FalconFriday — Detecting UnPACing and shadowed credentials — 0xFF1E
When playing around with Certipy and Rubeus in a recent project, I went down a rabbit hole. Going through the attacks implemented in Certipy, I wanted to build as many solid detections as possible — essentially revisiting our earlier work on ADCS abuse detection. The rabbit hole started when I began looking into the KDC options[1], their meaning, and how they are used in these tools.
I managed to squeeze out quite a few high-fidelity detections, two of which I want to share today.
Cross-post from medium.com; please read the full article here: