TrickBot Steals AD Credentials – Expert Comments

A compromise of NTDS.dit is one of the worst things that can happen to an organization. Not only does it expose the hashes for user credentials that may be brute forced, it also exposes the hash for the KRBTGT account, which is the root of all authentication trust in Active Directory, enabling an attacker to create a "golden ticket." A golden ticket allows an attacker to forge authentication and authorization information, granting them hard-to-detect and unlimited access to the network. That TrickBot's creators and contributors are finding this effort worthwhile suggests that we still have lots to do to improve Active Directory privilege security. Whether a breach begins at a workstation or server, denying the attacker or malware's ability to escalate privileges to the domain controller is essential. Organizations should look to solutions that help them deploy strong identity boundaries and eliminate the "always on" standing privilege abused by adversaries -- whether they be human or malware.  Read Less