Active Directory Credential Request (02d090b6-8157-48da-98a2-517f7edd49fc)

Requests for authentication credentials made via Kerberos or via other methods such as NTLM authentication and LDAP queries. Examples:

  • Kerberos TGT and Service Tickets (Event IDs 4768, 4769)
  • NTLM Authentication Events
  • LDAP Bind Requests

Data Collection Measures:

  • Security Event Logging:
    • Enable "Audit Kerberos Authentication Service" or "Audit Kerberos Service Ticket Operations."
    • Captured Events: IDs 4768, 4769, 4624.
  • Windows Event Forwarding (WEF): Forward domain controller logs to SIEM.
  • SIEM Integration: Use tools like Splunk or Azure Sentinel for log analysis.
  • Kerberos Debug Logging:
    • Registry Key: HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
    • Set DWORD LogLevel to 1.
  • Azure AD Logs: Monitor Sign-In Logs for authentication and policy issues.
  • Enable EDR Monitoring:
    • Use EDR to detect suspicious processes querying authentication mechanisms (e.g., lsass.exe memory access).
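As an added example (not part of this galaxy page or of MITRE's data component definition), a small triage routine over constructed 4768/4769 events of the kind the collection measures above produce. The two heuristics it applies are common detection logic for two techniques this component maps to, Kerberoasting (4769 service ticket requests using RC4, encryption type 0x17, for non-machine accounts) and AS-REP Roasting (4768 requests where PreAuthType is 0, i.e. pre-authentication not required); the sample events, field values and the burst threshold are assumptions made for the example.

```python
from collections import Counter

# Constructed sample events; field names follow the 4768/4769 EventData schema,
# values are invented for this example.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WEB01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.5"},           # AES, machine SPN
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},           # RC4, user SPN
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_http",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.5"},           # RC4, user SPN
    {"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.9"},           # TGT renewal, ignored
    {"EventID": 4768, "TargetUserName": "svc_legacy", "PreAuthType": "0",
     "IpAddress": "10.0.0.7"},                                           # no pre-auth
    {"EventID": 4768, "TargetUserName": "carol", "PreAuthType": "2",
     "IpAddress": "10.0.0.8"},                                           # normal pre-auth
]

def is_kerberoast_candidate(ev: dict) -> bool:
    """4769 with RC4 (0x17) for a service account that is not a machine account or krbtgt."""
    spn = ev.get("ServiceName", "")
    return (ev.get("EventID") == 4769
            and ev.get("TicketEncryptionType", "").lower() == "0x17"
            and not spn.endswith("$")
            and spn.lower() != "krbtgt")

def is_asrep_roast_candidate(ev: dict) -> bool:
    """4768 where the account did not perform pre-authentication (PreAuthType 0)."""
    return ev.get("EventID") == 4768 and str(ev.get("PreAuthType", "")) == "0"

def triage(events: list[dict]) -> tuple[list[tuple[str, str, str]], Counter]:
    """Return (findings, rc4_requests_per_source_ip).

    Each finding is (label, source IP, account or SPN involved)."""
    findings: list[tuple[str, str, str]] = []
    rc4_by_ip: Counter = Counter()
    for ev in events:
        if is_kerberoast_candidate(ev):
            findings.append(("kerberoast_candidate", ev["IpAddress"], ev["ServiceName"]))
            rc4_by_ip[ev["IpAddress"]] += 1
        elif is_asrep_roast_candidate(ev):
            findings.append(("asrep_roast_candidate", ev["IpAddress"], ev["TargetUserName"]))
    return findings, rc4_by_ip

def burst_sources(rc4_by_ip: Counter, threshold: int = 2) -> list[str]:
    """Source IPs that requested at least `threshold` RC4 service tickets (assumed cut-off)."""
    return sorted(ip for ip, n in rc4_by_ip.items() if n >= threshold)
```

In a real pipeline the events would come from the forwarded 4768/4769 logs and the threshold would be tuned to the environment's baseline of legacy RC4 use.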
Relationships (13 rows):

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Active Directory Credential Request (02d090b6-8157-48da-98a2-517f7edd49fc) | mitre-data-component | AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) | Attack Pattern | 1 |
| Active Directory Credential Request (02d090b6-8157-48da-98a2-517f7edd49fc) | mitre-data-component | Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) | Attack Pattern | 1 |
| Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) | Attack Pattern | Active Directory Credential Request (02d090b6-8157-48da-98a2-517f7edd49fc) | mitre-data-component | 1 |
| Active Directory Credential Request (02d090b6-8157-48da-98a2-517f7edd49fc) | mitre-data-component | Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | 1 |
| Active Directory Credential Request (02d090b6-8157-48da-98a2-517f7edd49fc) | mitre-data-component | Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) | Attack Pattern | 1 |
| Active Directory Credential Request (02d090b6-8157-48da-98a2-517f7edd49fc) | mitre-data-component | Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | 1 |
| Active Directory Credential Request (02d090b6-8157-48da-98a2-517f7edd49fc) | mitre-data-component | Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) | Attack Pattern | 1 |
| Active Directory Credential Request (02d090b6-8157-48da-98a2-517f7edd49fc) | mitre-data-component | Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | 1 |
| AS-REP Roasting - T1558.004 (3986e7fd-a8e9-4ecb-bfc6-55920855912b) | Attack Pattern | Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | 2 |
| Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) | Attack Pattern | Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | 2 |
| Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) | Attack Pattern | 2 |
| Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) | Attack Pattern | 2 |
| Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) | Attack Pattern | Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) | Attack Pattern | 2 |