Kerberos Unknown SIDs do exist in Server 2012 R2

  • Question

  • Hello Everyone

    I recently made a post about Kerberos TGT requests on my Server 2012 R2. The Event ID 4768 is this one:

     A Kerberos authentication ticket (TGT) was requested.
    Account Information:
     Account Name:  S-1-5-21-262885580-2243684832-3334250267-1001
     Supplied Realm Name: DomainName.LOCAL
     User ID:   NULL SID
    Service Information:
     Service Name:  krbtgt/DomainName.LOCAL
     Service ID:  NULL SID
    Network Information:
     Client Address:  ::1
     Client Port:  0
    Additional Information:
     Ticket Options:  0x40810010
     Result Code:  0x6
     Ticket Encryption Type: 0xFFFFFFFF
     Pre-Authentication Type: -
    Certificate Information:
     Certificate Issuer Name:  
     Certificate Serial Number: 
     Certificate Thumbprint:  
    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC

    After some research I did on my server, looking at the domain controller, I found out that the unknown SIDs that trigger the Kerberos TGT events are:

    S-1-5-21-262885580-2243684832-3334250267-1153 is the object ID of an old domain computer that I have in Active Directory Users and Computers / Computers.

    And the unknown SID S-1-5-21-262885580-2243684832-3334250267-1001 is the object ID of my domain controller in Active Directory Users and Computers / Domain Controllers.

    Does anyone know what could possibly trigger these Kerberos TGT requests? I also have the ESET Admin Console on the server.

    Wednesday, August 14, 2019 10:56 AM

All replies

  • Hi,

    Thanks for your question.

    Result Code 0x6 (the username doesn't exist): if you see, for example, N events in the last N minutes, this can be an indicator of an account enumeration attack, especially for highly critical accounts.

    S-1-5-21-262885580-2243684832-3334250267-1153 is the object ID of an old domain computer that I have in Active Directory Users and Computers / Computers.

    Is this computer still in use? If this computer is no longer in the domain, you only need to delete it from ADUC.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768

    Best regards,

    Lee


    Just do it.

    Thursday, August 15, 2019 7:10 AM
    Moderator
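Added example, not code from the thread or from Microsoft: a small Python script that implements Lee's "N events in N minutes" check over 4768 messages in the layout quoted in the question. It parses the Account Name, Result Code, Client Address and Service Name fields, flags account names that are SID-shaped (the pattern the question describes), and reports any client address whose 0x6 failures reach a threshold inside a sliding window. The sample events, their timestamps, the account `jsmith`, the 192.0.2.x addresses and the threshold/window values are all constructed for illustration; in a real setup the message text would come from the Security log (for example exported from Event Viewer).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches a Windows security identifier such as S-1-5-21-...-1001.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")
# Pulls the four 4768 fields this check needs; other lines are ignored.
FIELD_RE = re.compile(
    r"^\s*(Account Name|Result Code|Client Address|Service Name):\s*(.*?)\s*$",
    re.MULTILINE,
)


def parse_4768(text):
    """Extract the fields relevant to the 0x6 check from a 4768 message body."""
    fields = dict(FIELD_RE.findall(text))
    account = fields.get("Account Name", "")
    return {
        "account": account,
        "result_code": fields.get("Result Code", ""),
        "client": fields.get("Client Address", ""),
        "service": fields.get("Service Name", ""),
        # A SID in Account Name (with User ID = NULL SID) is what the question shows.
        "account_is_sid": bool(SID_RE.match(account)),
    }


def find_enumeration(events, threshold, window_minutes):
    """events: iterable of (datetime, message). Returns {client: max failures}
    for every client whose 0x6 results reach `threshold` within any
    sliding window of `window_minutes` minutes."""
    window = timedelta(minutes=window_minutes)
    failures = defaultdict(list)
    for ts, msg in events:
        if parse_4768(msg)["result_code"].lower() == "0x6":
            failures[parse_4768(msg)["client"]].append(ts)
    flagged = {}
    for client, times in failures.items():
        times.sort()
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[client] = best
    return flagged


def make_4768(account, result_code, client):
    """Constructed message in the layout of the event quoted in the question."""
    return (
        "A Kerberos authentication ticket (TGT) was requested.\n"
        "Account Information:\n"
        f" Account Name:  {account}\n"
        " Supplied Realm Name: DomainName.LOCAL\n"
        " User ID:   NULL SID\n"
        "Service Information:\n"
        " Service Name:  krbtgt/DomainName.LOCAL\n"
        " Service ID:  NULL SID\n"
        "Network Information:\n"
        f" Client Address:  {client}\n"
        " Client Port:  0\n"
        "Additional Information:\n"
        " Ticket Options:  0x40810010\n"
        f" Result Code:  {result_code}\n"
        " Ticket Encryption Type: 0xFFFFFFFF\n"
        " Pre-Authentication Type: -\n"
    )


# Constructed sample: six 0x6 failures from the loopback address 20 seconds
# apart (the shape of the question's events), one normal success, and one
# isolated 0x6 from a remote host. Timestamps are invented.
T0 = datetime(2019, 8, 14, 10, 0, 0)
SAMPLE_EVENTS = [
    (T0 + timedelta(seconds=20 * i),
     make_4768("S-1-5-21-262885580-2243684832-3334250267-1001", "0x6", "::1"))
    for i in range(6)
] + [
    (T0, make_4768("jsmith", "0x0", "::ffff:192.0.2.10")),
    (T0 + timedelta(minutes=30),
     make_4768("S-1-5-21-262885580-2243684832-3334250267-1153", "0x6", "::ffff:192.0.2.20")),
]

if __name__ == "__main__":
    for ts, msg in SAMPLE_EVENTS:
        e = parse_4768(msg)
        print(ts, e["client"], e["result_code"], e["account"], "SID" if e["account_is_sid"] else "")
    print("flagged:", find_enumeration(SAMPLE_EVENTS, threshold=5, window_minutes=5))
```

Two things the output makes visible that the raw events do not: the flagged client is `::1`, the IPv6 loopback, so the requests in the question originate on the domain controller itself rather than from a remote host, which points at a local service or agent; and the SID-shaped account names can be resolved against the directory to confirm they match the stale computer object and the DC object the question identifies.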