A replay attack was detected - Exchange...
Posted 9/21/2018 9:42:31 AM
Forum Newbie

Group: Forum Members
Last Login: 4/25/2018 9:44:19 AM
Posts: 2, Visits: 0
We received this alarm in our SIEM today and I am trying to determine if it is "noise" or not.

Log message:
46490InformationOther Logon/Logoff EventsInfoAudit Failure79125070SecurityservernameA replay attack was detected.\r\rSubject:\r\tSecurity ID:\t\tNT AUTHORITY\SYSTEM\r\tAccount Name:\t\tSERVERNAME$\r\tAccount Domain:\t\tDOMAIN\r\tLogon ID:\t\t0x3E7\r\rCredentials Which Were Replayed:\r\tAccount Name:\t\tHealthMailbox5a21d32\r\tAccount Domain:\t\tDOMAIN\r\rProcess Information:\r\tProcess ID:\t\t0x673b81d620\r\tProcess Name:\t\tC:\Windows\System32\inetsrv\w3wp.exe\r\rNetwork Information:\r\tWorkstation Name:\t-\r\rDetailed Authentication Information:\r\tRequest Type:\t\tKRB_AP_REQ\r\tLogon Process:\t\tKerberos\r\tAuthentication Package:\tKerberos\r\tTransited Services:\t-\r\rThis event indicates that a Kerberos replay attack was detected- a request was received twice with identical information. This condition could be caused by network misconfiguration.
Post #8505
Posted 9/21/2018 9:49:49 AM
Forum Newbie

Group: Forum Members
Last Login: 4/25/2018 9:44:19 AM
Posts: 2, Visits: 0
Kerberos KRB_AP_REQ C:\Windows\System32\inetsrv\w3wp.exe
Attack
Replay Activity
56
4649
EVID 4649 : Replay Attack Detected
replay attack
healthmailboxXXXXXX
Post #8506
Posted 9/29/2018 7:35:02 PM
Supreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 212, Visits: 0
I would check the routing and timing on the hosts involved. I have not seen this particular event associated with known attacks. This event will be triggered when the same exact request is seen twice. It could be an anomaly based on network configurations if it is not consistently generated.
Post #8510
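
The consistency check suggested in the reply above, as an added example that is not part of the original thread: it parses 4649 message bodies in the escaped form shown in the first post and counts how often, and on how many distinct days, each host / replayed-account / process combination recurs. The shortened message template, the timestamps and the account `constructed.user` are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed, shortened 4649 message body using the same literal "\r" and
# "\t" escapes as the SIEM log line in the first post.
TEMPLATE = (r"A replay attack was detected.\r\rSubject:\r\tAccount Name:\t\t{host}$"
            r"\r\rCredentials Which Were Replayed:\r\tAccount Name:\t\t{acct}"
            r"\r\rProcess Information:\r\tProcess Name:\t\t{proc}"
            r"\r\rDetailed Authentication Information:\r\tRequest Type:\t\tKRB_AP_REQ")
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"

# Constructed events: timestamps and "constructed.user" are made up.
SAMPLE = [
    ("2018-09-21T09:30:02", TEMPLATE.format(host="SERVERNAME", acct="HealthMailbox5a21d32", proc=W3WP)),
    ("2018-09-22T09:30:05", TEMPLATE.format(host="SERVERNAME", acct="HealthMailbox5a21d32", proc=W3WP)),
    ("2018-09-23T09:31:00", TEMPLATE.format(host="SERVERNAME", acct="HealthMailbox5a21d32", proc=W3WP)),
    ("2018-09-22T14:02:11", TEMPLATE.format(host="SERVERNAME", acct="constructed.user", proc=W3WP)),
]

def parse_4649(message):
    """Return {(section, field): value} from an escaped 4649 message body."""
    # Caveat: a value that itself contains "\r" or "\t" (for example a path
    # such as C:\temp) would be split by this unescaping step.
    text = message.replace("\\r", "\n").replace("\\t", "\t")
    fields, section = {}, None
    for line in text.split("\n"):
        if line.startswith("\t") and ":" in line:      # indented "Field:<tabs>value"
            key, _, value = line.strip().partition(":")
            fields[(section, key)] = value.strip()
        elif line.endswith(":"):                       # unindented "Section:" header
            section = line[:-1]
    return fields

def recurrence(events):
    """Map (host, replayed account, process) -> (event count, distinct days)."""
    seen = defaultdict(list)
    for timestamp, message in events:
        f = parse_4649(message)
        key = (f[("Subject", "Account Name")],
               f[("Credentials Which Were Replayed", "Account Name")],
               f[("Process Information", "Process Name")])
        seen[key].append(datetime.fromisoformat(timestamp).date())
    return {k: (len(days), len(set(days))) for k, days in seen.items()}

if __name__ == "__main__":
    for key, (count, days) in recurrence(SAMPLE).items():
        print(key, "events:", count, "distinct days:", days)
```

A combination that recurs across many days points to a consistently generated condition worth tracing on the hosts involved; a single occurrence is the kind of one-off the reply describes as a possible network anomaly.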
All times are GMT -5:00