3 Modern Active Directory Attack Scenarios and How to Detect Them

Presented by

Randy Franklin Smith (CEO, Monterey Technology Group, Inc.) and Jeff Warren (SVP, Products)

About this talk

The threat landscape is ever-changing. In this deeply technical webinar, Microsoft MVP Randy Franklin Smith and STEALTHbits SVP Jeff Warren show you three modern Active Directory attacks and what you can do to detect them.

Extracting passwords through the Active Directory database (NTDS.dit): With so much attention paid to detecting credential-based attacks such as Pass-the-Hash (PtH) and Pass-the-Ticket (PtT), other serious attacks, like those focused on exfiltrating the NTDS.dit file from Active Directory Domain Controllers, are often overlooked. We'll show you what this threat entails, how it can be performed, and then review some mitigating controls to ensure you are protected.

Kerberoasting: Kerberoasting takes advantage of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs) to enable attackers to crack passwords for those SPN-based service accounts. We'll explain what SPNs are, review Kerberos fundamentals, and take you through prevention and detection techniques, including setting up a honey pot SPN and then monitoring the Windows Security Log for event IDs 4768/4771 for that account.

DCSync: We've all heard of using Mimikatz for pass-the-hash, but one of its most useful and scary capabilities is the DCSync command, where attackers imitate domain controllers and ask for user password data without running any code on a domain controller. Attackers can use DCSync to get any account's NTLM hash, including the KRBTGT account, which enables them to create Golden Tickets. We'll show you how to detect this kind of attack with event ID 4662 and other methods.
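The two detections the abstract names (honey-pot SPN activity in 4768/4771, and DCSync via 4662) can be checked from a domain controller's Security log with a short PowerShell script. The following is an added example written for this page; it is not code from the webinar, from STEALTHbits or from Netwrix. Its assumptions: the honey-pot SPN account is called svc-honeypot (a hypothetical name, change it to your decoy), the script runs on a domain controller with rights to read the Security log, "Audit Kerberos Authentication Service", "Audit Kerberos Service Ticket Operations" and "Audit Directory Service Access" are enabled, and the three replication control-access-right GUIDs are the well-known Active Directory values for DS-Replication-Get-Changes, DS-Replication-Get-Changes-All and DS-Replication-Get-Changes-In-Filtered-Set. Beyond the page's 4768/4771, the script also reads 4769 (service ticket requested), because that event's ServiceName field is where a request for the decoy SPN itself shows up.

```powershell
# Added example (not from the webinar): check a DC's Security log for
# (1) Kerberos activity that names the honey-pot SPN account and
# (2) directory-service access events (4662) that exercise replication rights.
param(
    [string]$HoneypotAccount = 'svc-honeypot',   # hypothetical decoy account name
    [int]$MaxEvents = 5000                       # cap per query; 4662 is a high-volume event
)

# Well-known AD control-access-right GUIDs used by a replication (DCSync-style) request
$ReplicationGuids = @(
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2',  # DS-Replication-Get-Changes-All
    '89e95b76-444d-4c62-991a-0facbeda640c'   # DS-Replication-Get-Changes-In-Filtered-Set
)

# Pull one named <Data> field out of an event's EventData XML
function Get-EventDataField {
    param(
        [System.Diagnostics.Eventing.Reader.EventRecord]$Event,
        [string]$Name
    )
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Kerberoasting honey pot.
#    4768 = TGT requested, 4771 = pre-authentication failed (named in the abstract);
#    4769 = service ticket requested, added because ServiceName there is the SPN account.
$kerbEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769, 4771 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
foreach ($e in $kerbEvents) {
    $target  = Get-EventDataField -Event $e -Name 'TargetUserName'
    $service = Get-EventDataField -Event $e -Name 'ServiceName'
    if ($target -like "$HoneypotAccount*" -or $service -like "$HoneypotAccount*") {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Alert   = 'Honey-pot SPN account touched'
            Account = $target
            Service = $service
            Client  = Get-EventDataField -Event $e -Name 'IpAddress'
            EncType = Get-EventDataField -Event $e -Name 'TicketEncryptionType'
        }
    }
}

# 2. DCSync.
#    Flag 4662 events whose Properties list a replication right and whose subject is
#    not a computer account (domain controllers replicate as <name>$; anything else is suspect).
$dsEvents = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4662 } `
    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
foreach ($e in $dsEvents) {
    $props   = Get-EventDataField -Event $e -Name 'Properties'
    $subject = Get-EventDataField -Event $e -Name 'SubjectUserName'
    $matched = $ReplicationGuids | Where-Object { $props -match $_ }
    if ($matched -and $subject -notlike '*$') {
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            Alert   = 'Replication right used by non-DC principal'
            Account = $subject
            Rights  = ($matched -join ',')
            Object  = Get-EventDataField -Event $e -Name 'ObjectName'
        }
    }
}
```

Run it in an elevated PowerShell session on a domain controller; each alert is emitted as an object, so it can be piped to Export-Csv or into whatever forwards to the SIEM. The 4662 check only fires if the domain object's SACL audits the replication rights, and legitimate replication partners appear with a computer-account subject, which is why the filter drops names ending in "$" rather than the GUIDs themselves.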
Netwrix empowers security professionals to face digital threats with confidence by enabling them to identify and protect sensitive data as well as to detect, respond to, and recover from attacks. More than 13,500 organizations across 100+ countries rely on Netwrix solutions to strengthen their security and compliance posture across all three primary attack vectors: data, identity, and infrastructure. By reducing the cybersecurity burden with Netwrix, organizations concentrate on advancing their cause while reducing cyber risk. For more information, visit www.netwrix.com.