Kerberos Pass-the-Ticket Attack (AD Lab) | Detection in Microsoft Sentinel | REAL SOC Cyber Range
Author: Anthony Okeke - Cyber Range Labs
Uploaded: 2026-03-02
Views: 41
Description:
In this episode, I simulate a real Kerberos Pass-the-Ticket attack inside an Active Directory lab and then switch roles to the SOC to validate detection in Microsoft Sentinel.
This is not just an attack demo.
This walkthrough shows the full lifecycle:
• Destroying existing tickets using kdestroy
• Generating and exporting a forged Kerberos ticket
• Verifying tickets with klist
• Executing a successful Pass-the-Ticket attack
• Validating identity using whoami
• Switching to the SOC perspective
• Detecting activity using Event ID 4768 (TGT)
• Detecting activity using Event ID 4769 (TGS)
• Writing and running Sentinel queries for detection validation
The goal is not exploitation.
The goal is detection engineering and telemetry validation.
This is how mature security teams test visibility, correlate events, and reduce blind spots.
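The 4768/4769 correlation the SOC half of the video validates, written as a Sentinel KQL query. This is an added example, not a query from the video or the lab; it assumes Windows Security events from every DC land in the SecurityEvent table and that the domain's TGT lifetime is the default 10 hours.

```kql
// Flag Kerberos service-ticket requests (4769) with no preceding TGT request (4768)
// from the same account and source IP. A ticket injected into a session is used
// without the KDC ever issuing a TGT to that host, so its 4769s look "orphaned".
// Assumes: SecurityEvent fed by all DCs; 10h TGT lifetime (tune to domain policy).
let lookback = 10h;
let tgt = SecurityEvent
    | where TimeGenerated > ago(2d)
    | where EventID == 4768 and Status == "0x0"        // successfully issued TGTs only
    | extend Acct = tolower(TargetUserName)           // 4768 logs the bare account name
    | project TgtTime = TimeGenerated, Acct, IpAddress;
SecurityEvent
| where TimeGenerated > ago(1d)
| where EventID == 4769 and Status == "0x0"           // successfully issued service tickets
| where TargetUserName !endswith "$"                  // skip machine accounts (noise)
| extend Acct = tolower(tostring(split(TargetUserName, "@")[0]))   // 4769 logs user@REALM
| project TgsTime = TimeGenerated, Computer, Acct, IpAddress, ServiceName, TicketEncryptionType
| join kind=leftouter tgt on Acct, IpAddress
| extend TgtInWindow = isnotempty(TgtTime) and TgtTime between ((TgsTime - lookback) .. TgsTime)
| summarize TgtMatches = countif(TgtInWindow), TicketEncryptionType = take_any(TicketEncryptionType)
    by TgsTime, Computer, Acct, IpAddress, ServiceName
| where TgtMatches == 0                               // no TGT for this account+IP in the window
// RC4 (0x17) service tickets are worth a second look: modern clients negotiate AES,
// while exported or forged tickets are frequently RC4.
| extend Note = iff(TicketEncryptionType == "0x17", "RC4 ticket encryption", "")
| order by TgsTime desc
```

Hosts whose TGT was issued before the lookback start, DCs missing from the collection scope, and sessions running past the TGT lifetime all produce hits too, so treat results as leads to correlate against the 4768 timeline rather than as stand-alone alerts.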
🧠 Lab Stack:
Active Directory
Windows Domain Controller
Attacker Machine
Microsoft Sentinel (SIEM)
Kerberos authentication workflow
📌 This series focuses on:
Red Team simulation
Blue Team detection
SOC engineering
Active Directory attack & defense
Real-world security validation
Timestamps:
00:00 Introduction
02:15 Kerberos & Pass-the-Ticket Overview
06:40 Destroying Existing Tickets (kdestroy)
09:20 Generating & Exporting Ticket
14:00 Verifying with klist
17:30 Executing Pass-the-Ticket
22:10 Validating Access
25:30 Switching to SOC View
27:00 Sentinel Detection – Event ID 4768
29:30 Sentinel Detection – Event ID 4769
32:00 Detection Engineering Breakdown
If you're preparing for SOC roles, Blue Team engineering, or detection validation work, this lab series is built for you.
Subscribe for the full AD Attack & Detection series.
#cybersecurity #sentinel #sentinels #activedirectory #azure #cyberrange #ntlm #pass