All it takes is one. One compromise of a single laptop belonging to a user with the right authority, and you can create a Golden Ticket that gives you Domain Admin authority for the next 10 years.
Golden tickets are just one of the ways adversaries can attack AD authentication – in this case Kerberos. There are other attacks related to Kerberos and even more when it comes to NTLM.
In this real training for free session, we will first look at how Kerberos and NTLM authentication work and then we will dive into current attack scenarios for both protocols.
Then we will move to defense and look at how to detect AD authentication attacks. We will explore methods for recognizing potential golden tickets and other suspicious Kerberos behavior. We’ll also explore the information Windows domain controllers log for Kerberos and NTLM events, including events like:
- 4768 - A Kerberos authentication ticket (TGT) was requested
- 4769 - A Kerberos service ticket was requested
- 4774 - An account was mapped for logon
We will also discuss prevention techniques. As just one example, some organizations periodically reset the krbtgt account password two times in a row. I’ll explain why and help you determine if that makes sense for your environment.
Then our sponsor, Quest Software, will briefly show you new capabilities in their famous Change Auditor product that directly relate to the risks discussed herein – including golden ticket detection and NTLM auditing, but also the ability to bring AD and Azure AD authentication and logon data together.
Please join us for this real training for free session.