How to Detect Pass-the-Ticket Attacks

How to Detect Pass-the-Ticket Attacks

In our first post of the series, we looked at some interesting ways to detect the pass-the-hash attack. Pass-the-hash is an effective approach for exploiting NTLM authentication within an Active Directory domain. Pass-the-ticket is an alternate approach which leverages Kerberos authentication to perform lateral movement.  In this post we will dive into how this attack works and what you can do to detect it. How Pass-the-Ticket Works In a pass-the-ticket attack, an attacker is able to extract a Kerberos Ticket Granting Ticket…

Read More Read More

Attacking Local Account Passwords

Attacking Local Account Passwords

So far in this series, we’ve learned how attackers can target weak domain passwords in Active Directory.  To complete the story, we need to look beyond domain accounts and understand the ways to attack local accounts on Windows servers and desktops.  For this post, we will focus on the most important local account: Administrator.  The Administrator account is built into every Windows operating system and provides full control over the system, including the ability to compromise domain accounts through pass-the-hash…

Read More Read More

How Attackers are Stealing Your Credentials with Mimikatz

How Attackers are Stealing Your Credentials with Mimikatz

Stealing Credentials with Mimikatz Mimikatz is an open-source tool built to gather and exploit Windows credentials. Since its introduction in 2011 by author Benjamin Delpy, the attacks that Mimikatz is capable of have continued to grow. Also, the ways in which Mimikatz can be packaged and deployed have become even more creative and difficult to detect by security professionals. This has led to Mimikatz recently being tied to some of the most prevalent cyber attacks such as the Petya ransomware….

Read More Read More

Start a Free StealthAUDIT® Trial!

No risk. No obligation.