🛡️Mitigations

Kerberoast

Service Account Passwords should be hard to guess (greater than 35 characters)
Use Group Managed Service Accounts which automatic changes the password periodically

Golden Ticket

Change the password of the krbtgt account twice as password history is maintained for the account.

Skeleton Keys

Running lsass.exe as a protected process is really handy as it forces an attacker to load a kernel mode driver.
Make sure that you test it thoroughly as many drivers and plugins may not load with the protection.

DSRM

Regularly change DSRM passwords on all Domain Controllers that run DSRM. Ensuring the passwords are different across controllers.
Monitor for the registry key DsrmAdminLogonBehaviour in HKLM:\System\CurrentControlSet\Control\Lsa\ being set to the value of 1 or 2.

Custom SSP

Monitor for changes of the registry HKLM:\System\CurrentControlSet\Control\Lsa\SecurityPackages

MITRE ATT&CK

MITRE ATT&CK® is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations including mitigations.

https://attack.mitre.org/

Last updated 10 months ago