Tuesday, May 17, 2022

Detecting PetitPotam and other Domain Controller Account Takeovers

When you steal the certificate of a DC, you still need to use it to obtain a TGT. With that TGT it is then possible to obtain the NT hash of a service account, including the DC computer account. Therefore, the attack makes it possible to take over the whole domain.

What happens when you request a TGT with the DC certificate you stole?

When you request a TGT, you provide your IP address to the DC. Since you are using the DC account from a machine that is not the DC, the TGT request event (Event ID 4768) will loo…
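As an added example (not code from the original post), the check described above run over a few constructed Event ID 4768 records: a TGT request for a DC computer account is flagged when the client IP address in the event is not one of that DC's own addresses. The DC inventory, the event field subset and the sample records are all assumptions constructed for the example.

```python
import ipaddress

# Assumption: inventory of DC computer accounts and the addresses they legitimately
# request TGTs from. Loopback is included because a DC requesting its own TGT locally
# logs the loopback address rather than its NIC address (assumption).
LOOPBACK = {"::1", "127.0.0.1"}
DC_INVENTORY = {
    "DC01$": {"10.0.0.10"} | LOOPBACK,
    "DC02$": {"10.0.0.11"} | LOOPBACK,
}

# Constructed sample 4768 events (not real logs); only the fields the check needs.
SAMPLE_4768_EVENTS = [
    {"TargetUserName": "DC01$", "IpAddress": "::ffff:10.0.0.10", "Status": "0x0"},
    {"TargetUserName": "DC01$", "IpAddress": "::ffff:10.0.0.57", "Status": "0x0"},
    {"TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.57", "Status": "0x0"},
    {"TargetUserName": "DC02$", "IpAddress": "::1", "Status": "0x0"},
    {"TargetUserName": "dc02$", "IpAddress": "::ffff:192.168.5.4", "Status": "0x6"},
]


def normalize_ip(raw):
    """4768 records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); return plain text."""
    addr = ipaddress.ip_address(raw)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        return str(addr.ipv4_mapped)
    return str(addr)


def is_suspicious_dc_tgt(event, inventory=DC_INVENTORY):
    """True when a DC computer account requested a TGT from an address that is not the DC's."""
    name = event["TargetUserName"].upper()  # account names in the log are case-insensitive
    if name not in inventory:
        return False  # not a DC account: outside the scope of this check
    # Failed requests (Status != 0x0) are still flagged: the wrong source is the signal.
    return normalize_ip(event["IpAddress"]) not in inventory[name]


def find_dc_account_takeovers(events, inventory=DC_INVENTORY):
    """Return the 4768 events that indicate a DC account used from a non-DC machine."""
    return [e for e in events if is_suspicious_dc_tgt(e, inventory)]


if __name__ == "__main__":
    for hit in find_dc_account_takeovers(SAMPLE_4768_EVENTS):
        print("ALERT: %s requested a TGT from %s (status %s)"
              % (hit["TargetUserName"], normalize_ip(hit["IpAddress"]), hit["Status"]))
```

Against the sample records this reports DC01$ from 10.0.0.57 and dc02$ from 192.168.5.4; the inventory must be kept current for every DC or the check produces false alerts.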

