Kerberos Pass-the-Ticket Attack (AD Lab) | Detection in Microsoft Sentinel | REAL SOC Cyber Range

In this episode, I simulate a real Kerberos Pass-the-Ticket attack inside an Active Directory lab and then switch roles to the SOC to validate detection in Microsoft Sentinel.

This is not just an attack demo. This walkthrough shows the full lifecycle:

• Destroying existing tickets using kdestroy
• Generating and exporting a forged Kerberos ticket
• Verifying tickets with klist
• Executing a successful Pass-the-Ticket attack
• Validating identity using whoami
• Switching to the SOC perspective
• Detecting activity using Event ID 4768 (TGT)
• Detecting activity using Event ID 4769 (TGS)
• Writing and running Sentinel queries for detection validation

The goal is not exploitation. The goal is detection engineering and telemetry validation. This is how mature security teams test visibility, correlate events, and reduce blind spots.

🧠 Lab Stack:

• Active Directory
• Windows Domain Controller
• Attacker Machine
• Microsoft Sentinel (SIEM)
• Kerberos authentication workflow

📌 This series focuses on:

• Red Team simulation
• Blue Team detection
• SOC engineering
• Active Directory attack & defense
• Real-world security validation

Timestamps:

00:00 Introduction
02:15 Kerberos & Pass-the-Ticket Overview
06:40 Destroying Existing Tickets (kdestroy)
09:20 Generating & Exporting Ticket
14:00 Verifying with klist
17:30 Executing Pass-the-Ticket
22:10 Validating Access
25:30 Switching to SOC View
27:00 Sentinel Detection – Event ID 4768
29:30 Sentinel Detection – Event ID 4769
32:00 Detection Engineering Breakdown

If you're preparing for SOC roles, Blue Team engineering, or detection validation work, this lab series is built for you. Subscribe for the full AD Attack & Detection series.

#cybersecurity #sentinel #sentinels #activedirectory #azure #cyberrange #ntlm #pass