P-AdminLogin and MSA accounts
Hi, There was a "P-AdminLogin" rule trigger for months on my AD audit, but I hadn't investigated, mostly because no Admin users are using this account, each one of them got a personal individual account for DCs....
So, I queried the "LastLogonDate" for this account, and searched on the DCs for the 4624 Event.... but there was none for this timestamp.
But, at this precise timestamp, there was a 4769 Event "Kerberos Service Ticket Operations" (Failure code 0x0)... which is referring to an "MSA account"...
So... in this case, could it be that the PingCastle "P-AdminLogin" rule triggers not on an "Admin account use", but on an "MSA ticket operation" which induces a new "LastLogonDate" of the Admin account.... ;-( ?
By the way, the "LastLogonDate" of the "MSA Service account", retrieved with "Get-ADServiceAccount", is of another day, another timestamp...
I'm a bit lost... ;-(
Regards
Hi,
Two days ago, same behavior: the admin account LastLogonDate 03/15 (US format) is the exact timestamp of a 4769 "Kerberos ticket Operations" event concerning an MSA account.
Any idea?
Regards
Hi,
Thanks for having taken into account this false positive (cf. your post on Twitter https://twitter.com/mysmartlogon/status/1539575176362426368?cxt=HHwWgIC8wejd1d0qAAAA )
The "S4u2Self" was also mentioned by another source - in March - as a suspected origin for this updated timestamp..., and the "P-AdminLogin" rule trigger cause I encountered...
Regards
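
The manual check described in this thread (compare the flagged account's LastLogonDate with the 4624 and 4769 events on every DC) can be scripted. This is an added example, not part of the original posts and not PingCastle's own code; the parameter names and the default time window are assumptions.

```powershell
# Added example: parameter names and the default window are assumptions.
# Needs the ActiveDirectory module and read access to each DC's Security log.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,  # account flagged by P-AdminLogin
    [int] $WindowSeconds = 5                           # tolerance around LastLogonDate
)
Import-Module ActiveDirectory
$user = Get-ADUser -Identity $SamAccountName -Properties LastLogonDate
if (-not $user.LastLogonDate) { throw "No LastLogonDate recorded for $SamAccountName" }
$filter = @{
    LogName   = 'Security'
    Id        = 4624, 4769
    StartTime = $user.LastLogonDate.AddSeconds(-$WindowSeconds)
    EndTime   = $user.LastLogonDate.AddSeconds($WindowSeconds)
}
$hits = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events found" is an expected outcome on most DCs; report anything else.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') {
            Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        }
        continue
    }
    foreach ($e in $events) {
        # Flatten the event's EventData name/value pairs.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        # 4624: keep only logons of the flagged account. 4769: keep every request in the
        # window, since the requester may be another principal (an MSA in this thread).
        if ($e.Id -eq 4624 -and $d.TargetUserName -ne $SamAccountName) { continue }
        [pscustomobject]@{
            DC          = $dc.HostName
            TimeCreated = $e.TimeCreated
            EventId     = $e.Id
            Account     = $d.TargetUserName
            LogonType   = $d.LogonType     # 4624 only
            ServiceName = $d.ServiceName   # 4769 only
            Status      = $d.Status        # 4769 only (0x0 = success)
        }
    }
}
$hits | Sort-Object TimeCreated | Format-Table -AutoSize
if (-not ($hits | Where-Object EventId -eq 4624)) {
    Write-Output "No 4624 for $SamAccountName in the window; review the 4769 rows above."
}
```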