Recently I was forwarded an article regarding how a "Golden Ticket" could be created that basically gave Administrator credentials to the DC and other Domain Assets via a specially (maliciously) crafted "Golden Ticket" (see http://blog.cobaltstrike.com/2014/05/14/meterpreter-kiwi-extension-golden-ticket-howto/ for a reference).
My question is as follows:
If the user presents a "request" that is encrypted with a "Custom Crafted DC Ticket" that has a different Session/Lifespan than is "normally created by the DC", but is based off of a "legitimate" DC-Ticket with an equivalent authenticating hash, will the Domain Asset you are attempting to connect to, or the DC (if targeting it directly), re-verify the DC-Ticket with the DC (or KRBTGT), and does the DC have the ability to verify if the ticket is valid for that user/time frame?

In other words, if I set my Group Policy Security Settings for Kerberos Policy to: Enforce user logon restrictions = true, Maximum lifetime of service ticket = 540 minutes, Maximum lifetime of user ticket = 9 hours, Maximum lifetime of user ticket renewal = 1 day, and Maximum tolerance for computer clock synchronization = 3 minutes; would this sufficiently deter a would-be hacker from utilizing the "Golden Ticket" exploit beyond a period of a single day (thus deflating the 10-year implication of the article)?
Secondly, shouldn't there be a way to identify if a ticket being utilized was outside of the defined Policy Management Settings; and if so, what would it look like and where?
I really appreciate any input that could aid in my understanding of this and its implications from a security perspective. Also, if you know of any tools or resources that could be utilized in identifying such an exploit being utilized, I would greatly appreciate the input (such as Tenable SC resources, SolarWinds, etc.).
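The second question above (what an out-of-policy ticket would look like, and where) can be illustrated with a small check over the output of the Windows `klist` command, which lists every cached ticket with its Start Time, End Time and Renew Time. The script below is an added example, not part of the original question or of any tool mentioned in it: it parses `klist`-style text, compares each ticket's validity and renewal windows with the policy values the question lists (540 minutes for service tickets, 9 hours for the TGT, 1 day for renewal, taken here as assumptions), and reports the tickets that exceed them. The `klist` output inside the script is constructed, including a krbtgt ticket carrying a ten-year lifetime of the kind a forged ticket advertises; the realm, hostnames and user names are placeholders.

```python
"""Flag cached Kerberos tickets whose lifetimes exceed the domain Kerberos policy.

Added example: parses the text format printed by Windows `klist` and compares
each ticket against the policy values from the question. The sample output
below is constructed, not captured from a real host.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Policy values from the question (assumed to be the domain's Kerberos Policy GPO).
POLICY = {
    "max_service_ticket": timedelta(minutes=540),
    "max_tgt": timedelta(hours=9),
    "max_renewal": timedelta(days=1),
}

# Constructed klist output: a normal TGT, a normal service ticket, and a
# krbtgt ticket with a ten-year lifetime (what a forged "Golden Ticket" carries).
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (3)

#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/20/2014 9:00:00 (local)
        End Time:   5/20/2014 18:00:00 (local)
        Renew Time: 5/21/2014 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: alice @ CORP.EXAMPLE
        Server: cifs/fs01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a10000 -> forwardable renewable pre_authent name_canonicalize
        Start Time: 5/20/2014 9:05:00 (local)
        End Time:   5/20/2014 18:00:00 (local)
        Renew Time: 5/21/2014 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#2>     Client: Administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/20/2014 9:10:00 (local)
        End Time:   5/17/2024 9:10:00 (local)
        Renew Time: 5/17/2024 9:10:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

# klist prints local time as M/D/YYYY H:MM:SS followed by "(local)".
_TIME_RE = re.compile(r"(\d{1,2})/(\d{1,2})/(\d{4}) (\d{1,2}):(\d{2}):(\d{2})")


def _parse_time(value: str) -> datetime:
    m = _TIME_RE.search(value)
    if not m:
        raise ValueError(f"unrecognised klist timestamp: {value!r}")
    month, day, year, hour, minute, second = (int(x) for x in m.groups())
    return datetime(year, month, day, hour, minute, second)


def parse_klist(text: str) -> list[dict]:
    """Split klist output into one dict per cached ticket."""
    tickets: list[dict] = []
    current: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        if re.match(r"#\d+>", line):          # "#0>" starts a new ticket entry
            current = {}
            tickets.append(current)
            line = line.split(">", 1)[1].strip()
        if current is None or ":" not in line:
            continue                          # header lines and the flags line
        key, value = (s.strip() for s in line.split(":", 1))
        if key in ("Client", "Server"):
            current[key.lower()] = value
        elif key in ("Start Time", "End Time", "Renew Time"):
            current[key.lower().replace(" ", "_")] = _parse_time(value)
    return tickets


def check_ticket(ticket: dict, policy: dict = POLICY) -> list[str]:
    """Return the policy violations for one ticket (empty list means in policy)."""
    is_tgt = ticket["server"].lower().startswith("krbtgt/")
    lifetime = ticket["end_time"] - ticket["start_time"]
    renewal = ticket["renew_time"] - ticket["start_time"]
    limit = policy["max_tgt"] if is_tgt else policy["max_service_ticket"]
    findings = []
    if lifetime > limit:
        findings.append(f"lifetime {lifetime} exceeds policy maximum {limit}")
    if renewal > policy["max_renewal"]:
        findings.append(f"renewal window {renewal} exceeds policy maximum {policy['max_renewal']}")
    return findings


def find_out_of_policy(text: str, policy: dict = POLICY) -> list[tuple[str, str, list[str]]]:
    """Return (client, server, findings) for every cached ticket that violates policy."""
    results = []
    for t in parse_klist(text):
        findings = check_ticket(t, policy)
        if findings:
            results.append((t["client"], t["server"], findings))
    return results


if __name__ == "__main__":
    for client, server, findings in find_out_of_policy(SAMPLE_KLIST):
        print(f"{client} -> {server}: " + "; ".join(findings))
```

Run it against real output with `klist` piped into the script (or `klist` run on a host under investigation and pasted into `SAMPLE_KLIST`), adjusting `POLICY` to the domain's actual Kerberos Policy values. Two caveats a practitioner should keep in mind: a ticket's lifetime lives inside the encrypted part of the ticket, so the KDC reads whatever value the ticket carries when it is presented in a TGS-REQ and does not recompute it against the policy, which is why the check above has to be done on the cache rather than expected from the DC; and this only covers tickets cached on hosts you inspect, so pair it with DC-side logging, where a genuine TGT issuance produces Security event 4768 and a forged TGT used in service-ticket requests (event 4769) never does.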