Home
  •  

Actividad sospechosa de degradación de cifrado (golden ticket)

Microsoft.AdvancedThreatAnalytics.1_7.Center.EncryptionDowngradeSuspiciousActivity_GoldenTicket (Rule)

Knowledge Base article:

Resumen

El Centro de ATA ha detectado una actividad sospechosa.

Causas

Se detectó una actividad sospechosa.

Soluciones

Revise la actividad sospechosa en la consola de ATA e inicie procedimientos de respuesta.

Element properties:

TargetMicrosoft.AdvancedThreatAnalytics.1_7.Center
CategorySecurityHealth
EnabledFalse
Alert GenerateTrue
Alert SeverityError
Alert PriorityNormal
RemotableTrue
Alert Message
Alerta de actividad sospechosa de degradación de cifrado (golden ticket)
Alerta de regla del Centro de Microsoft ATA 1.7 - EventID 2009 - Actividad sospechosa de degradación de cifrado (golden ticket)
Event LogMicrosoft ATA

Member Modules:

ID Module Type TypeId RunAs 
Microsoft.Windows.EventCollector DataSource Microsoft.Windows.EventProvider Default
System.Health.GenerateAlert WriteAction System.Health.GenerateAlert Default

Source Code:

<Rule ID="Microsoft.AdvancedThreatAnalytics.1_7.Center.EncryptionDowngradeSuspiciousActivity_GoldenTicket" Target="Microsoft.AdvancedThreatAnalytics.1_7.Center" Enabled="false" ConfirmDelivery="true" Remotable="true" Priority="Normal" DiscardLevel="100">

  <Category>SecurityHealth</Category>

  <DataSources>

    <DataSource ID="Microsoft.Windows.EventCollector" TypeID="Windows!Microsoft.Windows.EventProvider">

      <ComputerName>$Target/Host/Property[Type="Windows!Microsoft.Windows.Computer"]/NetworkName$</ComputerName>

      <LogName>Microsoft ATA</LogName>

      <AllowProxying>false</AllowProxying>

      <Expression>

        <SimpleExpression>

          <ValueExpression>

            <XPathQuery Type="UnsignedInteger">EventDisplayNumber</XPathQuery>

          </ValueExpression>

          <Operator>Equal</Operator>

          <ValueExpression>

            <Value Type="UnsignedInteger">2009</Value>

          </ValueExpression>

        </SimpleExpression>

      </Expression>

    </DataSource>

  </DataSources>

  <WriteActions>

    <WriteAction ID="System.Health.GenerateAlert" TypeID="Health!System.Health.GenerateAlert">

      <Priority>1</Priority>

      <Severity>2</Severity>

      <AlertMessageId>$MPElement[Name="Microsoft.AdvancedThreatAnalytics.1_7.Center.EncryptionDowngradeSuspiciousActivity_GoldenTicket.AlertMessage"]$</AlertMessageId>

      <AlertParameters>

        <AlertParameter1>$Data/EventDescription$</AlertParameter1>

      </AlertParameters>

    </WriteAction>

  </WriteActions>

</Rule>