{"id":227378,"date":"2023-12-13T13:00:00","date_gmt":"2023-12-13T12:00:00","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=227378"},"modified":"2026-02-23T16:48:29","modified_gmt":"2026-02-23T16:48:29","slug":"kerberos_opsec_introduction","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_introduction\/","title":{"rendered":"Kerberos OPSEC: Offense &amp; Detection Strategies for Red and Blue Team \u2013 Introduction"},"content":{"rendered":"<p>We are starting a series of articles in which we share a summary of the OPSEC practices to be taken into account on the red team side, and the detection strategies that can be put in place by SOC teams to detect certain advanced techniques based on the Kerberos protocol.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_1\/\">Part 1: Kerberoasting<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_2_as_rep-roasting\/\">Part 2: AS-REP Roasting<\/a><\/li>\n<\/ul>\n\n\n\n<p><strong>Red teaming<\/strong> exercises simulate adversaries in order to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>identify compromise paths enabling access to sensitive assets;<\/li>\n\n\n\n<li>evaluate &amp; improve existing detection and response systems and procedures.<\/li>\n<\/ul>\n\n\n\n<p>In order to challenge the Blue Team, the Red Team must be discreet in achieving its objectives (e.g. obtaining customer data, an AWS tenant, an Active Directory domain, etc.). 
Red Team operators must therefore master the tools and techniques they use, and be able to modify them to leave as few traces as possible.<br>The term OPSEC (Operations Security) is used to describe the difficulty with which the red team&#039;s actions can be detected by the blue team.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-intrinsec-s-redteam\">Intrinsec&#039;s RedTeam<\/h2>\n\n\n\n<p>Intrinsec&#039;s RedTeam is dedicated to this activity, and uses its skills to perform <a href=\"https:\/\/www.intrinsec.com\/en\/red-team\/\">Red Teaming<\/a> exercises of varying lengths, from a few weeks to a few months, or in a more original setting through its \u00abTrophy Hunter\u00bb model, to extend the exercise over a year and use new exploits and opportunities as they arise. The business leverages the work of the <a href=\"https:\/\/www.intrinsec.com\/en\/cyber-threat-intelligence\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">CTI<\/a> team, shares common tools and invests significant R&amp;D time around its methods, tools and technical means to achieve its goals. The team also frequently collaborates during <a href=\"https:\/\/www.intrinsec.com\/en\/purple-team\/\">Purple Teaming<\/a> exercises with detection &amp; response teams to improve the efficiency of detection resources or operational business practices.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-what-is-kerberos\">What is Kerberos?<\/h2>\n\n\n\n<p>Kerberos is one of the authentication systems available in Active Directory environments. This protocol enables users and machines to authenticate themselves on the network and access services in an authenticated way. Kerberos is based on the use of Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS).<\/p>\n\n\n\n<p>In this article, we won&#039;t go into how the Kerberos protocol works. 
An explanation can be found in the following blog post: <a href=\"https:\/\/en.hackndo.com\/kerberos\/\">https:\/\/beta.hackndo.com\/kerberos\/<\/a>.<\/p>\n\n\n\n<p>During our Red Teams, we come across situations where attack techniques based on the Kerberos protocol are detected when carried out with well-known tools (e.g. the impacket suite, Rubeus, etc.). We have adapted our techniques and tools to stay under the Blue Team&#039;s radar, and then extended our recommendations to improve our customers&#039; detection strategies.<\/p>\n\n\n\n<p>Disclaimer:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>We will only be discussing the traces and effects of our actions in relation to Kerberos protocol techniques. In-memory evasion, signature evasion, etc. will not be considered;<\/li>\n\n\n\n<li>This article does not aim to explain attack techniques, nor to give recommendations for correcting configuration weaknesses. Here, we concentrate on OPSEC considerations and detection strategies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-kerberos-attacks\">Kerberos attacks<\/h3>\n\n\n\n<p>Kerberos offers a number of interesting possibilities from an attacker&#039;s point of view. 
