False alert generated 5 days in the future


Hi.

I'm using 1.8.6645.28499.

I had a "Kerberos Golden Ticket activity" alert generated last week. It said a Kerberos ticket had been in use for 5 days,

start time: 17/02/2018  02:05:47.461

end time: 22/02/2018  03:13:13.613.

You will notice that today is 20/02/2018: 20th Feb. So, it is saying that the end time of the activity that generated the alert is 2 days in the future from today.

If I download the detail and look on the "Network Activities" tab, there are only 2 records, and they have timestamps of:

17/02/2018  02:05:53.606
17/02/2018  02:12:31.437

How was this alert generated?

7 Replies
Any chance the involved DC or Gateway experienced a time sync issue? Is one of them a VM that was in saved state?

There is a Light Gateway installed on the DC. The DC is a virtual machine.

If I check the DC event logs, System, and sort by date descending, there are no logs timestamped in the future. The last reboot according to this log was 24 Jan, and I have continuous logs since that date which show the machine has always been up and running. The current time in the server is correct. If I filter on source: Kernel-General, Event ID 1 ("the system time has changed"), the last time the time was changed was 24 Jan, and that was a microsecond correction. If I look at the events 17 Feb 02:00 - 04:00, I have some for 02:05:25 but that's just normal Windows activity: Group Policy applying, "The Network Connectivity Assistant service entered the stopped state.", "The Windows Update service entered the running state.", "The Portable Device Enumerator Service service entered the running state.", "The Portable Device Enumerator Service service entered the stopped state."

If I check the Gateway-Errors log on the DC, the only entry on 17 Feb is at 18:05, and it's unrelated.

If I check the Gateway-Resolution log, I can find the alerting computer in there, and the records around the timestamp for it are 17 Feb 02:04:39 and 02:10:07, both "Resolved using RPC NTLM". This repeats every few minutes.

I can't find any record that would cause this alert with this timestamp, and the DC has always had the correct time, and it has been up and running continuously with no time change since 24 Jan.

Where does the "End Date" value come from on the detail download? It does not match the timestamp of the latest event on the Network Activities tab.

In the Network Activities tab, go to the json column, and inside the json dump look for a field called "DomainControllerStartTime". What does it say?

For the two records in this tab I have:

"StartTime" : "2018/02/17T02:05:53.6065958Z",
"EndTime" : "2018/02/17T02:05:53.61131Z",

"DomainControllerStartTime" : "2018/02/17T02:05:47.4612959Z"


"StartTime" : "2018/02/17T02:12:31.4379136Z",
"EndTime" : "2018/02/17T02:12:31.4390722Z",

"DomainControllerStartTime" : "2018/02/22T03:13:13.6135161Z"

(I had to change "-" to "/" in the date format because the forum wouldn't let me post)

OK,

So the last line is the cause for the future date.

For some reason, the GW thought at some point it had a 5-day diff from the DC service's timestamp, and it tried to adjust. In this case it was obviously wrong.

We need to research why it could happen.

@Tali Ash Can you help making sure we track this internally?
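To see that mechanism in the two quoted records, here is a small triage script I added (not ATA's own code): it recomputes the ticket lifetime as the span of DomainControllerStartTime values, which reproduces the alert's reported start/end, and flags any activity whose DC-side timestamp is skewed from the gateway's StartTime. The 5-minute tolerance and the regex-based timestamp parsing are my assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Accepts "-" or "/" as the date separator: the forum forced the poster to
# swap them, and real ATA records use "-". Trailing "Z" is optional.
_TS = re.compile(r"^(\d{4})[-/](\d{2})[-/](\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z?$")


def parse_ts(value: str) -> datetime:
    """Parse an ATA/.NET timestamp; 7-digit fractions are truncated to microseconds."""
    m = _TS.match(value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    y, mo, d, h, mi, s, frac = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    return datetime(int(y), int(mo), int(d), int(h), int(mi), int(s),
                    micro, tzinfo=timezone.utc)


def ticket_lifetime(records):
    """(first, last) DomainControllerStartTime across the activities; this span
    is what the alert's start/end dates correspond to in the thread."""
    dc_times = [parse_ts(r["DomainControllerStartTime"]) for r in records]
    return min(dc_times), max(dc_times)


def skewed_records(records, tolerance=timedelta(minutes=5)):
    """Activities whose DC-side start time disagrees with the gateway-side
    StartTime by more than `tolerance`; returns (StartTime, skew) pairs."""
    found = []
    for r in records:
        skew = parse_ts(r["DomainControllerStartTime"]) - parse_ts(r["StartTime"])
        if abs(skew) > tolerance:
            found.append((r["StartTime"], skew))
    return found


# Constructed from the two JSON records quoted in the thread.
RECORDS = [
    {"StartTime": "2018-02-17T02:05:53.6065958Z",
     "EndTime": "2018-02-17T02:05:53.61131Z",
     "DomainControllerStartTime": "2018-02-17T02:05:47.4612959Z"},
    {"StartTime": "2018-02-17T02:12:31.4379136Z",
     "EndTime": "2018-02-17T02:12:31.4390722Z",
     "DomainControllerStartTime": "2018-02-22T03:13:13.6135161Z"},
]

if __name__ == "__main__":
    first, last = ticket_lifetime(RECORDS)
    print(f"ticket lifetime as the alert computes it: {first} -> {last} ({last - first})")
    for when, skew in skewed_records(RECORDS):
        print(f"activity at {when}: DomainControllerStartTime skewed by {skew}")
```

Only the second record is flagged, with a skew of just over five days, which is exactly the span the alert reported.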

For info, here's the line from the Microsoft.Tri.Center log, desensitized:

2018/02/17  02:16:19.6492  4384  257 <some long guid> Info [GoldenTicketDetector] Suspicious usage of <machine name>'s Kerberos ticket, indicating a potential Golden Ticket attack, was detected.

Yes, we will investigate it.