-
Demystifying Sentinel SigninLogs
The SigninLogs table in Sentinel contains valuable data that many detection and hunting queries rely on. Misinterpreting that data, however, causes those queries to produce excessive false positives, which becomes a serious problem in large organizations.
-
Detecting ADCS attacks
You can detect an ADCS attack by monitoring Kerberos Event ID 4768 (TGT request) for events with ‘PreAuthType’ == ’16’ (TGT requested with a user certificate, i.e. PKINIT) and ‘TicketOptions’ starting with ‘0x4080’ (a value hard-coded in several attacker tools). PreAuthType 16 can probably be used as a detection on its own, but it still needs to be tested whether this gives false…
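The detection described above, as an added example that is not part of the original post and not the author's query: the same logic is written in Python so it runs offline over a handful of constructed 4768 events, while in Sentinel the equivalent filter would be applied to the SecurityEvent table in KQL. The field names (EventID, PreAuthType, TicketOptions, TargetUserName, IpAddress) are assumed to mirror the SecurityEvent columns for event 4768, and every event value below is constructed for illustration, including the assumption that a normal Windows smart-card logon requests a TGT with TicketOptions 0x40810010 rather than the 0x4080… prefix. The example also shows the difference between the strict rule (both conditions) and the broader PreAuthType-only rule the post says still needs testing.

```python
"""Detection logic for certificate-based TGT requests (Windows Security
event 4768 with PreAuthType 16), run over constructed sample events."""
from collections import Counter
from typing import Dict, Iterable, List

# Constructed sample events (not real telemetry). Keys are assumed to mirror
# the SecurityEvent columns Sentinel exposes for event 4768; values are
# illustrative assumptions, not captured data.
SAMPLE_4768_EVENTS: List[Dict[str, str]] = [
    # Ordinary password logon: PreAuthType 2 (encrypted timestamp), never a hit.
    {"EventID": "4768", "TargetUserName": "bob", "IpAddress": "10.0.0.21",
     "PreAuthType": "2", "TicketOptions": "0x40810010", "Status": "0x0"},
    # Assumed legitimate smart-card logon from a Windows workstation:
    # certificate pre-auth (16) but the usual Windows ticket options.
    {"EventID": "4768", "TargetUserName": "alice", "IpAddress": "10.0.0.34",
     "PreAuthType": "16", "TicketOptions": "0x40810010", "Status": "0x0"},
    # Certificate pre-auth with the 0x4080... options the post attributes to attacker tools.
    {"EventID": "4768", "TargetUserName": "alice", "IpAddress": "10.0.0.99",
     "PreAuthType": "16", "TicketOptions": "0x40800010", "Status": "0x0"},
    {"EventID": "4768", "TargetUserName": "svc-backup", "IpAddress": "10.0.0.99",
     "PreAuthType": "16", "TicketOptions": "0x40800000", "Status": "0x0"},
    # A 4771 (pre-auth failed) with the same fields: must be excluded by the EventID filter.
    {"EventID": "4771", "TargetUserName": "dave", "IpAddress": "10.0.0.50",
     "PreAuthType": "16", "TicketOptions": "0x40800010", "Status": "0x18"},
]


def is_cert_based_tgt_request(event: Dict[str, str]) -> bool:
    """True for a 4768 whose pre-authentication used a certificate (PA-PK-AS-REQ, type 16)."""
    return (str(event.get("EventID", "")) == "4768"
            and str(event.get("PreAuthType", "")).strip() == "16")


def has_tool_like_ticket_options(event: Dict[str, str], prefix: str = "0x4080") -> bool:
    """True when TicketOptions starts with the prefix the post associates with attacker tools."""
    return str(event.get("TicketOptions", "")).lower().startswith(prefix.lower())


def detect_adcs_tgt_requests(events: Iterable[Dict[str, str]],
                             require_ticket_options: bool = True) -> List[Dict[str, str]]:
    """Return events matching the detection.

    require_ticket_options=True is the strict rule from the post (PreAuthType 16
    AND TicketOptions startswith 0x4080); False is the broader PreAuthType-only
    rule, which also catches the assumed-legitimate smart-card logon.
    """
    hits: List[Dict[str, str]] = []
    for ev in events:
        if not is_cert_based_tgt_request(ev):
            continue
        if require_ticket_options and not has_tool_like_ticket_options(ev):
            continue
        hits.append(ev)
    return hits


def count_by_user(events: Iterable[Dict[str, str]]) -> Dict[str, int]:
    """Group matches by TargetUserName, a first step towards triaging volume per account."""
    return dict(Counter(ev.get("TargetUserName", "") for ev in events))


if __name__ == "__main__":
    strict = detect_adcs_tgt_requests(SAMPLE_4768_EVENTS)
    broad = detect_adcs_tgt_requests(SAMPLE_4768_EVENTS, require_ticket_options=False)
    print("strict rule hits:", count_by_user(strict))
    print("PreAuthType-only hits:", count_by_user(broad))
```

Run as a script it prints two hits for the strict rule and three for the PreAuthType-only rule; the extra hit is the constructed smart-card logon, which is exactly the kind of false positive the post says the looser rule still needs to be tested against.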