mirror of https://gitlab.com/curben/blog
1.2 KiB
1.2 KiB
| title | layout | date |
|---|---|---|
| Kerberos Certificate Spoofing | page | 2025-07-27 |
Description: Before the May 10, 2022 security update, certificate-based authentication would not account for a dollar sign ($) at the end of a machine name. This allowed related certificates to be emulated (spoofed) in various ways. References: 1, 2, 3 SPL:
index="windows" source="XmlWinEventLog:System" EventCode IN (39,41,40,48,41,49)
| eval Time=strftime(_time, "%Y-%m-%d %H:%M:%S %z")
| table Time, index, host, UserData_Xml