A number of attacks and techniques can be carried out to exploit various scenarios, such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kerberoasting and AS-REP Roasting<\/li>\n\n\n\n<li>Golden, Silver and Diamond Tickets<\/li>\n\n\n\n<li>Delegation exploitation (constrained and unconstrained)<\/li>\n\n\n\n<li>Lateral movement<\/li>\n\n\n\n<li>Etc.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-supported-encryption-types\">Supported encryption types<\/h3>\n\n\n\n<p>To date, Active Directory offers five possible encryption types for encrypting ticket secrets (this may change in the future):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>DES_CBC_CRC<\/li>\n\n\n\n<li>DES_CBC_MD5<\/li>\n\n\n\n<li>RC4-HMAC-MD5 (enctype 23)<\/li>\n\n\n\n<li>AES128-CTS-HMAC-SHA1-96 (enctype 17) \u2013 with 4096 PBKDF2 HMAC-SHA1 rounds<\/li>\n\n\n\n<li>AES256-CTS-HMAC-SHA1-96 (enctype 18) \u2013 with 4096 PBKDF2 HMAC-SHA1 rounds<\/li>\n<\/ul>\n\n\n\n<p>Since <a href=\"https:\/\/learn.microsoft.com\/en-us\/windows\/security\/threat-protection\/security-policy-settings\/network-security-configure-encryption-types-allowed-for-kerberos\" target=\"_blank\" rel=\"nofollow noreferrer noopener\">Windows 2008 R2<\/a>, DES is disabled on all newly created accounts (but can be enabled for backward compatibility reasons). <a href=\"https:\/\/posts.specterops.io\/kerberoasting-revisited-d434351bd4d1\">By default<\/a>, the RC4_HMAC_MD5 algorithm is used to encrypt the secrets of domain user accounts (AES128 and AES256 can be enabled but are not enabled by default, for backward compatibility reasons), with the exception of the krbtgt account secret, used to encrypt TGTs, which is encrypted by default with AES if the domain&#039;s functional level is 2008 or higher (and its password has been changed after upgrading to 2008 or higher). 
Note that for domain computer accounts, AES is the default.<\/p>\n\n\n\n<p>To demonstrate this, we will add an SPN to the GALAXY\\Qi-Ra account:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"751\" height=\"225\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image.png\" alt=\"\" class=\"wp-image-231464\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image.png 751w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-300x90.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-650x195.png 650w\" sizes=\"(max-width: 751px) 100vw, 751px\" \/><\/figure>\n\n\n\n<p>If we query the msDS-SupportedEncryptionTypes attribute, it will not appear:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"676\" height=\"206\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-1.png\" alt=\"\" class=\"wp-image-231465\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-1.png 676w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-1-300x91.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-1-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-1-650x198.png 650w\" sizes=\"(max-width: 676px) 100vw, 676px\" \/><\/figure>\n\n\n\n<p>However, if we check in the advanced account options via the admin console, we can see that AES and DES are not enabled:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"410\" height=\"559\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-2.png\" alt=\"\" class=\"wp-image-231466\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-2.png 410w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-2-220x300.png 220w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-2-9x12.png 9w\" sizes=\"(max-width: 410px) 100vw, 410px\" \/><\/figure>\n\n\n\n<p>This means that RC4 is used by default. In order to use the most secure algorithms (AES128 and AES256), it is necessary to tick the corresponding boxes, as can be seen in the advanced options of the GALAXY\\R5-D4 account:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"412\" height=\"556\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-3.png\" alt=\"\" class=\"wp-image-231467\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-3.png 412w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-3-222x300.png 222w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-3-9x12.png 9w\" sizes=\"(max-width: 412px) 100vw, 412px\" \/><\/figure>\n\n\n\n<p>Thus, if we query the msDS-SupportedEncryptionTypes attribute:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"698\" height=\"223\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-4.png\" alt=\"\" class=\"wp-image-231468\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-4.png 698w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-4-300x96.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-4-18x6.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-4-650x208.png 650w\" sizes=\"(max-width: 698px) 100vw, 698px\" \/><\/figure>\n\n\n\n<p>We can see that it is indeed present and that its value is 24, i.e. 8 + 16, which corresponds to support for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AES128 (8)<\/li>\n\n\n\n<li>AES256 (16)<\/li>\n<\/ul>\n\n\n\n<p>If the account <strong>only<\/strong> supported AES256, the value 
