Azure ATP brings you a new Preview detection: Kerberos golden ticket - nonexistent account

%3CLINGO-SUB%20id%3D%22lingo-sub-213146%22%20slang%3D%22en-US%22%3EAzure%20ATP%20brings%20you%20a%20new%20Preview%20detection%3A%20Kerberos%20golden%20ticket%20-%20nonexistent%20account%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-213146%22%20slang%3D%22en-US%22%3E%3CP%3EIn%20this%20attack%2C%20an%20attacker%20creates%20an%20account%20that%20does%20not%20exist%20in%20AD%2C%20then%20uses%20the%20Kerberos%20ticket%20to%20access%20resources.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EYou%20can%20now%20see%20this%20kind%20of%20attack%20in%20Azure%20ATP%20version%202.39%2C%20that%20will%20open%20a%20%3CSTRONG%3EKerberos%20golden%20ticket%20-%3C%2FSTRONG%3E%20%3CSTRONG%3Enonexistent%20account%26nbsp%3B%3C%2FSTRONG%3Ealert.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EFor%20more%20information%20visit%20%3CA%20href%3D%22https%3A%2F%2Faka.ms%2Fatasaguide-golden%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3E%3CSPAN%20data-ft%3D%22%22%3Eaka.ms%2Fatasaguide-golden%3C%2FSPAN%3E%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EStay%20tuned.%20Your%20feedback%20is%20welcome!%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37224i04DABBA60C9E3D2D%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22tali_mimikatzInjected.png%22%20title%3D%22tali_mimikatzInjected.png%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3EMimikatz%20command%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%20class%3D%22lia-inline-image-display-wrapper%20lia-image-align-center%22%20style%3D%22width%3A%20999px%3B%22%3E%3CIMG%20src%3D%22https%3A%2F%2Fgxcuf89792.i.lithium.com%2Ft5%2Fimage%2Fserverpage%2Fimage-id%2F37225i332A2ADCE883AD46%2Fimage-size%2Flarge%3Fv%3D1.0%26amp%3Bpx%3D999%22%20alt%3D%22nonexistenet%20account%20preview.jpg%22%20title%3D%22nonexistenet%20account%20preview.jpg%22%20%2F%3E%3CSPAN%20class%3D%22lia-inline-image-caption%22%20onclick%3D%22event.preventDefault()%3B%22%3Epreview%20alert%3C%2FSPAN%3E%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Highlighted
Microsoft

In this attack, an attacker creates an account that does not exist in AD, then uses the Kerberos ticket to access resources.

 

You can now see this kind of attack in Azure ATP version 2.39, that will open a Kerberos golden ticket - nonexistent account alert.

 

For more information visit aka.ms/atasaguide-golden

 

Stay tuned. Your feedback is welcome!

 

Mimikatz commandMimikatz command

 

preview alertpreview alert

0 Replies