The original post: /r/cybersecurity by /u/LumosNoxxx on 2024-05-17 08:06:41.
Hello all,
I would like support.
Our EDR reported a case where the command “scp -v -f krb5cc{id}” was executed. An attacker attempting to impersonate a Kerberos user can copy this file to a machine under their control and replay it. (MITRE ATT&CK Tactic T1552.001)
During the investigation, the user related to the command says that he did not launch it manually, but that it may have been launched automatically by MobaXterm during a “drag and drop” to transfer a file to a distant server, which authenticated itself automatically.
So I would like to know:
- Is it normal behaviour for MobaXterm to access the Kerberos credential cache?
- What path should I take next to investigate it, because I still do not have the evidence or the root cause of the alert? The logs I checked show no evidence of the use of scp.
Thank you very much for supporting me with my still low experience.
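The alert in the post is a process that names a Kerberos credential cache on its command line. Below is an added triage example (not code from the original post, from MobaXterm or from any EDR vendor) that parses a constructed process-creation feed, keeps only processes whose command line names a `krb5cc_*` file other than the Kerberos tools that legitimately do so (`klist -c ...`), and walks the parent chain to locate the sshd session process. In OpenSSH's scp protocol, `scp -f <file>` is the form the remote side runs when a client pulls `<file>`, so the sshd session PID and the source address logged for it in the host's auth log are where the drag-and-drop hypothesis can be confirmed or ruled out. The JSON-lines format, the field names (`ts`, `host`, `pid`, `ppid`, `user`, `image`, `cmdline`) and every host, user and PID in the sample are assumptions for the example.

```python
"""Triage helper for EDR process events that name a Kerberos credential cache.

Added example for the thread above, not code from the original post or from any
EDR product. It assumes a constructed JSON-lines process-creation feed with the
fields ts, host, pid, ppid, user, image and cmdline; real exports use other field
names, so adapt load_events() to the product in use.
"""
import json
import re

# Default file-based credential caches on Linux are named krb5cc_<uid> or
# krb5cc_<uid>_<random>, usually under /tmp.
KRB5CC_RE = re.compile(r"\bkrb5cc_\w+", re.IGNORECASE)

# Tools that legitimately name the cache file on their command line (klist -c ...).
# ssh/scp/sftp authenticate with GSSAPI by reading the cache through the library,
# so a cache path appearing as an scp *argument* is the file being transferred.
LEGIT_CACHE_NAMERS = {"kinit", "klist", "kdestroy"}

# Constructed sample telemetry for one host; hostnames, users and PIDs are invented.
SAMPLE_EVENTS = """\
{"ts":"2024-05-16T09:14:02Z","host":"srv01","pid":1200,"ppid":1,"user":"root","image":"/usr/sbin/sshd","cmdline":"/usr/sbin/sshd -D"}
{"ts":"2024-05-16T09:14:05Z","host":"srv01","pid":4311,"ppid":1200,"user":"root","image":"/usr/sbin/sshd","cmdline":"sshd: jdoe [priv]"}
{"ts":"2024-05-16T09:14:05Z","host":"srv01","pid":4315,"ppid":4311,"user":"jdoe","image":"/bin/bash","cmdline":"bash -c scp -v -f report.pdf"}
{"ts":"2024-05-16T09:14:05Z","host":"srv01","pid":4316,"ppid":4315,"user":"jdoe","image":"/usr/bin/scp","cmdline":"scp -v -f report.pdf"}
{"ts":"2024-05-16T09:20:41Z","host":"srv01","pid":4402,"ppid":4311,"user":"jdoe","image":"/bin/bash","cmdline":"bash -c scp -v -f krb5cc_1001"}
{"ts":"2024-05-16T09:20:41Z","host":"srv01","pid":4403,"ppid":4402,"user":"jdoe","image":"/usr/bin/scp","cmdline":"scp -v -f krb5cc_1001"}
{"ts":"2024-05-16T09:21:10Z","host":"srv01","pid":4500,"ppid":4311,"user":"jdoe","image":"/usr/bin/klist","cmdline":"klist -c /tmp/krb5cc_1001"}
"""


def basename(path):
    return path.rsplit("/", 1)[-1]


def load_events(text):
    """Parse one JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def references_krb5cc(cmdline):
    return KRB5CC_RE.search(cmdline) is not None


def ancestry(event, by_pid, max_depth=16):
    """Walk ppid links back towards PID 1, guarding against cycles from PID reuse."""
    chain, seen, cur = [event], {event["pid"]}, event
    while cur["ppid"] in by_pid and cur["ppid"] not in seen and len(chain) < max_depth:
        cur = by_pid[cur["ppid"]]
        seen.add(cur["pid"])
        chain.append(cur)
    return chain


def triage(events):
    """Return one finding per leaf process whose command line names a krb5cc file.

    Each finding carries the process ancestry and, when the process descends from
    sshd, the PID of the nearest sshd session process, which is the value to look up
    in the host's auth log to get the remote address that opened that session.
    """
    by_pid = {e["pid"]: e for e in events}
    hits = [e for e in events
            if references_krb5cc(e["cmdline"])
            and basename(e["image"]) not in LEGIT_CACHE_NAMERS]
    findings = []
    for e in hits:
        # Collapse wrappers such as `bash -c scp ... krb5cc_1001`: the wrapper is
        # covered by its child's finding, which already shows it in the chain.
        if any(child["ppid"] == e["pid"] for child in hits):
            continue
        chain = ancestry(e, by_pid)
        sshd = next((a for a in chain[1:] if basename(a["image"]) == "sshd"), None)
        findings.append({
            "ts": e["ts"], "host": e["host"], "user": e["user"], "pid": e["pid"],
            "cmdline": e["cmdline"],
            "chain": " <- ".join(basename(a["image"]) for a in chain),
            "via_sshd": sshd is not None,
            "sshd_session_pid": sshd["pid"] if sshd else None,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(load_events(SAMPLE_EVENTS)):
        print(json.dumps(finding, indent=2))
```

On the sample feed the script yields a single finding for the `scp -v -f krb5cc_1001` process, with the chain `scp <- bash <- sshd <- sshd` and sshd session PID 4311; the `klist -c` event and the ordinary `scp -v -f report.pdf` transfer are not reported. The same filter can be pointed at a real export to answer the second question in the post: if the cache-naming scp descends from an sshd session whose logged source is the user's workstation, the MobaXterm explanation fits; if the session came from elsewhere, or the process has no sshd ancestor, the alert needs a different explanation.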