2022-09-09 05:55 PM
Hello Everyone!
About RSA NetWitness decrypting packets: do you know if the Packet Decoder is able to open/decrypt LDAP/Kerberos connections from incoming traffic?
I just need to know because I am planning to open this kind of traffic to create new detections based on Active Directory traffic, such as BloodHound, DCSync, Kerberoasting, etc.
Thanks!
2022-09-12 04:44 PM
Hi JeffersonRodrig
NetWitness in general can't decrypt anything without having encryption keys imported. There is no inline decryption. The only protocol where decryption works is for very basic TLS that isn't using ephemeral key exchange (i.e. session keys) and only after you import the keys.
Decryption of Microsoft application protocols isn't supported either, due to the aforementioned key issue. However, NetWitness can parse the clear-text portions of Microsoft protocol traffic to a large enough extent to write detections for some of the common AD attacks (e.g. DCSync).
Good Luck with your project.
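An added example, not code from either poster or from NetWitness: a small Python sketch of the kind of detection the reply describes, run over constructed session records that stand in for what a decoder could parse from the clear-text parts of DCE/RPC and Kerberos traffic. The record field names, host addresses and sample records are assumptions for the example; the DRSUAPI interface UUID, the GetNCChanges opnum and the Kerberos constants are the real protocol values.

```python
"""Toy AD attack detections over parsed, clear-text session metadata."""

# Constructed records shaped like what a packet decoder could extract from the
# unencrypted parts of DCE/RPC binds/requests and Kerberos TGS-REQs.
# Field names are assumptions for this example, not NetWitness meta keys.
SESSIONS = [
    {"src": "10.0.0.11", "dst": "10.0.0.10", "proto": "dcerpc",           # DC-to-DC replication
     "if_uuid": "e3514235-4b06-11d1-ab04-00c04fc2dcd2", "opnum": 3},
    {"src": "10.0.5.23", "dst": "10.0.0.10", "proto": "dcerpc",           # workstation asking for replication
     "if_uuid": "e3514235-4b06-11d1-ab04-00c04fc2dcd2", "opnum": 3},
    {"src": "10.0.5.23", "dst": "10.0.0.10", "proto": "kerberos",         # RC4-only service ticket request
     "msg_type": 12, "sname": "MSSQLSvc/db01.corp.local:1433", "etype": [23]},
    {"src": "10.0.5.23", "dst": "10.0.0.10", "proto": "kerberos",         # normal AES ticket request
     "msg_type": 12, "sname": "cifs/fs01.corp.local", "etype": [18, 17]},
]

DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}          # assumed DC allowlist
DRSUAPI_UUID = "e3514235-4b06-11d1-ab04-00c04fc2dcd2"     # MS-DRSR replication interface
DRS_GET_NC_CHANGES = 3                                    # IDL_DRSGetNCChanges opnum
KRB_TGS_REQ = 12                                          # Kerberos msg-type for TGS-REQ
RC4_HMAC = 23                                             # etype 0x17


def detect_dcsync(sessions, dcs=DOMAIN_CONTROLLERS):
    """Replication (GetNCChanges) requests from any host that is not a known DC.

    The DCE/RPC interface UUID and opnum sit in the unencrypted PDU headers,
    so no key material is needed to see them.
    """
    return [s["src"] for s in sessions
            if s.get("proto") == "dcerpc"
            and s.get("if_uuid") == DRSUAPI_UUID
            and s.get("opnum") == DRS_GET_NC_CHANGES
            and s["src"] not in dcs]


def detect_kerberoast(sessions):
    """TGS-REQs whose only offered etype is RC4-HMAC (the request body is clear text).

    Tune for legacy hosts that legitimately still offer RC4 only.
    """
    return [s["sname"] for s in sessions
            if s.get("proto") == "kerberos"
            and s.get("msg_type") == KRB_TGS_REQ
            and s.get("etype") == [RC4_HMAC]]


if __name__ == "__main__":
    print("DCSync-like sources:", detect_dcsync(SESSIONS))
    print("RC4-only TGS-REQs for:", detect_kerberoast(SESSIONS))
```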