Hello Reader,
I'm writing this post to serve as a bookmark for the future for anyone out there searching for this. If it's late at night and you have Microsoft Defender ATA in your network monitoring your systems and suddenly, you get a High Alert that a golden ticket was in use ... take a deep breath and examine the facts.
First this alert is generated because the kerberos ticket it reported had a time to live larger than group policy for them. This does not mean that this is proof that a ticket is being used right now so take a step away from the fire the missiles button and examine the facts.
Second check the account being used, if the account being used is the Machine account (the computer name with a $ at the end) and not a user then this could be a 'silver ticket' attack or just a system who clock is out of sync.
Third check to see what hosts this ticket is accessing and what the actual time to live is. When I make golden tickets in an attack simulation I give them very long lives (months to years) so I can keep using them going forward. If the ticket is only a couple hours greater than the policy (which it should tell you the policy time) take two steps away from the button.
Fourth check to see (especially if this is between domain controllers) if the machine account being used belongs to a DC being brought online and syncing for the first time. In which case this is probably a false positive.
Now if none of these things match your reported scenario go find out what accounts were effected, where the accesses came from and how long that ticket has to live and start triaging! You might have a real intrusion going on!
I'm writing this post to serve as a bookmark for the future for anyone out there searching for this. If it's late at night and you have Microsoft Defender ATA in your network monitoring your systems and suddenly, you get a High Alert that a golden ticket was in use ... take a deep breath and examine the facts.
First this alert is generated because the kerberos ticket it reported had a time to live larger than group policy for them. This does not mean that this is proof that a ticket is being used right now so take a step away from the fire the missiles button and examine the facts.
Second check the account being used, if the account being used is the Machine account (the computer name with a $ at the end) and not a user then this could be a 'silver ticket' attack or just a system who clock is out of sync.
Third check to see what hosts this ticket is accessing and what the actual time to live is. When I make golden tickets in an attack simulation I give them very long lives (months to years) so I can keep using them going forward. If the ticket is only a couple hours greater than the policy (which it should tell you the policy time) take two steps away from the button.
Fourth check to see (especially if this is between domain controllers) if the machine account being used belongs to a DC being brought online and syncing for the first time. In which case this is probably a false positive.
Now if none of these things match your reported scenario go find out what accounts were effected, where the accesses came from and how long that ticket has to live and start triaging! You might have a real intrusion going on!
Also Read: Daily Blog #623
Post a Comment