Saturday, November 25, 2017

Windows - Event ID 4771 - Kerberos pre-authentication failed

JSON log sample (one 4771 event as shipped by the NXLog im_msvistalog module; the original listing was missing the commas between fields)

{
  "EventTime": "2017/11/17 04:04:12",
  "Hostname": "gh2dcs-adc1.changeme.com",
  "Keywords": -9218868437227405312,
  "EventType": "AUDIT_FAILURE",
  "SeverityValue": 4,
  "Severity": "ERROR",
  "EventID": 4771,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 0,
  "Task": 14339,
  "OpcodeValue": 0,
  "RecordNumber": 2975426997,
  "ProcessID": 772,
  "ThreadID": 17256,
  "Channel": "Security",
  "Message": "Kerberos pre-authentication failed.",
  "Category": "Kerberos Authentication Service",
  "Opcode": "Info",
  "TargetUserName": "SD002931",
  "TargetSid": "S-1-5-21-1210427511-1310429627-2740863702-30071",
  "ServiceName": "krbtgt/changeme.com",
  "TicketOptions": "0x40810010",
  "Status": "0x18",
  "PreAuthType": "2",
  "IpAddress": "::ffff:192.168.248.99",
  "IpPort": "64317",
  "EventReceivedTime": "2017/11/17 04:04:12",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}

This event is logged on domain controllers only, and only failure instances of it exist; there is no "success" 4771. It requires the "Audit Kerberos Authentication Service" subcategory (the "Category" field in the sample) to be enabled for failures. Each DC logs only the requests it served itself, so collect the Security log from every DC, not just one. Note also that an account flagged "Do not require Kerberos preauthentication" never produces a 4771 for a wrong password: the KDC issues the TGT without checking the password first, which is why that setting is so attractive to an attacker (AS-REP roasting).

When a user enters a domain username and password, the workstation sends an AS-REQ to a local DC to obtain a TGT. If authentication succeeds, the DC issues the TGT and logs event ID 4768 (a Kerberos authentication ticket was requested). If the request fails, the DC logs either a failure 4768 or a 4771, depending on where it failed: a request for an unknown principal (status 0x6) is recorded as a 4768 failure, while a request that reached the pre-authentication step and failed there (bad password, disabled or locked-out account, expired password, excessive clock skew) is recorded as a 4771. The "Account Information" section of the event identifies the account that was attempting to log on; in the JSON above these are the TargetUserName and TargetSid fields, TargetSid being the account's SID.

Note: Windows also logs 4768 (and, on failure, 4771) for computer accounts, typically when a workstation boots or a server restarts and the machine itself authenticates to the DC. In these instances you will find the computer name in the User Name (TargetUserName) field. Computer-generated Kerberos events are always identifiable by the $ suffix on the computer account's name, which is the simplest filter for separating machine noise (clock skew, expired tickets) from human logon failures.

Target User Information:
"TargetSid" -> SID of the account (note the field is named TargetSid in 4771, as in the sample above, not TargetUserSid)
"TargetUserName" -> the account that attempted to log on
"TargetDomainName" -> not a separate field in 4771; the realm appears in "ServiceName" (krbtgt/changeme.com), i.e. the TGT request was for the changeme.com realm

These fields identify the account whose pre-authentication failed. Because 4771 is a failure-only event, this is the account that was NOT granted a ticket; do not read it as a successful logon.

Pre-Authentication Type
"PreAuthType" -> the pre-authentication mechanism the client used (PA-DATA type from RFC 4120 / MS-KILE). The sample shows 2, a plain password logon.

PreAuthType   Mechanism                 Meaning
0             (none)                    Logon without pre-authentication
2             PA-ENC-TIMESTAMP          Standard password authentication (client encrypts a timestamp with the password-derived key)
11            PA-ETYPE-INFO             Encryption type info
15            PA-PK-AS-REP_OLD          Smart card logon authentication (older PKINIT)
17            PA-PK-AS-REP              Smart card authentication (PKINIT)
19            PA-ETYPE-INFO2            Encryption type info, version 2
20            PA-SVR-REFERRAL-INFO      KDC referral tickets
138           PA-ENCRYPTED-CHALLENGE    Kerberos armoring (FAST)


Status:
"Status" -> the Kerberos error code the KDC returned (KRB-ERROR error-code from RFC 4120). The sample shows 0x18, the bad-password case. The protocol names are added below for cross-referencing with non-Windows KDC logs; the rows marked * were unexplained in the original table and are kept as they were. The duplicate 0x21 row of the original has been dropped.

Status  Kerberos error                  Description / typical cause
0x0     KDC_ERR_NONE                    No error
0x1     KDC_ERR_NAME_EXP                Client's entry in database has expired
0x2     KDC_ERR_SERVICE_EXP             Server's entry in database has expired
0x3     KDC_ERR_BAD_PVNO                Requested protocol version number not supported
0x4     KDC_ERR_C_OLD_MAST_KVNO         Client's key encrypted in old master key
0x5     KDC_ERR_S_OLD_MAST_KVNO         Server's key encrypted in old master key
0x6     KDC_ERR_C_PRINCIPAL_UNKNOWN     Client not found in Kerberos database (bad user name, or a new computer/user account has not replicated to this DC yet)
0x7     KDC_ERR_S_PRINCIPAL_UNKNOWN     Server not found in Kerberos database (new computer account has not replicated yet, or the computer is pre-Windows 2000)
0x8     KDC_ERR_PRINCIPAL_NOT_UNIQUE    Multiple principal entries in database
0x9     KDC_ERR_NULL_KEY                The client or server has a null key (the administrator should reset the password on the account)
0xA     KDC_ERR_CANNOT_POSTDATE         Ticket not eligible for postdating
0xB     KDC_ERR_NEVER_VALID             Requested start time is later than end time
0xC     KDC_ERR_POLICY                  KDC policy rejects request (e.g. workstation restriction)
0xD     KDC_ERR_BADOPTION               KDC cannot accommodate requested option
0xE     KDC_ERR_ETYPE_NOSUPP            KDC has no support for encryption type
0xF     KDC_ERR_SUMTYPE_NOSUPP          KDC has no support for checksum type
0x10    KDC_ERR_PADATA_TYPE_NOSUPP      KDC has no support for padata type
0x11    KDC_ERR_TRTYPE_NOSUPP           KDC has no support for transited type
0x12    KDC_ERR_CLIENT_REVOKED          Client's credentials have been revoked (account disabled, expired, locked out, or outside logon hours)
0x13    KDC_ERR_SERVICE_REVOKED         Credentials for server have been revoked
0x14    KDC_ERR_TGT_REVOKED             TGT has been revoked
0x15    KDC_ERR_CLIENT_NOTYET           Client not yet valid; try again later
0x16    KDC_ERR_SERVICE_NOTYET          Server not yet valid; try again later
0x17    KDC_ERR_KEY_EXPIRED             Password has expired
0x18    KDC_ERR_PREAUTH_FAILED          Pre-authentication information was invalid (usually a bad password)
0x19    KDC_ERR_PREAUTH_REQUIRED        Additional pre-authentication required*
0x1F    KRB_AP_ERR_BAD_INTEGRITY        Integrity check on decrypted field failed
0x20    KRB_AP_ERR_TKT_EXPIRED          Ticket expired (frequently logged by computer accounts)
0x21    KRB_AP_ERR_TKT_NYV              Ticket not yet valid
0x22    KRB_AP_ERR_REPEAT               Request is a replay
0x23    KRB_AP_ERR_NOT_US               The ticket isn't for us
0x24    KRB_AP_ERR_BADMATCH             Ticket and authenticator don't match
0x25    KRB_AP_ERR_SKEW                 Clock skew too great (workstation's clock too far out of sync with the DC's)
0x26    KRB_AP_ERR_BADADDR              Incorrect net address (IP address change?)
0x27    KRB_AP_ERR_BADVERSION           Protocol version mismatch
0x28    KRB_AP_ERR_MSG_TYPE             Invalid message type
0x29    KRB_AP_ERR_MODIFIED             Message stream modified
0x2A    KRB_AP_ERR_BADORDER             Message out of order
0x2C    KRB_AP_ERR_BADKEYVER            Specified version of key is not available
0x2D    KRB_AP_ERR_NOKEY                Service key not available
0x2E    KRB_AP_ERR_MUT_FAIL             Mutual authentication failed (may be a memory allocation failure)
0x2F    KRB_AP_ERR_BADDIRECTION         Incorrect message direction
0x30    KRB_AP_ERR_METHOD               Alternative authentication method required*
0x31    KRB_AP_ERR_BADSEQ               Incorrect sequence number in message
0x32    KRB_AP_ERR_INAPP_CKSUM          Inappropriate type of checksum in message
0x3C    KRB_ERR_GENERIC                 Generic error (description in e-text)
0x3D    KRB_ERR_FIELD_TOOLONG           Field is too long for this implementation

In practice a 4771 almost always carries 0x18, 0x12, 0x17 or 0x25; the KRB_AP_ERR_* codes belong to the later ticket-presentation exchange and are listed for completeness. For detection, the useful split is: many 0x18 for one TargetUserName from one IpAddress is a brute-force attempt (or a stale cached credential on a service or mapped drive), many 0x18 for many different TargetUserNames from one IpAddress in a short window is a password spray, and 0x12 immediately following a run of 0x18 is the lockout policy doing its job.

Network Information:
"IpAddress" -> the client address as seen by the KDC, i.e. the host the AS-REQ came from (normally the computer where the user is physically present). IPv4 clients are reported as IPv4-mapped IPv6 addresses ("::ffff:192.168.248.99" in the sample); strip the "::ffff:" prefix before matching against IPv4 allow lists or an asset inventory.
"IpPort" -> source port of the AS-REQ on the client.
"WorkstationName" -> 4771 does not carry a workstation name field (compare the sample above, which has only IpAddress and IpPort); resolve IpAddress through DNS or DHCP logs when the host name is needed.
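The following is an added example, not code from the original post: a small Python detector that reads 4771 events in the NXLog JSON shape shown above, decodes the Status and PreAuthType values from the tables, strips the "::ffff:" prefix from IpAddress, separates computer accounts by the trailing $, and then applies the two bad-password patterns described under the status table (password spray: one source IP, many users; brute force: one user, many attempts). The log lines are constructed for the example, the thresholds and the 10-minute window are illustrative, and only a subset of the status codes is decoded.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Decoders for the codes that actually matter when triaging 4771 (subset of the tables above).
STATUS = {
    "0x6":  "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    "0x12": "KDC_ERR_CLIENT_REVOKED",
    "0x17": "KDC_ERR_KEY_EXPIRED",
    "0x18": "KDC_ERR_PREAUTH_FAILED",
    "0x25": "KRB_AP_ERR_SKEW",
}
PREAUTH = {
    "0": "none", "2": "PA-ENC-TIMESTAMP (password)", "15": "PA-PK-AS-REP_OLD (smart card)",
    "17": "PA-PK-AS-REP (smart card)", "138": "PA-ENCRYPTED-CHALLENGE (FAST)",
}


def normalize_ip(addr):
    """Windows reports IPv4 clients as IPv4-mapped IPv6 ("::ffff:a.b.c.d"); strip the prefix."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def parse_event(line):
    """Parse one NXLog JSON line; return a flat record for 4771, or None for any other event."""
    ev = json.loads(line)
    if ev.get("EventID") != 4771:
        return None
    user = ev["TargetUserName"]
    status = ev["Status"].lower()
    return {
        "time": datetime.strptime(ev["EventTime"], "%Y/%m/%d %H:%M:%S"),
        "dc": ev["Hostname"],
        "user": user,
        "is_computer": user.endswith("$"),   # machine accounts carry a trailing $
        "status": status,
        "status_name": STATUS.get(status, "other"),
        "preauth": PREAUTH.get(ev["PreAuthType"], ev["PreAuthType"]),
        "ip": normalize_ip(ev["IpAddress"]),
        "port": int(ev["IpPort"]),
    }


def load_events(lines):
    return [e for e in (parse_event(l) for l in lines) if e]


def _windows(evts, window):
    """Two-pointer sweep: for each event, yield it together with the later events inside `window`."""
    evts = sorted(evts, key=lambda e: e["time"])
    j = 0
    for i, first in enumerate(evts):
        while j < len(evts) and evts[j]["time"] - first["time"] <= window:
            j += 1
        yield evts[i:j]


def detect(events, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Flag bad-password (Status 0x18) patterns for user accounts only:
    password spray = one source IP, many distinct users; brute force = one user, many attempts.
    Thresholds are illustrative; tune them to the environment."""
    bad_pw = [e for e in events if e["status"] == "0x18" and not e["is_computer"]]
    by_ip, by_user = defaultdict(list), defaultdict(list)
    for e in bad_pw:
        by_ip[e["ip"]].append(e)
        by_user[e["user"]].append(e)
    findings = []
    for ip, evts in by_ip.items():
        for win in _windows(evts, window):
            users = {e["user"] for e in win}
            if len(users) >= spray_users:
                findings.append(("password_spray", ip, len(users)))
                break
    for user, evts in by_user.items():
        for win in _windows(evts, window):
            if len(win) >= brute_attempts:
                findings.append(("brute_force", user, len(win)))
                break
    return sorted(findings)


def make_line(time, user, ip, status="0x18", preauth="2", event_id=4771):
    """Constructed test input in the shape of the NXLog sample above (not real log data)."""
    return json.dumps({
        "EventTime": time, "Hostname": "gh2dcs-adc1.changeme.com", "EventType": "AUDIT_FAILURE",
        "EventID": event_id, "SourceName": "Microsoft-Windows-Security-Auditing",
        "Channel": "Security", "Category": "Kerberos Authentication Service",
        "TargetUserName": user, "ServiceName": "krbtgt/changeme.com", "TicketOptions": "0x40810010",
        "Status": status, "PreAuthType": preauth, "IpAddress": "::ffff:" + ip, "IpPort": "64317",
    })


SAMPLE_LINES = (
    [make_line("2017/11/17 04:04:12", "SD002931", "192.168.248.99")]            # the page's event
    + [make_line(f"2017/11/17 04:05:{10 * i:02d}", u, "10.0.0.5")               # spray: 5 users, 1 IP
       for i, u in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [make_line(f"2017/11/17 04:10:{10 * i:02d}", "jdoe", "10.0.0.7") for i in range(5)]  # brute force
    + [make_line("2017/11/17 04:11:00", "WS01$", "10.0.0.9", status="0x25")]     # computer account, clock skew
    + [make_line("2017/11/17 04:12:00", "locked.user", "10.0.0.8", status="0x12")]
    + [make_line("2017/11/17 04:13:00", "SD002931", "10.0.0.3", status="0x0", event_id=4768)]  # not 4771
)

if __name__ == "__main__":
    events = load_events(SAMPLE_LINES)
    for e in events:
        print(f'{e["time"]} {e["user"]:<12} {e["status"]:<5} {e["status_name"]:<28} {e["ip"]}:{e["port"]}')
    for finding in detect(events):
        print("ALERT", *finding)
```

Feed it the real NXLog output (one JSON object per line) instead of SAMPLE_LINES to run it against a DC's Security log. The two-pointer window keeps the sweep linear in the number of events per key, and the computer-account filter removes the boot-time noise that otherwise dominates 4771 counts.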
