Detections
Analytics
Last Password Change on KRBTGT account
high
Language:
Description
Each Active Directory domain has a crucial account called KRBTGT that safeguards the master secret for all other secrets in the domain, making it vital to protect this account at any expense to avoid attacks such as "Golden Ticket".
Solution
Microsoft fully supports the special operation of changing the KRBTGT account password.
See Also
KRBTGT Account Password Reset Scripts now available for customers
Kerberos & KRBTGT: Active Directory's Domain Kerberos Service Account
Reset the krbtgt account password/keys
Obtaining Domain Admin from Azure AD by abusing Cloud Kerberos Trust
Indicator Details
Name: Last Password Change on KRBTGT account
Codename: C-KRBTGT-PASSWORD
Severity: High
Type: Active Directory Indicator of Exposure
- Tactic: TA0004 - Privilege Escalation
- Techniques: T1078 - Valid Accounts
- Tactic: TA0003 - Persistence
Attacker Known Tools
Gentil Kiwi: mimikatz