would be <strong>16<\/strong>.<\/p>\n\n\n\n<p>So when we request a ticket for the service associated with this account, we will be able to choose the algorithm to be used, knowing that by default the strongest one offered will be used, in this case AES256.<\/p>\n\n\n\n<p>For more details, see the <a href=\"https:\/\/techcommunity.microsoft.com\/t5\/core-infrastructure-and-security\/decrypting-the-selection-of-supported-kerberos-encryption-types\/ba-p\/1628797\">Microsoft official documentation<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-ticket-options\">Ticket options<\/h3>\n\n\n\n<p>Ticket requests have a number of possible options depending on the needs a user or application might have. These options are represented on 32 bits, each bit corresponding to the flag of a different option. The options are as follows:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Bit<\/td><td>Flag<\/td><\/tr><tr><td>0<\/td><td>Reserved<\/td><\/tr><tr><td>1<\/td><td>Forwardable<\/td><\/tr><tr><td>2<\/td><td>Forwarded<\/td><\/tr><tr><td>3<\/td><td>Proxiable<\/td><\/tr><tr><td>4<\/td><td>Proxy<\/td><\/tr><tr><td>5<\/td><td>Allow Postdate<\/td><\/tr><tr><td>6<\/td><td>Postdated<\/td><\/tr><tr><td>7<\/td><td>Unused<\/td><\/tr><tr><td>8<\/td><td>Renewable<\/td><\/tr><tr><td>9<\/td><td>Unused<\/td><\/tr><tr><td>10<\/td><td>Unused<\/td><\/tr><tr><td>11<\/td><td>Optional Hardware Authentication<\/td><\/tr><tr><td>12<\/td><td>Unused<\/td><\/tr><tr><td>13<\/td><td>Unused<\/td><\/tr><tr><td>14<\/td><td>Undefined<\/td><\/tr><tr><td>15<\/td><td>Canonicalize<\/td><\/tr><tr><td>16<\/td><td>Undefined<\/td><\/tr><tr><td>17<\/td><td>Undefined<\/td><\/tr><tr><td>18<\/td><td>Undefined<\/td><\/tr><tr><td>19<\/td><td>Undefined<\/td><\/tr><tr><td>20<\/td><td>Undefined<\/td><\/tr><tr><td>21<\/td><td>Undefined<\/td><\/tr><tr><td>22<\/td><td>Undefined<\/td><\/tr><tr><td>23<\/td><td>Undefined<\/td><\/tr><tr><td>24<\/td><td>Undefined<\/td><\/tr><tr><td>25<\/td><td>Undefined<\/td><\/tr><tr><td>26<\/td><td>Disable Transited Check<\/td><\/tr><tr><td>27<\/td><td>Renewable OK<\/td><\/tr><tr><td>28<\/td><td>Encrypt Ticket in Server Key<\/td><\/tr><tr><td>29<\/td><td>Undefined<\/td><\/tr><tr><td>30<\/td><td>Renew<\/td><\/tr><tr><td>31<\/td><td>Validate<\/td><\/tr><\/tbody><\/table><figcaption class=\"wp-element-caption\">Kerberos Ticket options<\/figcaption><\/figure>\n\n\n\n<p>It&#039;s important to know that ticket options are encoded in big endian, so bit 0 is the leftmost bit of the string.<\/p>\n\n\n\n<p>In an ordinary ticket request, the following option string can be seen in the ticket request:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"510\" height=\"416\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-5.png\" alt=\"\" class=\"wp-image-231469\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-5.png 510w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-5-300x245.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-5-15x12.png 15w\" sizes=\"(max-width: 510px) 100vw, 510px\" \/><\/figure>\n\n\n\n<p>If we convert <strong>0x40810000<\/strong> into binary, it gives, in big endian:<\/p>\n\n\n\n<blockquote class=\"wp-block-quote is-layout-flow wp-block-quote-is-layout-flow\">\n<p>01000000 10000001 00000000 00000000<\/p>\n<\/blockquote>\n\n\n\n<p>Reading this from left to right, with bit numbering starting at 0, gives the following options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1: Forwardable<\/li>\n\n\n\n<li>8: Renewable<\/li>\n\n\n\n<li>15: Canonicalize<\/li>\n<\/ul>\n\n\n\n<p>For more details, check the <a href=\"https:\/\/www.rfc-editor.org\/rfc\/rfc4120#section-5.4.1\">corresponding RFC<\/a>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-demo-context\">Demo context<\/h3>\n\n\n\n<p>Unless explicitly stated otherwise, the GALAXY.LAN domain user account we&#039;ll be using for the demos is C3-PO. This user is not a local administrator on the victim machine (GAL-NABOO). The actions are performed from a Cobalt Strike agent running on this machine:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"366\" height=\"225\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-6.png\" alt=\"\" class=\"wp-image-231470\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-6.png 366w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-6-300x184.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-6-18x12.png 18w\" sizes=\"(max-width: 366px) 100vw, 366px\" \/><\/figure>\n\n\n\n<p>The Rubeus tool will be launched with the <strong>execute-assembly<\/strong> function (principle of <a href=\"https:\/\/www.mandiant.com\/resources\/blog\/bring-your-own-land-novel-red-teaming-technique\">Fork &amp; Run<\/a>) in the <strong>WerFault.exe<\/strong> sacrificial process:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"630\" height=\"51\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-7.png\" alt=\"\" class=\"wp-image-231471\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-7.png 630w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-7-300x24.