UBA : Possible TGT PAC Forgery
The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.
UBA : Possible TGT PAC Forgery
Enabled by default
False
Default senseValue
10
Description
Detects the use of a forged Privilege Attribute Certificate (PAC) to get a service ticket from the Kerberos Ticket Granting Service (TGS).
Support rules
- BB:UBA : Common Event Filters
- BB:UBA : TCT PAC Forgery Patched Server
- BB:UBA : TCT PAC Forgery Unpatched Server
Required configuration
Add the appropriate values to the following reference set: "UBA : Domain Controller Administrators".
Log source types
Microsoft Windows Security Event Log (EventID: 4672, 4769)