4713 Kerberos policy was changed
Written when Kerberos policy (such as ticket lifetimes) is changed. Because it touches the core of domain authentication, such a change can be abused by attackers for persistence or to weaken authentication.
Overview
The subcategory is Audit Authentication Policy Change. It is generated only on domain controllers. It is recorded when Kerberos (the standard Windows authentication protocol) policy is changed, such as the maximum ticket lifetime, renewal period, or allowed clock skew.
How it is triggered
- When Kerberos policy is changed via domain Group Policy.
- It occurs on domain controllers.
Security review points
- A change that drastically extends ticket lifetimes can facilitate long-term unauthorized access such as a Golden Ticket (a forged all-powerful ticket made using the KRBTGT hash). Always investigate an unplanned Kerberos policy change.
- A change that loosens the allowed clock skew may weaken detection of replay attacks (event 4649) and time-shifting.
Notes for log review
- It is normally a rare change. Even one occurrence is a high-priority event to confirm as planned.
- Check the changed policy item and its value (before/after), and see whether it deviates from your security baseline (such as a short ticket lifetime).
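As an added triage example (not part of the original page), the following Python parses the changed-settings field of a 4713 event and compares each new value with a baseline. The field layout, setting names and sample events are constructed assumptions; the baseline numbers are the Windows default Kerberos policy values.

```python
import re
from dataclasses import dataclass

# Assumed baseline in minutes; equals the Windows default Kerberos policy
# (TGT 10 h, service ticket 10 h, renewal 7 d, clock skew 5 min).
BASELINE_MAX = {
    "MaxTicketAge": 600,
    "MaxServiceAge": 600,
    "MaxRenewAge": 7 * 24 * 60,
    "MaxClockSkew": 5,
}

# Assumed layout of "Changed Kerberos policy settings":
# "Name: old -> new; Name: old -> new". Adapt to what your collector emits.
_SETTING_RE = re.compile(r"(\w+):\s*(\d+)\s*->\s*(\d+)")

@dataclass(frozen=True)
class Finding:
    setting: str
    old: int
    new: int
    reason: str

def parse_changes(field: str) -> dict[str, tuple[int, int]]:
    """Return {setting: (old_value, new_value)} parsed from the field."""
    return {m[1]: (int(m[2]), int(m[3])) for m in _SETTING_RE.finditer(field)}

def triage_4713(event: dict) -> tuple[str, list[Finding]]:
    """Rate one event: 'high' if any setting was loosened past baseline,
    else 'confirm' (every 4713 still needs a matching change record)."""
    findings, severity = [], "confirm"
    for name, (old, new) in parse_changes(event["ChangedSettings"]).items():
        limit = BASELINE_MAX.get(name)
        if limit is None:
            findings.append(Finding(name, old, new, "unknown setting; review manually"))
        elif new > limit:
            findings.append(Finding(name, old, new, f"exceeds baseline {limit}"))
            severity = "high"
        elif new > old:
            findings.append(Finding(name, old, new, "loosened, still within baseline"))
    return severity, findings

SAMPLE_EVENTS = [  # constructed sample records, not real log data
    {"EventID": 4713, "Computer": "dc01.corp.example", "SubjectUserName": "svc-gpo-admin",
     "ChangedSettings": "MaxTicketAge: 600 -> 43200; MaxClockSkew: 5 -> 60"},
    {"EventID": 4713, "Computer": "dc01.corp.example", "SubjectUserName": "jdoe",
     "ChangedSettings": "MaxTicketAge: 600 -> 480"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        sev, found = triage_4713(ev)
        print(ev["SubjectUserName"], sev, [(f.setting, f.old, f.new, f.reason) for f in found])
```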
Key fields
| Field | Meaning |
|---|---|
| Changed Kerberos policy settings | Ticket lifetime, renewal period, clock skew, and so on |
| Subject\Account Name | The account that made the change |
Glossary
- Golden Ticket — an attack that steals the domain KRBTGT account’s hash to forge Kerberos tickets for any user and any privilege. Short ticket lifetimes limit its usefulness to an attacker.