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-7-18x1.png 18w\" sizes=\"(max-width: 630px) 100vw, 630px\" \/><\/figure>\n\n\n\n<p>We cleared the ticket cache so that no tickets were initially present for the C3-PO user:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"829\" height=\"491\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-8.png\" alt=\"\" class=\"wp-image-231472\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-8.png 829w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-8-300x178.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-8-768x455.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-8-18x12.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-8-650x385.png 650w\" sizes=\"(max-width: 829px) 100vw, 829px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-log-configurations\">Log configurations<\/h2>\n\n\n\n<figure class=\"wp-block-pullquote\"><blockquote><p><strong><mark style=\"background-color:#ffffff\" class=\"has-inline-color has-vivid-red-color\">WARNING<\/mark><\/strong>: The configurations mentioned here are only applicable to a lab environment, as they produce a very large volume of logs and can thus be difficult to analyze in a real scenario. They should be heavily modified to be usable in a production environment.<\/p><\/blockquote><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-domain-controller\">Domain controller<\/h3>\n\n\n\n<p>In order to enable the relevant Active Directory logs, some configuration is necessary, as they are not enabled by default.<\/p>\n\n\n\n<p>First of all, you need to enable the advanced audit policy. 
To do this, in an administrator command prompt, type gpmc.msc, which will open the following window:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"755\" height=\"214\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-9.png\" alt=\"\" class=\"wp-image-231473\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-9.png 755w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-9-300x85.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-9-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-9-650x184.png 650w\" sizes=\"(max-width: 755px) 100vw, 755px\" \/><\/figure>\n\n\n\n<p>Then go to Group Policy Management -&gt; Forest: -&gt; Domains -&gt; -&gt; Domain Controllers and right-click on Default Domain Controllers Policy, then click on Edit:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"752\" height=\"454\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-10.png\" alt=\"\" class=\"wp-image-231474\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-10.png 752w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-10-300x181.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-10-18x12.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-10-650x392.png 650w\" sizes=\"(max-width: 752px) 100vw, 752px\" \/><\/figure>\n\n\n\n<p>It will open the following window:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"730\" height=\"228\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-11.png\" alt=\"\" class=\"wp-image-231475\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-11.png 730w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-11-300x94.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-11-18x6.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-11-650x203.png 650w\" sizes=\"(max-width: 730px) 100vw, 730px\" \/><\/figure>\n\n\n\n<p>Then go to Computer Configuration -&gt; Policies -&gt; Windows Settings -&gt; Security Settings -&gt; Advanced Audit Policy Configuration -&gt; Audit Policies:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"786\" height=\"720\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-12.png\" alt=\"\" class=\"wp-image-231476\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-12.png 786w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-12-300x275.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-12-768x704.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-12-13x12.png 13w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-12-650x595.png 650w\" sizes=\"(max-width: 786px) 100vw, 786px\" \/><\/figure>\n\n\n\n<p>In Account Logon, set all options to Success and Failure:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"823\" height=\"211\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-13.png\" alt=\"\" class=\"wp-image-231477\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-13.png 823w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-13-300x77.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-13-768x197.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-13-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-13-650x167.png 650w\" sizes=\"(max-width: 823px) 100vw, 823px\" 
