Kerberos Unknown SIDs do exist in Server 2012 R2

  • Question

  • Hello Everyone

    I recently made a post about Kerberos TGT requests on my Server 2012 R2. The Event ID 4768 is this one:

     A Kerberos authentication ticket (TGT) was requested.
    Account Information:
     Account Name:  S-1-5-21-262885580-2243684832-3334250267-1001
     Supplied Realm Name: DomainName.LOCAL
     User ID:   NULL SID
    Service Information:
     Service Name:  krbtgt/DomainName.LOCAL
     Service ID:  NULL SID
    Network Information:
     Client Address:  ::1
     Client Port:  0
    Additional Information:
     Ticket Options:  0x40810010
     Result Code:  0x6
     Ticket Encryption Type: 0xFFFFFFFF
     Pre-Authentication Type: -
    Certificate Information:
     Certificate Issuer Name:  
     Certificate Serial Number: 
     Certificate Thumbprint:  
    Certificate information is only provided if a certificate was used for pre-authentication.

    Pre-authentication types, ticket options, encryption types and result codes are defined in RFC

    After some research on my server, looking at the domain controller, I found out that the unknown SIDs that trigger the Kerberos TGT events are:

    S-1-5-21-262885580-2243684832-3334250267-1153 is the object ID of an old domain computer that I have in Active Directory Users and Computers / Computers.

    And the unknown SID S-1-5-21-262885580-2243684832-3334250267-1001 is the object ID of my domain controller inside Active Directory Users and Computers / Domain Controllers.

    Does anyone know what could possibly trigger the Kerberos TGT requests? I also have the ESET Admin Console on the server.

    Wednesday, August 14, 2019 10:56 AM

All replies

  • Hi,

    Thanks for your question.

    Result Code 0x6 (the username doesn't exist): if you see, for example, N events in the last N minutes, this can be an indicator of an account enumeration attack, especially for highly critical accounts.

    "S-1-5-21-262885580-2243684832-3334250267-1153 is the object ID of an old domain computer that I have in Active Directory Users and Computers / Computers."

    Is this computer still in use? If this computer is no longer in the domain, you only need to delete it from ADUC.

    https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768

    Best regards,

    Lee


    Just do it.

    Thursday, August 15, 2019 7:10 AM
    Moderator
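As an added example (not code from the thread, from Microsoft or from ESET), the following Python check applies Lee's heuristic to 4768 event text: it parses the Account Name, Client Address and Result Code fields out of each message, flags any client address that produces a threshold number of 0x6 failures inside a sliding window, and lists accounts whose Account Name is a raw SID string, which is what the question's events show. The sample event bodies, timestamps, IP addresses, the five-in-five-minutes threshold and the account name jdoe are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4768 message body, trimmed to the fields the checks below read;
# the field layout copies the event quoted in the thread, extra fields are tolerated.
TEMPLATE = """A Kerberos authentication ticket (TGT) was requested.
 Account Name:  {account}
 User ID:   NULL SID
 Client Address:  {addr}
 Result Code:  {code}
"""
SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+-\d+$")
FIELD_RE = re.compile(r"^\s*(Account Name|Client Address|Result Code):\s*(.*?)\s*$", re.M)

def parse_4768(message):
    """Extract account, client address and result code from one 4768 message."""
    f = dict(FIELD_RE.findall(message))
    return {"account": f.get("Account Name", ""), "addr": f.get("Client Address", ""),
            "code": f.get("Result Code", "")}

def find_enumeration(events, threshold=5, window=timedelta(minutes=5)):
    """Client addresses with >= threshold 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) failures
    inside any sliding window; events is a list of (datetime, message) pairs."""
    failures = defaultdict(list)
    for ts, msg in sorted(events):
        ev = parse_4768(msg)
        if ev["code"].lower() == "0x6":
            failures[ev["addr"]].append(ts)
    flagged = set()
    for addr, times in failures.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(addr)
                break
    return flagged

def sid_named_accounts(events):
    """Accounts whose Account Name is a raw SID: the KDC could not resolve the SID
    to a principal, which is why such requests end in 0x6 (as in the thread)."""
    names = {parse_4768(m)["account"] for _, m in events}
    return sorted(n for n in names if SID_RE.match(n))

# Constructed sample: six 0x6 lookups of the DC's own SID from ::1 within three
# minutes, one normal logon, and one 0x6 lookup of the stale computer's SID.
T0 = datetime(2019, 8, 14, 10, 56)
DC_SID = "S-1-5-21-262885580-2243684832-3334250267-1001"
OLD_PC_SID = "S-1-5-21-262885580-2243684832-3334250267-1153"
SAMPLE_EVENTS = [(T0 + timedelta(seconds=30 * i),
                  TEMPLATE.format(account=DC_SID, addr="::1", code="0x6")) for i in range(6)]
SAMPLE_EVENTS += [(T0, TEMPLATE.format(account="jdoe", addr="10.0.0.15", code="0x0")),
                  (T0 + timedelta(minutes=1),
                   TEMPLATE.format(account=OLD_PC_SID, addr="10.0.0.22", code="0x6"))]
```

The ::1 address in the sample mirrors the thread, where the requests come from the domain controller itself; on a real DC the (TimeCreated, Message) pairs would come from the Security log entries with ID 4768.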
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Wednesday, August 21, 2019 6:31 AM
    Moderator
  • Hi,

    Was your issue resolved?

    If you resolved it using our solution, please "mark it as answer" to help other community members find the helpful reply quickly.

    If you resolved it using your own solution, please share your experience and solution here. It will be very beneficial for other community members who have similar questions.

    If not, please reply and tell us the current situation in order to provide further help.

    Best Regards,

    Lee


    Just do it.

    Friday, September 6, 2019 12:28 PM
    Moderator