How Microsoft Advanced Threat Analytics detects golden ticket attacks


If you’re in the business of threat detection, you are probably familiar with the term “golden ticket”. For those less familiar, a golden ticket is the name of a Kerberos ticket that is manually created by an attacker after gaining access to your environment’s encryption “master key”. A golden ticket allows an attacker to masquerade as any user or gain the permissions of any role at any time they want, giving them full control over your environment.

Being able to detect this kind of attack has historically been difficult, because the adversary is leveraging credentials with the same key your Active Directory uses.

Read about it in the Enterprise Mobility & Security blog.