Description
This bundle finds weak encryption algorithms in Kerberos connections, tracks usage of Kerberos services, and detects forged ticket-granting tickets (TGTs) that might allow attackers to escalate privileges or access Kerberos services.
Note: The bundle might report false positives for forged tickets while the bundle initially caches tickets. By default, the trigger caches tickets for 24 hours, but this value can be changed to match your Kerberos ticket renewal time policy by modifying the renewal_time variable in the Kerberos Threat Detection trigger.
Bundle Contents
- (1) Trigger
  - Kerberos Threat Detection
- (1) Dashboard
  - Kerberos Threat Detection
- (1) Dynamic Group
  - Kerberos Clients
Requirements
ExtraHop version 6.2.4 or later
Installation Instructions
1. Download the bundle on this page.
2. Log into the ExtraHop Web UI and complete the following procedures:
   * Upload and apply a bundle - When applying the bundle, check the Apply included assignments checkbox.
   * In the Kerberos Attack Detection trigger, set the renewal_time variable to your Kerberos ticket renewal time setting before enabling the trigger.
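Why the renewal_time setting and the initial caching period affect false positives, shown as an added example that is not the bundle's trigger code. It assumes detection works by remembering tickets seen in KDC replies and flagging presented tickets that are not in the cache; the event shape, ticket ids, client addresses and verdict names are hypothetical.

```javascript
// Simplified model of cache-based forged-ticket detection. Assumed logic for
// illustration; this is not the bundle's trigger code or an ExtraHop API.
const H = 60 * 60 * 1000;    // one hour in milliseconds
const RENEWAL_TIME = 24 * H; // mirrors the 24-hour default described above

function createDetector(startTs, renewalTime = RENEWAL_TIME) {
  const issued = new Map(); // ticket id -> time the KDC was seen issuing it
  return {
    // Hypothetical event shape: { type, ticket, client, ts }
    observe(ev) {
      // Drop cache entries older than the renewal window.
      for (const [id, ts] of issued) {
        if (ev.ts - ts > renewalTime) issued.delete(id);
      }
      if (ev.type === 'AS-REP') {
        issued.set(ev.ticket, ev.ts);
        return null;
      }
      if (ev.type !== 'TGS-REQ' || issued.has(ev.ticket)) return null;
      // A TGT was presented that the monitor never saw issued. Until one full
      // renewal window has elapsed, it may simply predate the cache.
      const warmingUp = ev.ts - startTs < renewalTime;
      return warmingUp ? 'unverified-warmup' : 'possible-forged-tgt';
    },
  };
}

// Constructed sample events; ticket ids stand in for a hash of the ticket.
const SAMPLE_EVENTS = [
  { type: 'TGS-REQ', ticket: 'tgt-old', client: '10.0.0.5', ts: 1 * H },
  { type: 'AS-REP', ticket: 'tgt-b', client: '10.0.0.6', ts: 2 * H },
  { type: 'TGS-REQ', ticket: 'tgt-b', client: '10.0.0.6', ts: 3 * H },
  { type: 'TGS-REQ', ticket: 'tgt-b', client: '10.0.0.6', ts: 30 * H },
  { type: 'TGS-REQ', ticket: 'tgt-x', client: '10.0.0.7', ts: 200 * H },
];

// Replays the sample against a detector that started monitoring at ts = 0.
function runSample(renewalTime) {
  const detector = createDetector(0, renewalTime);
  return SAMPLE_EVENTS.map((ev) => detector.observe(ev));
}

console.log(runSample(24 * H));     // 24-hour window
console.log(runSample(7 * 24 * H)); // 7-day window
```

With the 24-hour window, the fourth event (a legitimate ticket still in use 28 hours after issue) is flagged because it has aged out of the cache; with a 7-day window it is not, which is why renewal_time should match the domain's ticket renewal policy.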