2/ In our AD assessments or IR cases, we repeatedly see that service accounts are highly privileged, often also part of the domain administrators group.
This can be disastrous, especially with a weak password for the service account:
This can be disastrous, especially with a weak password for the service account:
https://twitter.com/malmoeb/status/1553006183484727298
3/ @Synacktiv took a closer look at the detection capabilities of Defender for Identity, including whether and how Kerberoasting could be detected. [1]
4/ Interestingly, the researchers found that a time-delay between the LDAP query to find accounts with an SPN and the request for the service ticket is enough to bypass the detection.
Whether this detection has been adjusted or revised in the meantime, I can't say.
Whether this detection has been adjusted or revised in the meantime, I can't say.
"DFI includes logic to detect Kerberoasting activity in your environment. By taking signals from your domain controllers, Defender for Identity can help detect users enumerating your domain looking for Kerberoast-able accounts or attempts to actively exploit those accounts." [2]
6/ A recommendation for already relatively well-secured networks is to implement Honey-SPNs.
These service accounts are never used, and an alert should be generated if a service ticket is requested for his honey-account.
These service accounts are never used, and an alert should be generated if a service ticket is requested for his honey-account.
7/ References:
[1] synacktiv.com/publications/aā¦
[2] techcommunity.microsoft.com/t5/microsoft-sā¦
[1] synacktiv.com/publications/aā¦
[2] techcommunity.microsoft.com/t5/microsoft-sā¦
ā¢ ā¢ ā¢
Missing some Tweet in this thread? You can try to
force a refresh
ć
