ATA Does Not Detect Golden Ticket Attacks

  • Question

  • ATA 1.9 will simply not detect Golden Ticket attempts, even though I have followed the ATA deployment guide 1.8 to the letter. I've waited 12 hours after creating the ticket to use it the second time, and everything, but still no alert. I have attempted this numerous times in varying methods but still NOTHING.

    Lightweight gateway is set up and is working perfectly. It correctly triggers things like PTH and Malicious Replication of Directory Services, but for the life of me I cannot get the Golden Ticket alert to trigger in ANY event, after trying a variety of different ways and scenarios.

    FYI I am running version 19.7312.32791

    Tuesday, August 6, 2019 4:46 PM

All replies

  • ATA detects several types of GT attacks, which one exactly did you try?

    Can you confirm there are no health alerts in the console at all?

    Tuesday, August 6, 2019 8:06 PM
  • Yes.

    I tried several different methods, including Meterpreter reverse shell kiwi golden ticket generation, and running mimikatz directly on the victim's system (exactly as mentioned in the ATA guide, with the parameters and everything), and both methods succeeded in my case -- the only problem was that ATA refused to detect them, even after waiting 12 hours to apply the ticket a second time as mentioned in the guide.

    I tried purging the tickets, rebooting and reapplying the forged tickets the second time, but still no success.

    Wednesday, August 7, 2019 12:59 PM
  • So you used the same ticket during a timespan which was > 12 hrs, yet it was not detected?

    What is the Kerberos lifetime policy of the domain that was attacked?

    Wednesday, August 7, 2019 9:03 PM
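The last reply asks about the domain's Kerberos lifetime policy because the time-anomaly form of Golden Ticket detection depends on it: a TGT that keeps being used after the domain's maximum ticket lifetime has elapsed cannot be a ticket the KDC issued (renewal produces a new ticket, it never extends the old one). The script below is an added illustration of that check, not ATA's code or anything posted in this thread. It runs over a constructed list of TGT uses; the 10-hour value is the Windows default for "Maximum lifetime for user ticket" and must be replaced by the attacked domain's GPO value, and the `ticket_id` field is a hypothetical stand-in for whatever identifies one TGT ciphertext on the wire.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Domain Kerberos policy. 10 hours is the Windows default for
# "Maximum lifetime for user ticket"; use the attacked domain's real GPO value.
MAX_TICKET_AGE = timedelta(hours=10)


@dataclass(frozen=True)
class TgtUse:
    """One observed use of a TGT in a TGS-REQ (constructed record, not ATA's schema)."""
    ticket_id: str      # hypothetical stand-in for the TGT ciphertext/hash
    user: str
    when: datetime


@dataclass(frozen=True)
class Anomaly:
    ticket_id: str
    user: str
    first_seen: datetime
    used_at: datetime
    observed_age: timedelta


def tgt_time_anomalies(events: List[TgtUse],
                       max_ticket_age: timedelta = MAX_TICKET_AGE) -> List[Anomaly]:
    """Flag each TGT that is still in use more than max_ticket_age after it was first seen.

    First-seen time is a lower bound on the ticket's true start time, so the
    observed age never overestimates the real age: anything flagged here really
    did outlive what the KDC would have granted. One alert per ticket.
    """
    first_seen: Dict[str, datetime] = {}
    alerted = set()
    alerts: List[Anomaly] = []
    for ev in sorted(events, key=lambda e: e.when):
        start = first_seen.setdefault(ev.ticket_id, ev.when)
        age = ev.when - start
        if age > max_ticket_age and ev.ticket_id not in alerted:
            alerted.add(ev.ticket_id)
            alerts.append(Anomaly(ev.ticket_id, ev.user, start, ev.when, age))
    return alerts


# Constructed sample: one legitimate ticket, one forged ticket reused after the
# policy lifetime, and one forged ticket reused too early to be distinguishable.
SAMPLE_EVENTS = [
    TgtUse("tgt-legit-01", "alice", datetime(2019, 8, 6, 8, 0)),
    TgtUse("tgt-legit-01", "alice", datetime(2019, 8, 6, 12, 30)),
    TgtUse("tgt-legit-01", "alice", datetime(2019, 8, 6, 17, 45)),   # 9h45m: within policy
    TgtUse("tgt-forged-01", "administrator", datetime(2019, 8, 6, 16, 46)),
    TgtUse("tgt-forged-01", "administrator", datetime(2019, 8, 7, 6, 0)),   # 13h14m later
    TgtUse("tgt-forged-02", "administrator", datetime(2019, 8, 6, 16, 46)),
    TgtUse("tgt-forged-02", "administrator", datetime(2019, 8, 6, 23, 50)),  # 7h04m: too soon
]


if __name__ == "__main__":
    for a in tgt_time_anomalies(SAMPLE_EVENTS):
        print(f"{a.ticket_id} ({a.user}) used {a.observed_age} after first seen "
              f"at {a.first_seen:%Y-%m-%d %H:%M}; exceeds policy {MAX_TICKET_AGE}")
```

The third ticket shows why the wait matters: a forged TGT reused inside the policy lifetime looks exactly like a valid one to this check, and a domain with a longer "Maximum lifetime for user ticket" than the default pushes the required wait out accordingly, which is the point of the question about the domain's policy.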