Watching the Watchdog - Protecting Kerberos Authentication With Network Monitoring

Explore advanced techniques for safeguarding Kerberos authentication through network monitoring in this Black Hat conference talk. Delve into the vulnerabilities of the Kerberos protocol, a prime target for APT attackers in Windows-based networks. Examine recent attacks like Golden Ticket, Forged PAC, and Skeleton Key, and learn novel defensive strategies to detect and counter these threats. Discover the "Diamond PAC" attack variant and its evasion techniques. Gain insights into AES vs. RC4 key derivation, TGT integrity, and PAC (Privilege Attribute Certificate) exploitation. Learn about the free "Kerberos Leash" tool, designed to implement cutting-edge detection techniques for enhanced network security.

Watching the Watchdog Protecting Kerberos
Why do Attackers Target Kerberos?
Kerberos: Stealing
The attack campaign • Attackers installed a malware on DC to authenticate as any user by using a secret password
AES vs. RC4: Key Derivation
Attacker + RC4
The Skeleton Key Malware: Kerberos
Skeleton Key Malware Detection
PAC (Privilege Attribute Certificate)
TGT Integrity
Let's Play Spot the Difference
Golden Ticket in the Wild
Diamond PAC exploit
Questions?