Microsoft Defender for Identity Alert Details
Alert ID: MDI-KERBEROS-1558-7842
Alert Time: 2024-02-21 09:30:22 EST
Severity: CRITICAL (98/100)
Source: Microsoft Defender for Identity
Rule: “Suspected Golden Ticket Attack – Anomalous Kerberos Ticket”
MITRE ATT&CK: T1558.001 – Steal or Forge Kerberos Tickets: Golden Ticket
Alert Details:
Detection: Kerberos ticket with anomalous characteristics detected
Domain Controller: DC-01
Time: 09:25 EST
Ticket Details:
User: krbtgt (KRBTGT account – used for ticket granting)
Ticket Type: TGT (Ticket Granting Ticket)
Encryption Type: RC4 (older, vulnerable encryption)
Ticket Duration: 10 years (normal is 10 hours)
Ticket Issued By: DC-01 (legitimate)
Ticket Used By: Attacker workstation (192.168.45.78)
Suspicious Activity:
09:20 – TGT issued for krbtgt account (unusual – krbtgt never normally requests tickets)
09:21 – TGT used to request service tickets for multiple resources:
CIFS/DC-01 (file access)
HOST/DC-01 (remote management)
RPCSS/DC-01 (RPC services)
LDAP/DC-01 (directory access)
MSSQLSvc/SQL-SRV-01 (database access)
09:22 – Service tickets used to access resources
09:23 – Multiple privileged actions performed:
Added user to Domain Admins group
Created scheduled task on DC-01
Dumped NTDS.dit (domain database)
Detection Logic:
krbtgt ticket never requested by users (only by domain controllers)
RC4 encryption for krbtgt ticket is anomalous (modern environments use AES)
10-year ticket lifetime is impossible under normal circumstances
Pattern matches Golden Ticket attack (forged krbtgt ticket)
Additional Context:
Attacker had previously compromised domain admin credentials
Used to create Golden Ticket with 10-year validity
Ticket grants attacker ANY access to ANY resource in domain
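The four conditions under "Detection Logic" can be expressed as a small triage routine. The block below is an added example, not MDI's own detection code and not part of the original alert: it scores constructed Kerberos ticket records against those conditions (krbtgt named as a ticket client, RC4 on a krbtgt ticket, a lifetime the KDC could not have issued, and two or more hits taken together as the forged-krbtgt pattern) and separately flags the burst of service-ticket requests for distinct SPNs from one client that the 09:21 entry describes. Field names, the 10-hour policy value, the 2-minute window and the sample records are all assumptions made for the illustration.

```python
# Added example: not MDI's detection code, and not part of the original report.
# It scores Kerberos ticket records against the four conditions listed under
# "Detection Logic" and flags the service-ticket burst described at 09:21.
# All field names, policy values and sample records below are constructed.
from datetime import datetime, timedelta

# Kerberos encryption-type numbers (RFC 3961 / MS-KILE)
RC4_HMAC = 0x17
AES256_CTS = 0x12

# Assumed KDC policy: the report states a normal TGT lifetime of 10 hours
MAX_TGT_LIFETIME = timedelta(hours=10)


def evaluate_ticket(ticket, max_lifetime=MAX_TGT_LIFETIME):
    """Return the anomaly reasons for one ticket record (empty list if benign)."""
    reasons = []
    is_krbtgt = ticket["client_name"].lower() == "krbtgt"

    # Condition 1: krbtgt is never a ticket client; a TGT naming it did not come
    # from a normal logon
    if ticket["ticket_type"] == "TGT" and is_krbtgt:
        reasons.append("tgt_for_krbtgt")

    # Condition 2: RC4 on a krbtgt ticket in an AES-only domain is anomalous
    if is_krbtgt and ticket["etype"] == RC4_HMAC:
        reasons.append("rc4_krbtgt_ticket")

    # Condition 3: the KDC cannot issue a ticket longer than policy allows, so an
    # over-long lifetime shows the ticket was not issued by the KDC
    lifetime = ticket["end_time"] - ticket["start_time"]
    if lifetime > max_lifetime:
        reasons.append(f"lifetime_exceeds_policy:{lifetime.days}d")

    return reasons


def classify(ticket):
    """Condition 4: two or more hits match the forged-krbtgt (Golden Ticket) pattern."""
    reasons = evaluate_ticket(ticket)
    if len(reasons) >= 2:
        return "critical", reasons
    return ("medium" if reasons else "none"), reasons


def service_ticket_bursts(events, window=timedelta(minutes=2), threshold=4):
    """Find clients that requested >= threshold distinct SPNs inside one window.

    Returns {client_ip: sorted SPN list} for each client that bursts."""
    by_client = {}
    for ev in events:
        by_client.setdefault(ev["client_ip"], []).append(ev)
    bursts = {}
    for ip, evs in by_client.items():
        evs.sort(key=lambda e: e["time"])
        for i, first in enumerate(evs):
            spns = {e["spn"] for e in evs[i:] if e["time"] - first["time"] <= window}
            if len(spns) >= threshold:
                bursts[ip] = sorted(spns)
                break
    return bursts


# Constructed sample records: one ordinary user TGT, the forged krbtgt TGT from the
# alert, and a legacy RC4 user TGT that should NOT trip the krbtgt-specific rules
T0 = datetime(2024, 2, 21, 9, 20)
SAMPLE_TICKETS = [
    {"client_name": "jdoe", "ticket_type": "TGT", "etype": AES256_CTS,
     "start_time": T0, "end_time": T0 + timedelta(hours=10)},
    {"client_name": "krbtgt", "ticket_type": "TGT", "etype": RC4_HMAC,
     "start_time": T0, "end_time": T0.replace(year=T0.year + 10)},
    {"client_name": "legacyapp", "ticket_type": "TGT", "etype": RC4_HMAC,
     "start_time": T0, "end_time": T0 + timedelta(hours=10)},
]

# Constructed TGS-REQ log: the 09:21 burst from 192.168.45.78 plus normal activity
T1 = datetime(2024, 2, 21, 9, 21)
SAMPLE_TGS_EVENTS = [
    {"time": T1 + timedelta(seconds=s), "client_ip": "192.168.45.78", "spn": spn}
    for s, spn in enumerate(["CIFS/DC-01", "HOST/DC-01", "RPCSS/DC-01",
                             "LDAP/DC-01", "MSSQLSvc/SQL-SRV-01"])
] + [
    {"time": T1, "client_ip": "10.0.0.5", "spn": "CIFS/FS-01"},
    {"time": T1 + timedelta(minutes=30), "client_ip": "10.0.0.5", "spn": "HOST/FS-01"},
]

if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print(t["client_name"], *classify(t))
    print(service_ticket_bursts(SAMPLE_TGS_EVENTS))
```

The legacy RC4 user ticket is included on purpose: the RC4 condition on the page is specific to krbtgt, so an ordinary RC4 TGT scores nothing here, while the forged ticket trips all three checks and is classified critical. In a real deployment the lifetime threshold would be read from the domain's Kerberos policy rather than hard-coded, and the burst window tuned against baseline TGS-REQ rates.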
SOC Investigation Process
Step 1. Alert Validation
Action: Verify MDI alert
Tools Used: Microsoft Defender for Identity
Findings: Confirmed Golden Ticket attack indicators
Step 2. Immediate Action
Action: Reset krbtgt password twice
Tools Used: PowerShell (Reset-DomainControllerPassword)
Findings: krbtgt password reset (invalidates all tickets)
Step 3. Domain Controller Isolation
Action: Isolate DC-01
Tools Used: CrowdStrike, Network ACLs
Findings: DC-01 quarantined
Step 4. Ticket Revocation
Action: Force all tickets to be reissued
Tools Used: Group Policy, Reboots
Findings: All domain-joined machines rebooted
Step 5. Attacker Hunting
Action: Find source of ticket usage
Tools Used: MDI, Splunk
Findings: Attacker IP identified (192.168.45.78 – compromised engineering host)
Step 6. Host Remediation
Action: Isolate and clean attacker host
Tools Used: CrowdStrike
Findings: Engineering host isolated and cleaned
Jira Incident Report
Ticket: SOC-2024-106
Summary: T1558 – Golden Ticket Attack Compromises Domain
Status: RESOLVED
Resolution: MALICIOUS – krbtgt Reset, Domain Secured
Priority: P1 – CRITICAL
Labels: T1558, golden-ticket, kerberos, krbtgt, mdi, domain-compromise
Components: Identity-Management, Domain-Security
INCIDENT ANALYSIS REPORT
1. Initial Context:
Detection Source: Microsoft Defender for Identity.
Alert: “Suspected Golden Ticket Attack – Anomalous Kerberos Ticket”.
Target: Domain Controller DC-01, krbtgt account.
Time: 2024-02-21 09:30 EST.
Technique: MITRE ATT&CK T1558.001 – Steal or Forge Kerberos Tickets: Golden Ticket.
2. Technical Analysis:
Attack Chain:
02-20 14:00 – Attacker compromises domain admin account via phishing
02-20 14:30 – Attacker dumps NTDS.dit (domain database)
02-20 14:35 – Attacker extracts krbtgt hash from NTDS.dit
02-20 15:00 – Attacker uses Mimikatz to forge Golden Ticket
02-21 09:20 – Attacker uses Golden Ticket to access DC-01
02-21 09:21 – Requests service tickets for multiple resources
02-21 09:22 – Adds user to Domain Admins, creates scheduled task
02-21 09:23 – Dumps NTDS.dit again (exfiltrated)
02-21 09:25 – MDI detects anomalous ticket
Golden Ticket Details:
User: krbtgt (forged)
Encryption: RC4 (using stolen hash)
Lifetime: 10 years (bypasses normal expiration)
Privileges: Domain Admin equivalent (can access anything)
Attacker Actions with Golden Ticket:
Added user “tempadmin” to Domain Admins group
Created scheduled task “WindowsUpdate” on DC-01 (persistence)
Dumped NTDS.dit (all domain user hashes)
Accessed multiple file servers (no data exfiltration yet)
Impact:
Full domain compromise
All user hashes potentially compromised
Attacker had persistent access via Golden Ticket
3. Investigation Findings:
Timeline:
02-20 14:00 – Initial admin compromise
02-20 14:30 – krbtgt hash stolen
02-21 09:20 – Golden Ticket used
02-21 09:25 – MDI alert
02-21 09:30 – SOC investigates
02-21 09:35 – krbtgt password reset initiated
02-21 09:40 – DC-01 isolated
02-21 10:00 – All domain machines rebooted
Indicators of Compromise (IoCs):
Network:
– Attacker source IP: 192.168.45.78 (engineering host)
Tickets:
– RC4-encrypted krbtgt ticket with 10-year lifetime
Accounts:
– tempadmin (unauthorized Domain Admin)
Scheduled Tasks:
– WindowsUpdate on DC-01
4. Containment Actions:
Immediate Actions:
Reset krbtgt password twice (standard procedure for Golden Ticket).
Isolated DC-01 from network.
Disabled tempadmin account.
Removed scheduled task from DC-01.
Forced all domain machines to reboot (clear ticket cache).
Host Remediation:
Isolated engineering host (192.168.45.78).
Full forensic analysis (found Mimikatz).
Reimaged engineering host.
Domain-Wide Actions:
All user passwords reset (as a precaution).
All service account passwords reset.
All domain admin passwords reset.
5. Root Cause Analysis:
Primary Cause: Domain admin account compromised via phishing.
Contributing Factors:
No MFA on admin accounts.
krbtgt hash allowed RC4 encryption (legacy).
No monitoring for anomalous Kerberos tickets.
6. Business Impact:
Operational Impact: Domain-wide password resets, reboots, 4 hours of disruption.
Security Impact: Full domain compromise; all user hashes potentially exfiltrated.
Financial Impact: Significant (password resets, incident response, potential breach notification).
7. Remediation & Prevention:
Completed Actions:
krbtgt password reset (twice).
All user passwords reset.
All admin accounts secured with MFA.
Attacker hosts cleaned.
Technical Controls Enhanced:
Disabled RC4 encryption for Kerberos (AES only).
Enabled MDI monitoring for anomalous tickets.
Implemented JIT (Just-In-Time) access for admins.
Deployed Credential Guard on all domain-joined machines.
8. Conclusion:
An attacker compromised a domain admin, extracted the krbtgt hash, and forged a Golden Ticket granting 10 years of domain access. MDI detected the anomalous ticket within minutes, enabling krbtgt reset and containment. All user passwords were reset as a precaution.
Closure Rationale: krbtgt reset; domain secured; all passwords rotated.
Analyst: [Walter White], SOC Analyst
Date: 2024-02-21 11:30 EST