# Bio

- Security Researcher/Tester (Harris Corp)
- Former Army Red Team Operator
- One of the developers of PowerSploit
- Twitter: @obscuresec
- Blog: www.obscuresec.com

-----

# Say hello to krbtgt

-----

# He’s been here since the beginning

-----

# The Early Years: 2001-2004

-----

# Growing Pains: 2005-2008

-----

# Maturity Realized: 2009-2012

-----

# Meme Count: 1

-----

# Skeletons in the Closet: 2013-2014

-----

# Meme Count: 2

#### http://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos

-----

# How old is your krbtgt hash?

-----

# Know where your krbtgt hash is?

-----

# The point is…

## If your enterprise has ever been compromised, it may still be compromised – even if you changed every password.

-----

# We scan so we are secure

-----

# Good luck with that

-----

# Meme Count: 3

-----

# “Spoofed PAC” Attack

-----

# “Golden Ticket” Attack

#### https://twitter.com/gentilkiwi/status/415147415474167808

-----

# Demo Time

-----

# Mitigation

- Don’t get owned again
- Use RODC where appropriate
- Upgrade functional level
- Reset the krbtgt account password on the PDC emulator TWICE

-----

# Detection

- Needle in a haystack
- Harder to detect than PtH
- Look for strange account activity
  - Low privileged account performing privileged actions

-----

# Thanks

- Skip Duckwall
- Benjamin Delpy
- Joe Bialek
- Will Peteroy
- Carlos Spicyweiner
- Matt Graeber
- Many others…

-----

# Questions?

-----
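Added example, not part of the original slides: a read-only PowerShell audit for the "How old is your krbtgt hash?" question and the Mitigation slide, listing each domain's krbtgt accounts (including the `krbtgt_*` accounts that belong to RODCs) with password age, PDC emulator and functional level. It assumes the ActiveDirectory RSAT module is installed; the function name `Get-KrbtgtAudit` and the 180-day review threshold are illustrative choices, not values from the talk.

```powershell
# Added example: audit krbtgt key age for every domain in the forest.
# Requires the ActiveDirectory module (RSAT). Read-only: it changes nothing.
Import-Module ActiveDirectory

function Get-KrbtgtAudit {
    param(
        # Assumed review threshold in days; pick one that matches local policy.
        [int]$MaxAgeDays = 180
    )

    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $pdc    = $domain.PDCEmulator   # the DC the slides say to reset against

        # krbtgt itself plus any krbtgt_NNNNN accounts, which belong to RODCs
        $accounts = Get-ADUser -Server $pdc `
            -Filter 'SamAccountName -like "krbtgt*"' `
            -Properties PasswordLastSet, 'msDS-KeyVersionNumber'

        foreach ($acct in $accounts) {
            # PasswordLastSet can be empty; treat that as "needs review"
            $age = if ($acct.PasswordLastSet) {
                [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
            } else { $null }

            [pscustomobject]@{
                Domain          = $domain.DNSRoot
                DomainMode      = $domain.DomainMode   # functional level
                PDCEmulator     = $pdc
                Account         = $acct.SamAccountName
                PasswordLastSet = $acct.PasswordLastSet
                AgeDays         = $age
                # Key version number goes up by one per password change,
                # so a completed double reset shows as +2.
                KeyVersion      = $acct.'msDS-KeyVersionNumber'
                NeedsReview     = ($null -eq $age) -or ($age -gt $MaxAgeDays)
            }
        }
    }
}

Get-KrbtgtAudit -MaxAgeDays 180 |
    Sort-Object AgeDays -Descending |
    Format-Table -AutoSize
```

A `PasswordLastSet` that predates a known compromise means the krbtgt key that was in use during that compromise is still valid.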