Forum Newbie
      
Group: Forum Members
Last Login: 4/25/2018 9:44:19 AM
Posts: 2,
Visits: 0
We received this alarm in our SIEM today and I am trying to determine if it is "noise" or not.
Log message:
46490InformationOther Logon/Logoff EventsInfoAudit Failure79125070Securityservername
A replay attack was detected.

Subject:
    Security ID:        NT AUTHORITY\SYSTEM
    Account Name:       SERVERNAME$
    Account Domain:     DOMAIN
    Logon ID:           0x3E7

Credentials Which Were Replayed:
    Account Name:       HealthMailbox5a21d32
    Account Domain:     DOMAIN

Process Information:
    Process ID:         0x673b81d620
    Process Name:       C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:   -

Detailed Authentication Information:
    Request Type:       KRB_AP_REQ
    Logon Process:      Kerberos
    Authentication Package: Kerberos
    Transited Services: -

This event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.
Forum Newbie
      
Group: Forum Members
Last Login: 4/25/2018 9:44:19 AM
Posts: 2,
Visits: 0
Kerberos KRB_AP_REQ C:\Windows\System32\inetsrv\w3wp.exe
Attack
Replay Activity
56
4649
EVID 4649 : Replay Attack Detected
replay attack
healthmailboxXXXXXX
Supreme Being
      
Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237,
Visits: 0
I would check the routing and timing on the hosts involved. I have not seen this particular event associated with known attacks. This event will be triggered when the same exact request is seen twice. It could be an anomaly based on network configurations if it is not consistently generated.
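
A triage sketch for the "consistently generated" question above, as an added example that is not part of the original thread: it parses 4649 messages in the escaped `\r`/`\t` form shown in the first post and counts replays per replayed account and process across distinct hours. The shortened sample message, the timestamps, the `constructed-user` account and the `min_hours` cut-off are constructed assumptions, and the "recurring"/"sporadic" label only describes frequency.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _field(label, block):
    # Values end at a literal "\r" that is followed by another "\r" or "\t",
    # so backslashes inside Windows paths do not cut the value short.
    m = re.search(re.escape(label) + r":(?:\\t)+(.+?)\\r(?=\\r|\\t)", block)
    return m.group(1) if m else None

def parse_4649(message):
    """Pull triage fields out of a 4649 message with literal \\r / \\t escapes."""
    # Split at this header so the replayed account is not confused with the
    # Subject, which is the machine account of the reporting server.
    subject, _, rest = message.partition("Credentials Which Were Replayed:")
    return {
        "host_account": _field("Account Name", subject),
        "replayed_account": _field("Account Name", rest),
        "process": _field("Process Name", rest),
        "request_type": _field("Request Type", rest),
    }

def summarize(events, min_hours=3):
    """Group (timestamp, message) pairs by replayed account and process.
    min_hours is an assumed cut-off for calling a group 'recurring'."""
    groups = defaultdict(list)
    for ts, msg in events:
        f = parse_4649(msg)
        groups[(f["replayed_account"], f["process"])].append(ts)
    report = {}
    for key, stamps in groups.items():
        hours = {t.replace(minute=0, second=0, microsecond=0) for t in stamps}
        pattern = "recurring" if len(hours) >= min_hours else "sporadic"
        report[key] = {"count": len(stamps), "distinct_hours": len(hours), "pattern": pattern}
    return report

# Constructed sample: the message text from the first post, shortened.
SAMPLE = (r"A replay attack was detected.\r\rSubject:\r\tAccount Name:\t\tSERVERNAME$"
          r"\r\tAccount Domain:\t\tDOMAIN\r\rCredentials Which Were Replayed:"
          r"\r\tAccount Name:\t\t{acct}\r\tAccount Domain:\t\tDOMAIN\r\rProcess Information:"
          r"\r\tProcess Name:\t\tC:\Windows\System32\inetsrv\w3wp.exe\r\rDetailed "
          r"Authentication Information:\r\tRequest Type:\t\tKRB_AP_REQ\r\tLogon Process:\t\tKerberos\r\r")
BASE = datetime(2018, 4, 25, 6, 0)  # constructed timestamps
EVENTS = [(BASE + timedelta(hours=h), SAMPLE.format(acct="HealthMailbox5a21d32")) for h in range(5)]
EVENTS.append((BASE, SAMPLE.format(acct="constructed-user")))

if __name__ == "__main__":
    for key, stats in summarize(EVENTS).items():
        print(key, stats)
```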