Hi,
There was a "P-AdminLogin" rule trigger for months on my AD audit, but I hadn't investigated it, mostly because no Admin users are using this account; each one of them has a personal individual account for DCs...
So, I queried the "LastLogonDate" for this account, and searched on the DCs for the 4624 Event... but there was none for this timestamp.
But, at this precise timestamp, there was a 4769 Event "Kerberos Service Ticket Operations" (Failure code 0x0)... which is referring to an "MSA account"...
So... in this case, could it be that the PingCastle "P-AdminLogin" rule triggers not on an "Admin account use", but on an "MSA ticket operation" which induces a new "LastLogonDate" of the Admin account... ;-( ?
By the way, the "LastLogonDate" of the "MSA Service account", obtained with "Get-ADServiceAccount", is of another day, another timestamp...
I'm a bit lost... ;-(
Regards
Two days ago, same behavior: the admin account LastLogonDate 03/15 (US format) is the exact timestamp of a 4769 "Kerberos ticket Operations" event concerning an MSA account.
The "S4u2Self" was also mentioned by another source - in March - as a suspected origin for this updated timestamp..., and the "P-AdminLogin" rule trigger cause I encountered...
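The manual check described in this thread (read the account's LastLogonDate, then look for 4624 and 4769 events at that exact time) can be scripted as below. This is an added example, not part of the thread and not PingCastle code; the function name `Find-LastLogonEvidence`, the account names, the date and the sample events are all constructed, and the records are assumed to be 4624/4769 events already flattened to one object per event.

```powershell
# Added example. Every name, time and event below is constructed sample data.
function Find-LastLogonEvidence {
    param(
        [Parameter(Mandatory)] [string]   $AccountName,    # sAMAccountName flagged by the rule
        [Parameter(Mandatory)] [datetime] $LastLogonDate,  # value read from the account
        [Parameter(Mandatory)] [object[]] $Events,         # flattened 4624/4769 records from the DCs
        [int] $WindowSeconds = 2                           # tolerance around the timestamp
    )
    $near = @($Events | Where-Object {
        [math]::Abs(($_.TimeCreated - $LastLogonDate).TotalSeconds) -le $WindowSeconds
    })
    # 4624 names the account that logged on, so match it against the flagged account.
    $logons = @($near | Where-Object { $_.Id -eq 4624 -and $_.TargetUserName -ieq $AccountName })
    # 4769 names the ticket requester and the service, which can be another principal
    # (an MSA in this thread), so keep every 4769 in the window for review.
    $tickets = @($near | Where-Object { $_.Id -eq 4769 })

    if ($logons.Count -gt 0) {
        $finding = 'a logon event (4624) matches the timestamp'
    } elseif ($tickets.Count -gt 0) {
        $finding = 'no 4624; only service ticket events (4769) match'
    } else {
        $finding = 'no 4624 or 4769 within the window'
    }

    [pscustomobject]@{
        Account       = $AccountName
        LastLogonDate = $LastLogonDate
        Logons4624    = $logons.Count
        Tickets4769   = $tickets.Count
        TicketDetails = @($tickets | ForEach-Object {
            '{0}: {1} -> {2} (status {3})' -f $_.Computer, $_.TargetUserName, $_.ServiceName, $_.Status
        })
        Finding       = $finding
    }
}

# Constructed sample: one 4769 at the timestamp, one unrelated 4624 three hours earlier.
$stamp  = [datetime]'2024-03-15T09:12:44'
$sample = @(
    [pscustomobject]@{ Id = 4769; TimeCreated = $stamp; Computer = 'DC01'
        TargetUserName = 'svc-msa$@EXAMPLE.LOCAL'; ServiceName = 'svc-msa$'; Status = '0x0' }
    [pscustomobject]@{ Id = 4624; TimeCreated = $stamp.AddHours(-3); Computer = 'DC01'
        TargetUserName = 'jdoe-adm'; ServiceName = $null; Status = $null }
)
Find-LastLogonEvidence -AccountName 'Administrator' -LastLogonDate $stamp -Events $sample
```

On a real domain the records would come from each DC's Security log, for example with `Get-WinEvent -FilterHashtable` restricted to IDs 4624 and 4769 and a narrow `StartTime`/`EndTime` range around the timestamp.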