SIEM - Detect Replay Attack in Windows System


A replay attack (also known as playback attack) is a form of network attack in which a valid data transmission is maliciously or fraudulently repeated or delayed.

Detection

In a Windows infrastructure, event ID 4649 is generated on the domain controller when the KRB_AP_ERR_REPEAT Kerberos response is sent to the client. This event indicates that a Kerberos replay attack was detected: a request was received twice with identical information.

Domain controllers cache information from recently received tickets. If the server name, client name, time, and microsecond fields from the Authenticator match recently seen entries in the cache, the domain controller returns KRB_AP_ERR_REPEAT.

Log Sample
A replay attack was detected.

Subject:

Security ID:%1
Account Name:%2
Account Domain:%3
Logon ID:%4

Credentials Which Were Replayed:

Account Name:%5
Account Domain:%6

Process Information:

Process ID:%12
Process Name:%13

Network Information:
Workstation Name:%10

Detailed Authentication Information:

Request Type:%7
Logon Process:%8
Authentication Package:%9
Transited Services:%11


Note: This event can also be generated by network misconfiguration or routing problems (for example, a duplicated packet). Even so, it is still recommended to investigate whenever this event occurs.

SIEM Rule:
query: event_id=4649

Interesting Fields:
Account Name
Account Domain
Workstation Name
Request Type
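As an added example (not code from the original post), the script below applies the rule above to a few constructed JSON-line records as a log forwarder might ship them, keeps the interesting fields, and ranks each (account, workstation) group so that a lone 4649 (possibly a duplicated packet, per the note above) is separated from a burst. The JSON field names and the burst threshold are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: JSON lines of Security events (assumed forwarder field names).
SAMPLE_LOG = """
{"event_id":4649,"time":"2024-05-01T10:00:01Z","account_name":"jdoe","account_domain":"CORP","workstation_name":"WS-041","request_type":"1"}
{"event_id":4624,"time":"2024-05-01T10:00:02Z","account_name":"jdoe","account_domain":"CORP","workstation_name":"WS-041"}
{"event_id":4649,"time":"2024-05-01T10:00:05Z","account_name":"svc_backup","account_domain":"CORP","workstation_name":"WS-207","request_type":"1"}
{"event_id":4649,"time":"2024-05-01T10:00:09Z","account_name":"svc_backup","account_domain":"CORP","workstation_name":"WS-207","request_type":"1"}
{"event_id":4649,"time":"2024-05-01T10:00:12Z","account_name":"svc_backup","account_domain":"CORP","workstation_name":"WS-207","request_type":"1"}
"""

INTERESTING = ("account_name", "account_domain", "workstation_name", "request_type")


def select_4649(lines):
    """Apply the SIEM rule (event_id=4649) and keep only the interesting fields."""
    hits = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        if rec.get("event_id") != 4649:
            continue
        hit = {k: rec.get(k) for k in INTERESTING}
        hit["time"] = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        hits.append(hit)
    return hits


def prioritise(hits, window=timedelta(minutes=5), burst=3):
    """Group hits per (domain, account, workstation). One replay may be a duplicated
    packet; 'burst' or more inside 'window' is the assumed threshold for 'priority'."""
    groups = defaultdict(list)
    for h in hits:
        groups[(h["account_domain"], h["account_name"], h["workstation_name"])].append(h["time"])
    result = {}
    for key, times in groups.items():
        times.sort()
        level = "investigate"
        for i in range(len(times)):
            if i + burst - 1 < len(times) and times[i + burst - 1] - times[i] <= window:
                level = "priority"
                break
        result[key] = {"count": len(times), "level": level}
    return result


if __name__ == "__main__":
    for key, info in prioritise(select_4649(SAMPLE_LOG)).items():
        print(key, info)
```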
