A Kerberos service ticket was requested

4771 - Kerberos pre-authentication failed

I’ll explain what these events mean, but the best part is yet to come. These events individually have limited value, and classic SIEM rules can’t really tease out the kinds of attacks we are looking for. For years I’ve essentially dreamed about multi-faceted queries I wish I could run against these AD security events to find the proverbial needle in the haystack, but the technology just wasn’t there.

That is changing, and in this session we will close the loop between MITRE ATT&CK TTPs and deep analysis of AD security events to recognize malicious activity that is difficult to distinguish from innocent day-to-day operations.

Exabeam is our sponsor, and Andy Skrei will show you an array of their Threat Hunter queries that automate the analytics I’ve shown you to find credential-related attacks against AD using these events from the Security Log.

Please join us for this real training for free event.
