The original post: /r/cybersecurity by /u/LumosNoxxx on 2024-05-17 08:06:41.

Hello all,

I would like support.

Our EDR reported a case where the command “scp -v -f krb5cc{id}” was executed. An attacker attempting to impersonate a Kerberos user can copy this file to a machine under their control and replay it. (MITRE ATT&CK Tactic T1552.001)

During the investigation, the user associated with the command said that he did not launch it manually, but that it may have been launched automatically by MobaXterm during a “drag and drop” to transfer a file to a remote server, which authenticated itself automatically.

So I would like to know:

  1. Is it normal behaviour for MobaXterm to access the Kerberos credential cache?
  2. What path should I take next to investigate it, because I still do not have the evidence or the root cause of the alert? The logs I checked show no evidence of the use of scp.

Thank you very much for supporting me despite my still limited experience.
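A defender-side triage helper for this kind of alert, added here as an example that is not part of the post or of MobaXterm: it scans process events for any command line that references a krb5cc credential-cache file and, for scp, reads the remote-side mode flag, since sshd spawns `scp -f <file>` on the host that sends the file and `scp -t <dir>` on the host that receives it. The pipe-separated event layout and the sample lines are constructed assumptions, not a vendor's real export format.

```python
import re
import shlex

# Constructed sample events in an assumed "ts|host|user|parent|cmdline" export
# layout (not any vendor's real schema); the first line mirrors the alert in the post.
SAMPLE_EVENTS = """\
2024-05-17T07:58:02Z|lnx-app01|jdoe|sshd|scp -v -f krb5cc_1000
2024-05-17T07:58:05Z|lnx-app01|jdoe|sshd|scp -v -t /home/jdoe/upload/
2024-05-17T08:01:11Z|lnx-app01|root|cron|/usr/bin/kinit -R
2024-05-17T08:03:40Z|lnx-app01|jdoe|bash|cat /tmp/krb5cc_1000
2024-05-17T08:04:02Z|lnx-app01|jdoe|bash|ls -l /tmp
"""

# Any argument naming a Kerberos credential cache (krb5cc_<uid>, krb5cc_<uid>_XXXX, ...)
CCACHE_RE = re.compile(r"\bkrb5cc[\w.-]*")


def scp_direction(argv):
    """Classify scp's remote-side mode: sshd runs 'scp -f <file>' on the host
    that sends the file and 'scp -t <dir>' on the host that receives it."""
    if "-f" in argv[1:]:
        return "source mode (-f): file was read from this host for transfer elsewhere"
    if "-t" in argv[1:]:
        return "sink mode (-t): file was written onto this host"
    return "client mode (scp started locally)"


def scan_events(text):
    """Return one finding per event whose command line references a credential cache."""
    findings = []
    for line in text.splitlines():
        ts, _host, user, parent, cmdline = line.split("|", 4)
        if not CCACHE_RE.search(cmdline):
            continue
        argv = shlex.split(cmdline)
        prog = argv[0].rsplit("/", 1)[-1]  # basename of the executable
        reason = f"{prog} referenced a Kerberos credential cache"
        if prog == "scp":
            reason += "; " + scp_direction(argv)
        if parent == "sshd":
            reason += "; parent is sshd, so the command came from a remote session"
        findings.append({"ts": ts, "user": user, "parent": parent,
                         "cmdline": cmdline, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f["ts"], f["user"], f["cmdline"], "->", f["reason"])
```

The `-f` classification is the point to check against the user's account: a drag-and-drop upload to a remote server would show up on that server as `scp -t`, not `scp -f`, so the direction tells you which host was the source of the cache file.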