Mapping Active Directory Authentication and Account Management Events to MITRE ATT&CK TTPs
Use of compromised or fraudulent credentials is a disproportionate hot spot in threat reports, so it makes sense to look for it in your threat hunting. But where do you start? The answer is MITRE ATT&CK. In this real training for free session we will identify the tactics, techniques and procedures (TTPs) in attacks where compromised and fraudulent credentials feature.
In this highly technical event, we roll up our sleeves and get our hands dirty with account management events like 4720 and authentication events like:
– 4768 – A Kerberos authentication ticket (TGT) was requested
– 4769 – A Kerberos service ticket was requested
– 4771 – Kerberos pre-authentication failed
In this session, we close the loop between MITRE ATT&CK TTPs and deep analysis of AD security events to recognize malicious activity that is difficult to distinguish from innocent day-to-day operations. Additionally, Andy Skrei of Exabeam will show you an array of Exabeam’s Threat Hunter queries that automate the analytics we’ve shown you, to find credential-related attacks against AD using these events from the Security Log.
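As an added example that is not part of the session material or Exabeam's queries, the following Python sketch applies detection logic of this kind to constructed sample records for the four event IDs above (4720, 4768, 4769, 4771) and maps each hit to an ATT&CK technique ID; the field names mirror the Security Log event data, while the spraying threshold and the choice of indicators are assumptions chosen for illustration.

```python
from collections import defaultdict

# Constructed sample events (not real log data); keys follow the Security Log event fields.
EVENTS = [
    {"EventID": 4771, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "Status": "0x18"},
    {"EventID": 4771, "TargetUserName": "bob", "IpAddress": "10.0.0.5", "Status": "0x18"},
    {"EventID": 4771, "TargetUserName": "carol", "IpAddress": "10.0.0.5", "Status": "0x18"},
    {"EventID": 4771, "TargetUserName": "dave", "IpAddress": "10.0.0.9", "Status": "0x18"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "svc_sql", "TicketEncryptionType": "0x17"},
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "WS01$", "TicketEncryptionType": "0x12"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0", "TicketEncryptionType": "0x17"},
    {"EventID": 4720, "TargetUserName": "helpdesk2", "SubjectUserName": "alice"},
]

SPRAY_MIN_ACCOUNTS = 3  # assumed threshold: distinct accounts failing pre-auth from one source IP


def hunt(events):
    """Return a list of (attack_technique_id, description) findings for the given events."""
    findings = []
    failed_by_ip = defaultdict(set)
    for e in events:
        eid = e["EventID"]
        if eid == 4771 and e.get("Status") == "0x18":
            # 0x18 = KDC_ERR_PREAUTH_FAILED (wrong password); collect per source for spraying check
            failed_by_ip[e["IpAddress"]].add(e["TargetUserName"])
        elif eid == 4769 and e.get("TicketEncryptionType") == "0x17":
            # RC4 service ticket for a non-computer, non-krbtgt service: Kerberoasting candidate
            svc = e["ServiceName"]
            if not svc.endswith("$") and svc.lower() != "krbtgt":
                findings.append(("T1558.003", f"RC4 service ticket for {svc} requested by {e['TargetUserName']}"))
        elif eid == 4768 and e.get("PreAuthType") == "0" and e.get("TicketEncryptionType") == "0x17":
            # TGT issued without pre-authentication and with RC4: AS-REP roasting candidate
            findings.append(("T1558.004", f"AS-REP without pre-auth for {e['TargetUserName']}"))
        elif eid == 4720:
            # Any account creation is worth reviewing against change records
            findings.append(("T1136.002", f"account {e['TargetUserName']} created by {e['SubjectUserName']}"))
    for ip, users in failed_by_ip.items():
        if len(users) >= SPRAY_MIN_ACCOUNTS:
            findings.append(("T1110.003", f"{len(users)} accounts failed pre-auth from {ip}"))
    return findings


if __name__ == "__main__":
    for technique, detail in hunt(EVENTS):
        print(technique, detail)
```

Real hunts would read the events from the Security Log (for example via Windows Event Forwarding or a SIEM) and tune the thresholds to the environment's baseline.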