Forum Discussion
jonghwamun
Microsoft
Jul 07, 2022
Inquiries related to maximum lifetime for user ticket.
Good afternoon, my Cx was curious about some questions that came along with Golden Ticket Alert.
I tried to figure it out, but was not able to locate sources for the questions. Here are the que...
EliOfek
Microsoft
Jul 07, 2022
This comment means that MDI failed to read the default Kerberos policy for the domain (you can probably find an error in the Sensor logs).
Since we failed to read it, we assume the default in AD, which is 10 hours.
This is important, as if the customer knows the default policy is set to something else, larger, then most chances are this is a false positive, and you need to find out why we weren't able to read the policy so it won't happen again.
gurulee73
Copper Contributor
May 22, 2023
We are getting flooded with MDI alerts 'Suspected Golden Ticket usage (time anomaly) on one endpoint' and we verified the default domain policy is set to 10 hours for 'maximum lifetime for a user ticket'.
Is there something we should be looking for in the MDI sensor logs that would point to the sensor not being able to read the policy?