Forum Discussion
logger2115
Oct 02, 2024 | Brass Contributor
Suspected identity theft (pass-the-ticket) on multiple endpoints krbtgt
A user's Kerberos ticket was taken from the DirectAccess / Always On VPN server, which has a local NPS, and then used on the user's computer to access multiple resources. Expected behavior observed. What conditions to use for supp...
logger2115
Feb 14, 2025 | Brass Contributor
A blanket exclusion on all krbtgt alerts, I would think, is bad practice. What if the account itself has been compromised? Then alerts will slip. MDI makes a lot of noise, and adjustments can be made in conjunction with exclusions based on the potential threat and attack story, but dismissing them introduces high risk and exposure to more attacks.