Explain the event code 4771.

393    Asked by ankurDwivedi in Cyber Security , Asked on Mar 29, 2022

 Is there an easy way to distinguish 4771 events from a real attack perspective vs. someone having a stale session with an old password?


If you don't get logs from all endpoints and rely on Domain Controllers, you have to key off of 4771 and 4625 for failures, where 4771 is the Kerberos events from the domain joined computers to the DCs.


It's nice having visibility across the endpoints without getting logs from everything but for these 4771 events, most of the alerts I see are just stale sessions and non-security events. I don't see any sub code or item to key off of for stale/old password vs. real attack.

Answered by Amit Sinha

Most of the time these events are noisy in a large user environment with a password change policy. Most of the time this happens when an account's password is expired and it is tied with some application/service/task which keeps trying to login again and again. If you have a SIEM or log management solution, you can create a rule to ignore event code 4771 for the account's password which was recently reset 4723/4724 (say in the last 24hrs).



Your Answer

Online Course

Tutorials

Salesforce Tutorial

Software Testing Tutorial

SQL Tutorial

Business Analyst Tutorial

Devops Tutorial

Data Science Tutorial

AWS Tutorial

Hadoop Tutorial

SSRS Tutorial

AWS S3 Tutorial

Functional Testing Tutorial

SSAS Tutorial

Automation Testing Tutorial

Manual Testing Tutorial

Selenium Tutorial

Kubernetes Tutorial

Scala Tutorial

ETL Testing Tutorial

Python Tutorial

Pyspark Tutorial

R Tutorial

Unit Testing Tutorial

API Testing Tutorial

Puppet Tutorial

Integration Testing Tutorial

Chef Tutorial

Jenkins Tutorial

Ansible Tutorial

Vagrant Tutorial

Docker Tutorial

Interviews

Parent Categories

Copyright | JanBaskTraining.com