\/><\/figure>\n\n\n\n<p>Same for DS Access:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"821\" height=\"235\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-14.png\" alt=\"\" class=\"wp-image-231478\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-14.png 821w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-14-300x86.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-14-768x220.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-14-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-14-650x186.png 650w\" sizes=\"(max-width: 821px) 100vw, 821px\" \/><\/figure>\n\n\n\n<p>The next step is to modify the registry. In HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Diagnostics\\, set the value 15 Field Engineering to 5 (verbose):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"759\" height=\"486\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-15.png\" alt=\"\" class=\"wp-image-231479\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-15.png 759w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-15-300x192.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-15-18x12.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-15-650x416.png 650w\" sizes=\"(max-width: 759px) 100vw, 759px\" \/><\/figure>\n\n\n\n<p>Then in HKLM\\SYSTEM\\CurrentControlSet\\Services\\NTDS\\Parameters\\, add the following DWORDs:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\u00abExpensive Search Results Threshold\u00bb set to 1<\/li>\n\n\n\n<li>\u00abInefficient Search Results Threshold\u00bb set to 1<\/li>\n\n\n\n<li>\u00abSearch Time Threshold (msecs)\u00bb set to 1<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image size-full\"><img 
loading=\"lazy\" decoding=\"async\" width=\"753\" height=\"396\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-16.png\" alt=\"\" class=\"wp-image-231480\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-16.png 753w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-16-300x158.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-16-18x9.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image-16-650x342.png 650w\" sizes=\"(max-width: 753px) 100vw, 753px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"h-sysmon\">Sysmon<\/h3>\n\n\n\n<details class=\"wp-block-details is-layout-flow wp-block-details-is-layout-flow\"><summary>Here is the Sysmon configuration used in our lab:<\/summary>\n<pre class=\"wp-block-code\"><code><!--                        NOTICE : This is a custom generated output of Sysmon-modular with higher verbosity                   --><!--                    The log volume expected from this file is significantly larger than a more balanced log                  --><!--                                the blind spots for this config are to be significantly less                                 --><!--                        for more information go to https:\/\/github.com\/olafhartong\/sysmon-modular\/wiki                        --><!--                                                                                                                             --><!--  \/\/**                  ***\/\/                                                                                                --><!-- \/\/\/#(**               **%(\/\/\/                                                                                               --><!-- ((&amp;&amp;&amp;**               **&amp;&amp;&amp;((                                                                                               --><!--  (&amp;&amp;&amp;**   ,(((((((.   
**&amp;&amp;&amp;(                                                                                                --><!--  ((&amp;&amp;**(((((\/\/(((((((\/**&amp;&amp;((      _____                                                            __      __               --><!--   (&amp;&amp;\/\/\/((\/\/\/\/(((((((\/\/\/&amp;&amp;(      \/ ___\/__  ___________ ___  ____  ____        ____ ___  ____  ____\/ \/_  __\/ \/___ ______     --><!--    &amp;\/\/\/\/(\/\/\/\/\/(((((\/(\/\/\/\/&amp;       \\__ \\\/ \/ \/ \/ ___\/ __ `__ \\\/ __ \\\/ __ \\______\/ __ `__ \\\/ __ \\\/ __  \/ \/ \/ \/ \/ __ `\/ ___\/     --><!--    ((\/\/  \/\/\/\/\/(\/\/\/\/\/  \/(((      ___\/ \/ \/_\/ (__  ) \/ \/ \/ \/ \/ \/_\/ \/ \/ \/ \/_____\/ \/ \/ \/ \/ \/ \/_\/ \/ \/_\/ \/ \/_\/ \/ \/ \/_\/ \/ \/         --><!--   &amp;(((((#.\/\/\/\/\/\/\/\/\/ #(((((&amp;    \/____\/\\__, \/____\/_\/ \/_\/ \/_\/\\____\/_\/ \/_\/     \/_\/ \/_\/ \/_\/\\____\/\\__,_\/\\__,_\/_\/\\__,_\/_\/          --><!--    &amp;&amp;&amp;&amp;((#\/\/\/\/\/\/\/((#((&amp;&amp;&amp;&amp;          \/____\/                                                                                  --><!