Nyxxx
Copper Contributor
Oct 31, 2024

Trying to work out if Defender for Identity Default Ruleset would alert on specific Win Event IDs

I'm working in CTI and I'm trying to work out if Defender for Identity alerts on all the common attack types towards AD.

I have correlated all the relevant Windows event IDs that are required to be monitored. I'm trying to work out if Defender for Identity can capture all these types based on this?

For example.

Event ID | Source | Description

4738, 5136 | Domain Controllers | These events are generated when a user account is changed. Malicious actors can modify user objects and add a SPN so they can retrieve their Kerberos service ticket. Once the Kerberos service ticket has been retrieved, the user object is modified again and the SPN removed.

Would this be spotted and alerted by Defender for ID?

4769 | Domain Controllers | This event is generated when a TGS ticket is requested. When malicious actors execute Kerberoasting, event 4769 is generated for each TGS ticket that is requested for a user object.

Malicious actors commonly try to retrieve TGS tickets with Rivest Cipher 4 (RC4) encryption as these tickets are easier to crack to reveal their cleartext password. If a TGS is requested with RC4 encryption, then the Ticket Encryption type contains the value ‘0x17’ for event 4769. As this encryption type is less frequently used, there should be fewer instances of event 4769 with RC4 encryption, making it easier to identify potential Kerberoasting activity.

Common offensive security tools used by malicious actors to perform Kerberoasting will set the Ticket Options value to ‘0x40800000’ or ‘0x40810000’. These values determine the capabilities of the TGS ticket and how it can be used by malicious actors. As these Ticket Options values are commonly used by offensive security tools to perform Kerberoasting, they can be used to identify Kerberoasting activity.

Would this be spotted and alerted by Defender for ID?

  • Alikoc
    Iron Contributor
    Hello,
    Event ID 4738/5136, MDI can alert on abnormal account modifications, including SPN changes, which are often tied to Kerberoasting preparations.
    Event ID 4769, MDI can detect unusual Kerberos TGS requests, especially those associated with Kerberoasting attempts using weak encryption like RC4.
    By monitoring these Event IDs, Microsoft Defender for Identity should be able to alert you on suspicious activities commonly associated with attacks on Active Directory, specifically Kerberos ticket manipulation and account modification attempts. Ensure your security team regularly reviews MDI alerts and keeps domain controllers and MDI sensors updated for optimal detection capabilities.
    Best Regards,
    Ali Koc

    • Nyxxx
      Copper Contributor

      Alikoc, thank you very much for the comeback. I actually have a list of ones that I am trying to find out if they report on or not. Please see below. I would greatly appreciate it if you could tell me if there are any gaps from the list that DFI won't alert on.

      Event ID | Source | Description
      4738, 5136 | Domain Controllers | These events are generated when a user account is changed. Malicious actors can modify user objects and add a SPN so they can retrieve their Kerberos service ticket. Once the Kerberos service ticket has been retrieved, the user object is modified again and the SPN removed.
      4769 | Domain Controllers | This event is generated when a TGS ticket is requested. When malicious actors execute Kerberoasting, event 4769 is generated for each TGS ticket that is requested for a user object.

      Malicious actors commonly try to retrieve TGS tickets with Rivest Cipher 4 (RC4) encryption as these tickets are easier to crack to reveal their cleartext password. If a TGS is requested with RC4 encryption, then the Ticket Encryption type contains the value ‘0x17’ for event 4769. As this encryption type is less frequently used, there should be fewer instances of event 4769 with RC4 encryption, making it easier to identify potential Kerberoasting activity.

      Common offensive security tools used by malicious actors to perform Kerberoasting will set the Ticket Options value to ‘0x40800000’ or ‘0x40810000’. These values determine the capabilities of the TGS ticket and how it can be used by malicious actors. As these Ticket Options values are commonly used by offensive security tools to perform Kerberoasting, they can be used to identify Kerberoasting activity.
      4625 | Domain Controllers | This event is generated when an account fails to log on. AS-REP Roasting can be executed prior to authentication, meaning malicious actors only need to be connected to the domain without needing a valid user object. The AS-REP ticket is still retrieved, but event 4625 is generated as no valid credentials were provided when requesting the ticket. If AS-REP Roasting is executed in the context of a valid user object, then the AS-REP ticket is retrieved, valid credentials are provided and event 4625 is not generated. Event 4625 can be correlated with event 4768 to confirm if AS-REP Roasting was executed in the context of a valid domain user object.
      4738, 5136 | Domain Controllers | These events are generated when a user account is changed. Malicious actors can modify user objects and configure them to not require Kerberos pre-authentication as a technique to retrieve their AS-REP ticket. Once the AS-REP ticket service ticket has been retrieved, the user object is modified again to require Kerberos pre-authentication. If these events are generated for changes to the Kerberos pre-authentication, it may indicate AS-REP Roasting occurred.
      4768 | Domain Controllers | This event is generated when a TGT is requested. Malicious actors executing AS-REP Roasting trigger this event as the AS-REP message that is returned from a Domain Controller contains a TGT. If this event is triggered multiple times in a short timeframe, it may indicate AS-REP Roasting has occurred.

      Malicious actors will commonly try to retrieve TGT tickets with Rivest Cipher 4 (RC4) encryption as these TGT tickets are easier to crack to reveal their cleartext password. If a TGT is requested with RC4 encryption, then the Ticket Encryption type will contain the value ‘0x17’ for event 4769. As this encryption type is less frequently used, there should be fewer instances of event 4769 with this encryption type, making it easier to identify potential AS-REP Roasting.
      2889 | Domain Controllers | This event is generated when a computer object tries to make an unsigned LDAP bind. Malicious actors using the LDAP protocol to conduct password spraying generate this event as each password attempt makes an unsigned LDAP bind. If numerous 2889 events occur in a short timeframe, this may indicate password spraying occurred using the LDAP protocol.
      4624 | Domain Controllers | This event is generated when an object logs on successfully, such as to a user object. If this event occurs near-simultaneously with 4625 events, this can indicate a user object was successfully logged on to as a result of password spraying.
      4625 | Domain Controllers | This event is generated when an object fails to log on via the SMB protocol. Common password spraying tools default to attempting authentication using the SMB protocol. If numerous 4625 events occur in a short timeframe, this may indicate password spraying occurred using the SMB protocol.

      Other protocols, such as LDAP, can also be used for password spraying. Malicious actors may choose to use a different protocol to avoid detection.

      The ‘badPasswordTime’ user object attribute in Active Directory can be queried to identify the date and time of the last failed authentication attempt. If multiple user objects share the same date and time, or nearly the same date and time, this may indicate password spraying occurred.
      4648 | Source of password spraying, such as a domain joined workstation or server | This event is generated when a logon is attempted using explicit credentials. If password spraying is executed on a domain joined system, this event is generated for each authentication attempt. If numerous 4648 events exist with different usernames in a short timeframe, this can indicate password spraying was executed on the system.

      Note: if malicious actors have established a tunnel from their infrastructure, they may be able to execute password spraying using their own systems; if this is the case, this event will not be generated.
      4740 | Domain Controllers | This event is generated when a user object is locked out. Password spraying can cause user objects to be locked out due to the number of failed authentication attempts. If multiple user objects are locked out in a short period of time, this may indicate password spraying occurred.

      Many password spraying tools check the domain’s lockout policy and the number of failed authentication attempts for user objects to avoid lockout as a means to avoid detection.
      4771 | Domain Controllers | This event is generated when Kerberos pre-authentication fails. In an attempt to evade detection, malicious actors may use the LDAP protocol to execute password spraying. In this case, event 4771 generates the ‘Failure Code’ property of ‘0x18’. This value means the incorrect password is the cause for the event.

      The ‘badPasswordTime’ user object attribute in Active Directory can be queried to identify the date and time of the last failed authentication attempt. If multiple user objects share the same date and time, or nearly the same date and time, this may indicate password spraying occurred.
      4624 | Domain Controllers | This event is generated when an object successfully logs on. This event can be correlated with event 4741 to identify if the computer object created by malicious actors has authenticated to the domain.
      4724 | Domain Controllers | This event is generated when an attempt is made to reset an object’s password. When malicious actors create a new computer object, they set its password so they can subsequently authenticate as the computer object. If this event is generated at the same time (or near the same time) as event 4741, this may indicate a MachineAccountQuota compromise has occurred.
      4741 | Domain Controllers | This event is generated when a computer object is created in Active Directory. This event can be used to identify a computer object created by malicious actors as part of a MachineAccountQuota compromise. If the computer object is created by user objects that do not normally create computer objects, this may indicate a MachineAccountQuota compromise has occurred.
      4103 | Computer objects configured for unconstrained delegation | This event is generated when PowerShell executes and logs pipeline execution details. Common malicious tools, such as Rubeus, use PowerShell to leverage unconstrained delegation. Analysing this event for unusual PowerShell executions may indicate an unconstrained delegation compromise has occurred.
      4104 | Computer objects configured for unconstrained delegation | This event is generated when PowerShell executes code to capture scripts and commands. Analysing this event for unusual PowerShell executions may indicate an unconstrained delegation compromise has occurred.
      4624 | Computer objects configured for unconstrained delegation; Domain Controllers | This event is generated when malicious actors need to authenticate to a computer object configured for unconstrained delegation. This event should be analysed for unusual authentication activity, such as user objects that do not commonly log on and unusual logon times.

      Separately, this event should be analysed where the Source Network Address matches the internet protocol address of a computer configured for unconstrained delegation. This may indicate the computer object is being used to leverage unconstrained delegation to compromise a Domain Controller.
      4688 | Computer objects configured for unconstrained delegation | This event is generated when a new process is created, such as extracting TGTs from the LSASS process (this is commonly done using malicious tools). These events can be analysed to determine if the new process is malicious or not.

      Below are common commands executed by malicious actors to dump the LSASS process:

          procdump.exe -accepteula -ma lsass.exe lsass.dmp
          .\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump <PID> C:\lsass.dmp full
          sekurlsa::minidump C:\lsass.DMP.
      4770 | Domain Controllers | This event is generated when a TGT is renewed. By default, TGTs have a maximum lifetime of seven days; however, malicious actors may choose to renew a TGT to extend its lifetime. This may indicate a TGT has been compromised as a result of malicious actors leveraging unconstrained delegation.
      39 | Domain Controllers | This event is generated when no strong certificate mappings can be found, and the certificate does not have a new Security Identifier (SID) extension that the Key Distribution Centre (KDC) could validate. This event is logged in the ‘Kerberos-Key-Distribution-Center’ log.
      40 | Domain Controllers | This event is generated when a certificate is supplied that was issued to the user before the user existed in Active Directory and no strong mapping is found.
      41 | Domain Controllers | This event is generated when a certificate is supplied where the SID contained in the new extension of the user's certificate does not match the user’s SID, implying that the certificate was issued to another user. This may indicate that malicious actors are attempting to authenticate with a certificate with a SAN that does not match their current account.
      1102 | Root and subordinate CAs | This event is generated when the Security audit log is cleared. To avoid detection, malicious actors may clear this audit log to remove any evidence of their activities. Analysing this event can assist in identifying if an AD CS CA has been compromised.
      4674 | Domain Controllers | This event is generated when an attempt is made to perform privileged operations on a protected subsystem object after the object is already opened. This may be triggered when malicious actors attempt to change security descriptors of a certificate template. The ‘Object Name’ field lists the certificate template name as the value that can determine which template was changed.
      4768 | Domain Controllers | This event is generated when a TGT is requested. The ‘PreAuthType’ of ‘16’ indicates that a certificate was used in the TGT request.
      4886 | Root and subordinate CAs | This event is generated when AD CS receives a certificate request. This may indicate if malicious actors attempted to elevate privileges by requesting an authentication certificate for a privileged user.
      4887 | Root and subordinate CAs | This event is generated when AD CS approves a certificate request and issues a certificate. This may be used to indicate when malicious actors successfully escalated privileges using AD CS.
      4899 | Root and subordinate CAs | This event is generated when a certificate template is updated. This may occur when malicious actors attempt to modify a certificate template to introduce additional features that may make it vulnerable to privilege escalation.
      4900 | Root and subordinate CAs | This event is generated when security settings on a Certificate Services template are updated. This may occur when the Access Control List on the template has been modified to potentially introduce vulnerable conditions, such as modification of enrolment rights to a certificate template.
      70 | CAPI2 logs on the root and subordinate CAs | This event is generated when a certificate is exported. This event should be filtered to check that the ‘subjectName’ field matches that of a CA certificate.
      1102 | Root and subordinate CAs | This event is generated when the ‘Security’ audit log is cleared. To avoid detection, malicious actors may clear this audit log to remove any evidence of their activities. Analysing this event can assist in identifying if an AD CS CA has been compromised.
      4103 | Root and subordinate CAs | This event is generated when PowerShell executes and logs pipeline execution details. Common tools such as Certutil and Mimikatz use PowerShell. Analysing this event for PowerShell execution relating to these tools may indicate a Golden Certificate.
      4104 | Root and subordinate CAs | This event is generated when PowerShell executes code to capture scripts and commands. Common tools such as Certutil and Mimikatz use PowerShell. Analysing this event for PowerShell execution relating to these tools may indicate a Golden Certificate.
      4876 | Root and subordinate CAs | This event is triggered when a backup of the CA database is started. This does not return any logs for exporting the private key, but may be an indicator of other potentially suspicious activity occurring on a CA.
      4662 | Domain Controllers | This event is generated when an operation is performed on an object. When DCSync is executed, this event is generated on the targeted Domain Controller, and the event properties contain the following values:

          1131f6ad-9c07-11d1-f79f-00c04fc2dcd2 (DS-Replication-Get-Changes-All)
          19195a5b-6da0-11d0-afd3-00c04fd930c9 (Domain-DNS class WRITE_DAC)
          89e95b76-444d-4c62-991a-0facbeda640c (DS-Replication-Get-Changes-In-Filtered-Set)

      If this event is not generated by a Domain Controller, it may indicate a DCSync has occurred.
      1102 | Domain Controllers | This event is generated when the ‘Security’ audit log is cleared. To avoid detection, malicious actors may clear this audit log to remove any evidence of their activities. Analysing this event can assist in identifying if a Domain Controller has been compromised.
      4103 | Domain Controllers | This event is generated when PowerShell executes and logs pipeline execution details. Malicious actors commonly leverage PowerShell in their compromises. Analysing this event for PowerShell execution relating to the ntds.dit file may indicate dumping of the ntds.dit file.
      4104 | Domain Controllers | This event is generated when PowerShell executes code to capture scripts and commands. Malicious actors commonly leverage PowerShell in their compromises. Analysing this event for PowerShell execution relating to the ntds.dit file may indicate dumping of the ntds.dit file.
      4656 | Domain Controllers | This event is generated when a handle to an object has been requested, such as a file: for example, when malicious actors attempt to access the ntds.dit file in any way (e.g., read, write or delete). If the ‘Object Name’ value in the event matches the ntds.dit file, this may indicate the ntds.dit file has been compromised.
      4663 | Domain Controllers | This event is generated when the System Access Control List (SACL) is enabled for the ntds.dit file and an attempt is made to access, read, write, or modify an object, such as a file. If the ‘Object Name’ value in the event matches the ntds.dit file, this may indicate the ntds.dit file has been compromised.
      4688 | Domain Controllers | This event is generated when a new process has been created. This event provides context of the commands and parameters that are executed when a new process is created. Malicious actors are likely to create a new process when dumping the ntds.dit file, such as via PowerShell, Volume Shadow Copy Service or Ntdsutil.
      8222 | Domain Controllers | This event is generated when a shadow copy is made. Making a shadow copy of the ntds.dit file is a common way to bypass file lock restrictions. This event can be analysed to determine if the shadow copy was legitimate or not.
      4768 | Domain Controllers | This event is generated when a TGT is requested. This event, and event 4769, can be correlated to identify a potential Golden Ticket. Specifically, Kerberos authentication starts with an object requesting a TGT and subsequently providing this TGT to request a TGS ticket to access a specific service or resource. Both the TGT and TGS ticket requests generate events, 4768 and 4769. If event 4769 exists, but a corresponding event 4768 does not, this is indicative that a TGT has been forged and a Golden Ticket may have occurred. If the TGT has been forged offline, event 4768 will not exist as it was never requested from the KDC on a Domain Controller.
      4769 | Domain Controllers | This event is generated when a TGS ticket is requested. This event can be checked for inconsistent information, such as a weaker cryptographic algorithm than the default for the domain. This event can also be correlated with event 4768 to identify the potential use of a forged TGT.
      4624 | Target computer | This event is generated when an account is logged into a computer. It can be correlated and analysed with event 4627 for signs of a potential Silver Ticket.
      4627 | Target computer | This event is generated alongside event 4624 and provides additional information regarding the group membership of the account that logged in. This event can be analysed for discrepancies, such as mismatching SID and group membership information, associated with the user object that logged on. Note that a Silver Ticket forges the TGS, which can contain false information, such as a different SID to the user object logging on and different group memberships. Malicious actors falsify this information to escalate their privileges on the target computer object.
      70 | AD FS Servers | This event is generated when a certificate’s private key is exported. Extracting the private key is the first step in a Golden SAML.
      307 | AD FS Servers | This event is generated when there is a change to the AD FS configuration. Malicious actors may add a new trusted AD FS server they can control instead of extracting the certificate and other information from an existing AD FS server.
      510 | AD FS Servers | This event provides additional information and can be correlated with event 307 with the same instance ID. Any events generated for changes to AD FS should be investigated to confirm if the changes were authorised or not.
      1007 | AD FS Servers | This event is generated when a certificate is exported. The first step of a Golden SAML is to export the signing certificate from an AD FS server.
      1102 | AD FS Servers | This event is generated when the ‘Security’ audit log is cleared. To avoid detection, malicious actors may clear this audit log to remove any evidence of their activities. Analysing this event can assist in identifying if an AD FS server has been compromised.
      1200 | AD FS Servers | This event is generated when AD FS issues a valid token as part of the authentication process with a service provider, such as Microsoft 365 or Azure. A Golden SAML bypasses AD FS servers, resulting in the absence of this event (and event 1202). This event can be correlated with authentication events from service providers to identify the absence of AD FS authentication events, which may be a sign that a forged SAML response was used.
      1202 | AD FS Servers | This event is generated when AD FS validates a new credential as part of the authentication process with a service provider, such as Microsoft 365 or Azure. A Golden SAML bypasses AD FS servers, resulting in the absence of this event (and event 1200). This event can be correlated with authentication events from service providers to identify the absence of AD FS authentication events, which may be a sign that a forged SAML response was used.
      4662 | Domain Controllers | This event is generated when the AD FS DKM container in Active Directory is accessed. The ‘Active Directory Service Access’ setting needs to be configured for auditing with ‘Read All Properties’ configured for the AD FS parent and child containers in Active Directory. This event should be monitored for the ‘thumbnailPhoto’ attribute with a Globally Unique Identifier (GUID) value matching ‘{8d3bca50-1d7e-11d0-a081-00aa006c33ed}’. This attribute GUID stores the DKM master key and should only be periodically accessed by the AD FS service account. Each time this event is generated, it should be analysed to determine if the activity was authorised.
      611 | Microsoft Entra Connect Servers | This event is generated when the PHS has failed. This event can be analysed to identify unusual password synchronisation activity that could indicate a compromise against Microsoft Entra Connect.
      650 | Microsoft Entra Connect Servers | This event is generated when password synchronisation starts retrieving updated passwords from Active Directory. This event can be analysed to identify unusual password synchronisation activity that could indicate a compromise against Microsoft Entra Connect.
      651 | Microsoft Entra Connect Servers | This event is generated when password synchronisation finishes retrieving updated passwords from Active Directory. This event can be analysed to identify unusual password synchronisation activity that could indicate a compromise against Microsoft Entra Connect.
      656 | Microsoft Entra Connect Servers | This event is generated when password synchronisation indicates that a password change occurred and there was an attempt to sync this password to Microsoft Entra ID. This event can be analysed to identify unusual password synchronisation activity that could indicate a compromise against Microsoft Entra Connect.
      657 | Microsoft Entra Connect Servers | This event is generated when a password change request is successfully sent to Microsoft Entra ID. This event can be analysed to identify unusual password synchronisation activity that could indicate a compromise against Microsoft Entra Connect.
      1102 | Microsoft Entra Connect Servers | This event is generated when the ‘Security’ audit log is cleared. To avoid detection, malicious actors may clear this audit log to remove any evidence of their activities. Analysing this event can assist in identifying if a Microsoft Entra Connect server has been compromised.
      4103 | Microsoft Entra Connect Servers | This event is generated when PowerShell executes and logs pipeline execution details. AADInternals, a popular toolkit used for exploiting Microsoft Entra Connect, uses PowerShell for its execution. This event can indicate the use of PowerShell-based malicious tools, which may assist in identifying if a malicious actor attempted to exploit Microsoft Entra Connect.
      4104 | Microsoft Entra Connect Servers | This event is generated when PowerShell executes code to capture scripts and commands. AADInternals, a popular toolkit used for exploiting Microsoft Entra Connect, uses PowerShell for its execution. This event can indicate the use of PowerShell-based malicious tools, which may assist in identifying if a malicious actor attempted to exploit Microsoft Entra Connect.
      1102 | Domain Controllers | This event is generated when the ‘Security’ audit log is cleared. To avoid detection, malicious actors may clear this audit log to remove any evidence of their activities. Analysing this event can assist in identifying if a Domain Controller has been compromised.
      4103 | Domain Controllers | This event is generated when PowerShell executes and logs pipeline execution details. Common malicious tools used to retrieve the TDO password hash, like Mimikatz, use PowerShell. Analysing this event for unusual PowerShell executions on Domain Controllers may indicate the TDO has been compromised.
      4104 | Domain Controllers | This event is generated when PowerShell executes code to capture scripts and commands. Common malicious tools used to retrieve the TDO password hash, such as Mimikatz, use PowerShell. Analysing this event for unusual PowerShell executions on Domain Controllers may indicate the TDO has been compromised.
      4768 | Domain Controllers in the trusted domain | This event is generated when a TGT is requested. After the TDO password hash has been retrieved, it is commonly used to request a TGT in the trusted domain. If the User ID value matches the TDO username, this may indicate the TDO has been compromised and a one-way domain trust bypass has occurred.
      1102 | Domain Controllers | This event is generated when the ‘Security’ audit log is cleared. To avoid detection, malicious actors may clear this audit log to remove any evidence of their activities. Analysing this event can assist in identifying if a Domain Controller has been compromised.
      4103 | Domain Controllers | This event is generated when PowerShell executes and logs pipeline execution details. Common malicious tools used to execute a SID History compromise, such as Mimikatz, use PowerShell. Analysing this event for PowerShell execution relating to SID History may indicate dumping of the ntds.dit file.
      4104 | Domain Controllers | This event is generated when PowerShell executes code to capture scripts and commands. Common malicious tools used to execute a SID History compromise, such as Mimikatz, use PowerShell. Analysing this event for PowerShell execution relating to SID History may indicate dumping of the ntds.dit file.
      4675 | Domain Controllers | This event is generated when SIDs are filtered. Domain hopping with Golden Tickets and SID History may use SIDs that get filtered. If this event is generated, it may indicate a SID History compromise has been attempted.
      4738 | Domain Controllers | This event is generated when the ‘sIDHistory’ attribute is modified for a user object.
      1102 | Domain Controllers | This event is generated when the ‘Security’ audit log is cleared. To avoid detection, malicious actors may clear this audit log to remove any evidence of their activities. Analysing this event can assist in identifying if a Domain Controller has been compromised.
      3033 | Domain Controllers | This event is generated when a driver fails to load because it does not meet Microsoft’s signing requirements. This indicates that a code integrity check determined that a process, usually LSASS.exe, attempted to load a driver that did not meet the Microsoft signing level requirements. These drivers fail to load if LSASS protection is enabled and should be audited prior to enabling protection. Furthermore, an unknown driver or plugin may indicate attempted tampering with the LSASS process.
      3063 | Domain Controllers | This event is generated when a driver failed to load because it did not meet the security requirements for shared sections. This indicates a code integrity check determined that a process, usually lsass.exe, attempted to load a driver that did not meet the security requirements for shared sections. These drivers will fail to load if LSASS protection is enabled, and should be audited, prior to enabling protection. An unknown driver or plugin may also indicate attempted tampering with the LSASS process.
      4103 | Domain Controllers | This event is generated when PowerShell executes and logs pipeline execution details. Common malicious tools used to execute a Skeleton Key, such as Mimikatz, use PowerShell. Analysing this event for PowerShell execution relating to a Skeleton Key may indicate a compromise.
      4104 | Domain Controllers | This event is generated when code is executed by PowerShell, capturing scripts and the commands run. Abnormal script execution should be investigated, noting that PowerShell-based tools such as Invoke-Mimikatz can be utilised to deploy a Skeleton Key without having to copy any files onto the Domain Controller.
      4663 | Domain Controllers | This event is generated when an attempt was made to access an object. If ‘Kernel Object Auditing’ is enabled, this will include logging when a process attempts to access the memory of the LSASS process.

      This is the most direct indicator of tampering with the LSASS process. Any event with the object as ‘lsass.exe’ from an unexpected process (including remote administrative tools such as PowerShell Remoting [wsmprovhost.exe]) could indicate the deployment of a Skeleton Key.

      Certain antivirus or endpoint solutions may access the LSASS process; therefore it is important to determine what security solutions are present and expected on the host.
      4673 | Domain Controllers | This event is generated when a privileged service is called. This event triggers when the ‘SeDebugPrivilege’ privilege is enabled, which is required to successfully execute a Skeleton Key. This event also triggers when the ‘SeTCBPrivilege’ privilege is used. The ‘SeTCBPrivilege’ privilege allows for the impersonation of the system account and is often requested by Mimikatz.
      4697 | Domain Controllers | This event is generated when a service has been installed on the system. If this is an unknown kernel mode driver it may indicate a malicious or vulnerable driver being leveraged for exploitation, such as to bypass LSA protection. A service type field of ‘0x1’ or ‘0x2’ can indicate kernel driver services. Services are also installed with the use of some remoting tools, such as PSExec.
      4703 | Domain Controllers | This event is generated when a user right is adjusted. The addition of the ‘SeDebugPrivilege’ privilege, or other sensitive privileges such as ‘SeTCBPrivilege’, for an account may indicate attempts to deploy a Skeleton Key.
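Whatever Defender for Identity alerts on, several rows of the table above (Kerberoasting via 4769, the 4768/4769 correlation for a forged TGT, password spraying via 4625/4771, and DCSync via 4662) can be checked independently against exported Security-log events. The following is an added example, not code from the original post and not how Defender for Identity implements its detections. It is Python over constructed sample records; the exclusion of computer accounts and krbtgt from the Kerberoasting check, the 10-hour TGT correlation window and the five-users-in-five-minutes spray threshold are assumptions of this example, not statements from the post:

```python
# Added example (not from the original post, not Defender for Identity's own logic):
# heuristics for four indicators from the event table, run over constructed,
# simplified Security-log records. Field names follow the 4768/4769/4625/4771/4662
# schema where possible; a real pipeline would feed them from a SIEM or EVTX export.
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"                                        # Ticket Encryption Type for RC4
KERBEROAST_TICKET_OPTIONS = {"0x40800000", "0x40810000"}
DCSYNC_RIGHTS = {                                        # 4662 'Properties' GUIDs from the table
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",              # DS-Replication-Get-Changes-All
    "19195a5b-6da0-11d0-afd3-00c04fd930c9",              # Domain-DNS class WRITE_DAC
    "89e95b76-444d-4c62-991a-0facbeda640c",              # DS-Replication-Get-Changes-In-Filtered-Set
}

def account(name):
    """Normalise 'user@REALM' (4769) and 'user' (4768) to one comparable key."""
    return name.split("@")[0].lower()

def detect_kerberoasting(events):
    """4769 with RC4 and a Ticket Options value used by roasting tools -> [(user, spn)]."""
    hits = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        spn = e["ServiceName"]
        # Noise filter (assumption, not from the post): computer accounts and krbtgt have
        # random keys, so RC4 tickets for them are not a crackable Kerberoasting target.
        if spn.endswith("$") or spn.lower().startswith("krbtgt"):
            continue
        if e.get("TicketEncryptionType") == RC4_HMAC and e.get("TicketOptions") in KERBEROAST_TICKET_OPTIONS:
            hits.append((e["TargetUserName"], spn))
    return hits

def detect_tgs_without_tgt(events, window=timedelta(hours=10)):
    """4769 whose account shows no 4768 within the preceding `window` (possible forged TGT).
    10 h is the default maximum user ticket lifetime (assumed Kerberos policy)."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768:
            tgt_times[account(e["TargetUserName"])].append(e["Time"])
    suspicious = []
    for e in events:
        if e["EventID"] == 4769:
            user = account(e["TargetUserName"])
            if not any(timedelta(0) <= e["Time"] - t <= window for t in tgt_times.get(user, [])):
                suspicious.append(user)
    return suspicious

def detect_password_spray(events, window=timedelta(minutes=5), min_users=5):
    """Failures (4625, or 4771 with Failure Code 0x18) from one source IP against many
    distinct users inside `window` -> {source_ip: max distinct users seen in a window}."""
    by_source = defaultdict(list)
    for e in events:
        if e["EventID"] == 4625 or (e["EventID"] == 4771 and e.get("Status") == "0x18"):
            by_source[e["IpAddress"]].append((e["Time"], account(e["TargetUserName"])))
    flagged = {}
    for ip, attempts in by_source.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):                 # sliding time window over sorted attempts
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            distinct = len({user for _, user in attempts[start:end + 1]})
            if distinct >= min_users:
                flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged

def detect_dcsync(events, dc_accounts):
    """4662 carrying a replication right, requested by a subject that is not a DC machine account."""
    return [e["SubjectUserName"] for e in events
            if e["EventID"] == 4662
            and DCSYNC_RIGHTS & set(e.get("Properties", []))
            and e["SubjectUserName"] not in dc_accounts]

# ---- constructed sample data (not real telemetry) ---------------------------------------
T0 = datetime(2024, 10, 31, 9, 0, 0)

def ev(event_id, offset_s, **fields):
    return {"EventID": event_id, "Time": T0 + timedelta(seconds=offset_s), **fields}

DOMAIN_CONTROLLER_ACCOUNTS = {"DC01$", "DC02$"}
SAMPLE_EVENTS = [
    # benign: TGT, then an AES (0x12) service ticket
    ev(4768, 0, TargetUserName="alice", IpAddress="10.0.0.21"),
    ev(4769, 5, TargetUserName="alice@CORP.LOCAL", ServiceName="cifs/fs01",
       TicketEncryptionType="0x12", TicketOptions="0x40810000", IpAddress="10.0.0.21"),
    # Kerberoasting pattern: RC4 service ticket with a tool-default Ticket Options value
    ev(4768, 60, TargetUserName="bob", IpAddress="10.0.0.55"),
    ev(4769, 65, TargetUserName="bob@CORP.LOCAL", ServiceName="MSSQLSvc/db01",
       TicketEncryptionType="0x17", TicketOptions="0x40800000", IpAddress="10.0.0.55"),
    # service ticket for an account with no TGT request on record
    ev(4769, 120, TargetUserName="svc_backup@CORP.LOCAL", ServiceName="cifs/dc01",
       TicketEncryptionType="0x12", TicketOptions="0x40810000", IpAddress="10.0.0.99"),
    # spray: six 4625s plus one 4771/0x18, seven distinct users, one source, about a minute
    *[ev(4625, 200 + i * 10, TargetUserName=f"user{i}", IpAddress="10.0.0.77") for i in range(6)],
    ev(4771, 260, TargetUserName="user6", IpAddress="10.0.0.77", Status="0x18"),
    # replication rights: expected from a DC account, suspicious from a user account
    ev(4662, 400, SubjectUserName="DC01$", Properties=["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]),
    ev(4662, 410, SubjectUserName="bob",
       Properties=["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2", "89e95b76-444d-4c62-991a-0facbeda640c"]),
]

if __name__ == "__main__":
    print(detect_kerberoasting(SAMPLE_EVENTS), detect_tgs_without_tgt(SAMPLE_EVENTS),
          detect_password_spray(SAMPLE_EVENTS), detect_dcsync(SAMPLE_EVENTS, DOMAIN_CONTROLLER_ACCOUNTS))
```

The thresholds are starting points to tune per environment: the spray window and user count should sit just above what service accounts and mistyped passwords produce on a normal day, and the TGT window has to match the domain's actual ticket lifetime policy or legitimate long-lived sessions will be flagged. The DCSync check depends on the exclusion list of domain controller accounts being complete, since the table's own rule is "not generated by a Domain Controller".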
