Publication

Exploring Windows Domain-Level Defenses Against Authentication Attacks...

by Jeffrey A Nichols, Benjamin A Taylor, Laura Curtis
Publication Type: Conference Paper
Conference Name: Cyber and Information Security Research Workshop 2016
Conference Location: Oak Ridge, Tennessee, United States of America
Conference Sponsor: Oak Ridge National Lab

We investigated the security resilience of current Windows Active Directory (AD) environments to Pass-the-Hash and Pass-the-Ticket credential theft attacks. While doing this, we discovered a way to trigger the removal of all previously issued authentication credentials for a client, thus preventing their use by attackers. Once this is triggered, the user is forced to contact the domain administrators and to authenticate to the AD to continue. This could become the basis for a response that arrests the spread of a detected attack. Operating in a virtualized XenServer environment, we were able to carefully determine and recreate the conditions necessary to cause this response.