Suspected identity theft (pass-the-ticket) on multiple endpoints krbtgt
User Kerb tkt was taken from the DirectAccess Always On VPN server, which has a local NPS, then used on the user computer to access multiple resources. Expected behavior observed. What conditions should I use to suppress this alert?
Related account: krbtgt
Suspect account: domain user
Hosts related: DC, DirectAccess server with local NPS
Source host: domain user machine
I can use the above SID and exclude it, but I’m hesitant, as TP alerts may automatically close. I’ve several alerts like these daily.