Feb 20 2018
- last edited on
Nov 30 2021
I'm using 1.8.6645.28499.
I had a "Kerberos Golden Ticket activity" alert generated last week. It said a Kerberos ticket had been in use for 5 days,
start time: 17/02/2018 02:05:47.461
end time: 22/02/2018 03:13:13.613.
You will notice that today is 20/02/2018: 20th Feb. So, it is saying that the end time of the activity that generated the alert is 2 days in the future from today.
If I download the detail and look on the "Network Activities" tab, there are only 2 records, and they have timestamps of:
How was this alert generated?
Feb 20 2018 12:54 AM
Any chance the involved DC or Gateway experienced a time sync issue? Is one of them a VM that was in a saved state?
Feb 20 2018 01:40 AM
There is a Light Gateway installed on the DC. The DC is a virtual machine.
If I check the DC event logs, System, and sort by date descending, there are no logs timestamped in the future. The last reboot according to this log was 24 Jan, and I have continuous logs since that date which shows the machine has always been up and running. The current time in the server is correct. If I filter on source: Kernel-General, Event ID 1 ("the system time has changed"), the last time the time was changed was 24 Jan, and that was a microsecond correction. If I look at the events 17 Feb 02:00 - 04:00, I have some for 02:05:25 but that's just normal Windows activity: Group Policy applying, "The Network Connectivity Assistant service entered the stopped state.", "The Windows Update service entered the running state.", "The Portable Device Enumerator Service service entered the running state.", "The Portable Device Enumerator Service service entered the stopped state."
If I check the Gateway-Errors log on the DC, the only entry on 17 Feb is at 18:05, and it's unrelated.
If I check the Gateway-Resolution log, I can find the alerting computer in there, and the records around the timestamp for it are 17 Feb 02:04:39 and 02:10:07, both "Resolved using RPC NTLM". This repeats every few minutes.
I can't find any record that would cause this alert with this timestamp, and the DC has always had the correct time, and it has been up and running continuously with no time change since 24 Jan.
Where does the "End Date" value come from on the detail download? It does not match the timestamp of the latest event on the Network Activities tab.
Feb 20 2018 01:58 AM
In the Network Activities tab, go to the JSON column, and inside the JSON dump look for a field called "DomainControllerStartTime" - what does it say?
Feb 20 2018 02:21 AM
For the two records in this tab I have:
"StartTime" : "2018/02/17T02:05:53.6065958Z",
"EndTime" : "2018/02/17T02:05:53.61131Z",
"DomainControllerStartTime" : "2018/02/17T02:05:47.4612959Z"
"StartTime" : "2018/02/17T02:12:31.4379136Z",
"EndTime" : "2018/02/17T02:12:31.4390722Z",
"DomainControllerStartTime" : "2018/02/22T03:13:13.6135161Z"
(I had to change "-" to "/" in the date format because the forum wouldn't let me post)
Feb 20 2018 02:35 AM
So the last line is the cause for the future date.
For some reason, the GW thought at some point it had a 5 day diff from the DC service's timestamp, and it tried to adjust. In this case it was obviously wrong.
We need to research why it could happen.
@Tali Ash Can you help make sure we track this internally?
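The thread's findings imply that the alert's start and end are the minimum and maximum DomainControllerStartTime across the activity records, so one record whose DC-side timestamp disagrees with the gateway-side StartTime is enough to push the alert end date into the future. The script below is an added example, not code from the product or from anyone in this thread: it parses records shaped like the two the poster quoted (values copied from the thread, with the "/" separators the forum forced restored to ISO 8601), rebuilds the alert span, and flags any record whose DC timestamp is more than a few minutes off its own gateway StartTime. The record field names are taken from the thread; the five-minute tolerance and the assumption that the span is min/max of DomainControllerStartTime are mine.

```python
"""Check exported "Network Activities" JSON records for the gateway-vs-DC clock
skew discussed in this thread. Added example; not product code."""
from datetime import datetime, timedelta, timezone

# Constructed sample: the two records quoted in the thread, with the date
# separators converted back from "/" to "-" (ISO 8601 basic form).
SAMPLE_RECORDS = [
    {"StartTime": "2018-02-17T02:05:53.6065958Z",
     "EndTime": "2018-02-17T02:05:53.61131Z",
     "DomainControllerStartTime": "2018-02-17T02:05:47.4612959Z"},
    {"StartTime": "2018-02-17T02:12:31.4379136Z",
     "EndTime": "2018-02-17T02:12:31.4390722Z",
     "DomainControllerStartTime": "2018-02-22T03:13:13.6135161Z"},
]


def parse_ts(value):
    """Parse 'YYYY-MM-DDTHH:MM:SS.fffffffZ' (7 fractional digits, as in the
    export) into an aware UTC datetime. strptime's %f takes at most 6 digits,
    so the fraction is padded or truncated to microseconds."""
    body = value.rstrip("Z")
    date_part, time_part = body.split("T")
    if "." in time_part:
        hms, frac = time_part.split(".")
        time_part = f"{hms}.{(frac + '000000')[:6]}"
    else:
        time_part += ".000000"
    return datetime.strptime(f"{date_part}T{time_part}",
                             "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)


def alert_span(records):
    """Alert start/end as the thread's values imply: min and max of the
    DC-side DomainControllerStartTime over all activity records (assumption)."""
    dc_times = [parse_ts(r["DomainControllerStartTime"]) for r in records]
    return min(dc_times), max(dc_times)


def skew_offsets(records):
    """Per-record offset of the DC-side timestamp from the gateway-side
    StartTime (positive means the DC time is ahead of the gateway time)."""
    return [parse_ts(r["DomainControllerStartTime"]) - parse_ts(r["StartTime"])
            for r in records]


def find_skewed_records(records, tolerance=timedelta(minutes=5)):
    """Indices of records whose DC timestamp and gateway StartTime disagree by
    more than the tolerance. Kerberos itself tolerates about 5 minutes of skew,
    which is why that is the default here (my choice, not the product's)."""
    return [i for i, off in enumerate(skew_offsets(records)) if abs(off) > tolerance]


def alert_ends_in_future(records, now):
    """True when the rebuilt alert end lies after the supplied reference time."""
    return alert_span(records)[1] > now


if __name__ == "__main__":
    start, end = alert_span(SAMPLE_RECORDS)
    print(f"alert span: {start:%d/%m/%Y %H:%M:%S} -> {end:%d/%m/%Y %H:%M:%S}")
    offsets = skew_offsets(SAMPLE_RECORDS)
    for i in find_skewed_records(SAMPLE_RECORDS):
        r = SAMPLE_RECORDS[i]
        print(f"record {i}: DC time {r['DomainControllerStartTime']} is "
              f"{offsets[i]} off gateway StartTime {r['StartTime']}")
    now = datetime(2018, 2, 20, tzinfo=timezone.utc)
    print(f"end date is in the future relative to {now:%d/%m/%Y}: "
          f"{alert_ends_in_future(SAMPLE_RECORDS, now)}")
```

Run against the thread's two records it reproduces the 17/02 02:05:47 to 22/02 03:13:13 span from the original alert and singles out the second record, whose DC-side timestamp sits a little over five days ahead of the gateway-side StartTime taken seconds apart; on a real export, a record flagged this way is the first place to look before treating the alert end date as evidence of ticket lifetime.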
Feb 20 2018 02:44 AM
For info, here's the line from the Microsoft.Tri.Center log, desensitized:
2018/02/17 02:16:19.6492 4384 257 <some long guid> Info [GoldenTicketDetector] Suspicious usage of <machine name>'s Kerberos ticket, indicating a potential Golden Ticket attack, was detected.