Kerberos Threat Detection

Description

This bundle finds weak encryption algorithms in Kerberos connections, tracks usage of Kerberos services, and detects forged ticket-granting tickets (TGTs) that might allow attackers to escalate privileges or access Kerberos services.

Note: The bundle might report false positives for forged tickets while the bundle initially caches tickets. By default, the trigger caches tickets for 24 hours, but this value can be changed to match your Kerberos ticket renewal time policy by modifying the renewal_time variable in the Kerberos Threat Detection trigger.

Bundle Contents

• (1) Trigger
  • Kerberos Threat Detection
• (1) Dashboard
  • Kerberos Threat Detection
• (1) Dynamic Group
  • Kerberos Clients

Requirements

ExtraHop version 6.2.4 or later

Installation Instructions

Installation Instructions

1. Download the bundle on this page
2. Log into the ExtraHop Web UI and complete the following procedures:
   • Upload and apply a bundle - When applying the bundle, check the Apply included assignments checkbox.
   • In the Kerberos Attack Detection trigger, set the renewal_time variable to your Kerberos ticket renewal time setting before enabling the trigger.