--      &amp;&amp;&amp;&amp;(#\/***\/\/(#(&amp;&amp;&amp;&amp;                                                                                                    --><!--        &amp;&amp;&amp;&amp;****\/\/\/&amp;&amp;&amp;&amp;                                                                            by Olaf Hartong           --><!--           (&amp;    ,&amp;.                                                                                                         --><!--            .*&amp;&amp;*.                                                                                                           
--><!--                                                                                                                             --> * <!-- This now also determines the file names of the files preserved (String) --> False<!-- Setting this to true might impact performance --> False<!-- Disables lookup behavior, default is True (Boolean) --> Sysmon <!-- Sets the name of the directory in the C:\\ root where preserved files will be saved (String)--><!-- Event ID 1 == Process Creation - Excludes --> AcroRd32.exe \/CR;channel= C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\AcroCEF\\AcroCEF.exe C:\\Program Files (x86)\\Common Files\\Adobe\\AdobeGCClient\\AGSService.exe C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\AcroCEF\\RdrCEF.exe C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\LogTransport2.exe C:\\Program Files (x86)\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe C:\\Program Files (x86)\\Adobe\\Adobe Creative Cloud\\ACC\\Creative Cloud.exe C:\\Program Files (x86)\\Adobe\\Adobe Creative Cloud\\CCXProcess\\CCXProcess.exe C:\\Program Files (x86)\\Adobe\\Adobe Creative Cloud\\CoreSync\\CoreSync.exe C:\\Windows\\SysWOW64\\Macromed\\Flash\\FlashPlayerUpdateService.exe C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\AdobeARM.exe C:\\Program Files (x86)\\Common Files\\Adobe\\ARM\\1.0\\armsvc.exe C:\\Program Files (x86)\\Adobe\\Acrobat DC\\Acrobat\\AdobeCollabSync.exe C:\\Program Files (x86)\\Common Files\\Adobe\\Adobe Desktop Common\\HEX\\Adobe CEF Helper.exe C:\\Program Files (x86)\\Common Files\\Adobe\\AdobeGCClient\\AdobeGCClient.exe C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\P6\\adobe_licutil.exe C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\P7\\adobe_licutil.exe C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\P7\\adobe_licutil.exe C:\\Program Files (x86)\\Common Files\\Adobe\\OOBE\\PDApp\\UWA\\updaterstartuputility.exe 
<\/code><\/pre>\n\n\n\n<p><\/p>\n<\/details>","protected":false},"excerpt":{"rendered":"<p>We are starting a series of articles in which we share a summary of the [\u2026]<\/p>","protected":false},"author":41,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[18],"tags":[186],"class_list":["post-227378","post","type-post","status-publish","format-standard","hentry","category-red-teaming","tag-red-team"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Kerberos: Key OPSEC Tactics for Red &amp; Blue Teams<\/title>\n<meta name=\"description\" content=\"Explore essential OPSEC practices for Red Teams and advanced detection strategies for Blue Teams, 
focusing on the Kerberos protocol\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_introduction\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kerberos OPSEC: Offense &amp; Detection Strategies for Red and Blue Team - Introduction\" \/>\n<meta property=\"og:description\" content=\"Explore essential OPSEC practices for Red Teams and advanced detection strategies for Blue Teams, focusing on the Kerberos protocol\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_introduction\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2023-12-13T12:00:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-23T16:48:29+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2023\/12\/image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"751\" \/>\n\t<meta property=\"og:image:height\" content=\"225\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Pierre Livet\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Pierre Livet\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"10 minutes\" \/>\n","yoast_head_json":{"title":"Kerberos: Key OPSEC Tactics for Red &amp; Blue Teams","description":"Explore essential OPSEC practices for Red Teams and advanced detection strategies for Blue Teams, focusing on the Kerberos protocol","canonical":"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_introduction\/","og_title":"Kerberos OPSEC: Offense &amp; Detection Strategies for Red and Blue Team - Introduction","og_site_name":"INTRINSEC","article_published_time":"2023-12-13T12:00:00+00:00","article_modified_time":"2026-02-23T16:48:29+00:00","author":"Pierre Livet","twitter_misc":{"Written by":"Pierre Livet","Est. reading time":"10 minutes"}}}