ATA ALERT- Kerberos Golden Ticket attack

  • Question

  • Team,

    We had an alert on Win SERVER for Kerberos golden ticket activity, which says ticket usage was over a period of 13 hours, which exceeded the allowed maximum of 10 hours.

    Need help to evaluate this alert.

    1. Checked with the AD team; they confirmed no change in Group Policy has been made.

    Now, where else do we need to check next to investigate this alert?

    Wednesday, May 23, 2018 9:47 AM

All replies

  • Hello Rahul,

    Based on the Suspicious activity guide, you can take the following actions for investigation and remediation.

    Best regards,

    Andy Liu


    Thursday, May 24, 2018 2:51 AM
  • Hi Andy,

    As I mentioned above, we have already cross-checked with the Active Directory team that NO group policy has been changed.

    Now, where else do we need to check next to investigate this alert?

    We need to understand what else could have triggered this alert?


    Sunday, May 27, 2018 5:47 PM
  • Hi All,

    Any update here on how to handle these types of alerts? I have already followed the above-mentioned steps, but no help.

    Regards,

    Rahul

    Thursday, May 31, 2018 10:50 AM
  • Any update??????
    Friday, June 1, 2018 10:27 AM