Keep Yourself from being Roasted – WST


April 9, 2020 Keep Yourself from being Roasted - WST First an attacker must use the initial user account they compromised to scan Active Directory for accounts with a SPN (Service Principal Name) set. SPN values allows Kerberos to associate a service with a logon account. Authentication attempts are then handled through ticket requests. Further details of SPN, and ticket request are beyond the scope of this WST, but one key thing to note is that the tickets are signed with an NTLM hash. Once a list of accounts is obtained, the attacker then issues a ticket request [...]