Kerberos Primer and Cyber Attacks
Kerberos is a network authentication protocol inspired by the greek work for a a three heaed dog Cerberus. Couple of key points to remember about the protocol
#Pass the ticket:
Ways to investigate Pass the ticket Attack
In overpass-the-hash, the attacker will try to capture NTLM hash for the account it wishes to compromise using tools like Mimikatz etc.
Using this command in mimikatz:
Sekurlsa::pth /user:[USER] /domain:[DOMAIN] /ntlm:[NTLM HASH]
The NTML hash was passed into Kerberos authentication provider using RC4 Encryption
The focus of this attack is to compromise a service account. It request a ticket for a highly privileged service account. Capture the hash for it and crack it offline.
This is generated with a Ticket Granting Ticket for any account with my expiration is generated.
Majority of the Active Directory based attacks can be detected by implementing Microsoft Advanced Threat Analytics.