Chapter 33 Quiz: Identity & Access Security
Test your knowledge of authentication factors, federated identity protocols, privileged access management, Active Directory attack techniques, and identity governance.
Questions
1. An attacker extracts NTLM password hashes from a compromised workstation and uses them to authenticate to other systems without cracking the hashes. Which AD attack technique is this?
- A) Kerberoasting
- B) Pass-the-Hash (PtH)
- C) DCSync
- D) Golden Ticket
Answer
B — Pass-the-Hash (PtH)
The NTLM challenge-response is computed directly from the NT hash, so the hash is a credential equivalent and the plaintext password is never needed. An attacker who dumps NT hashes (for example from LSASS memory with Mimikatz, which needs local admin or SYSTEM on the workstation) can authenticate over SMB, WMI or WinRM to any host where that account has rights. Mitigations: Credential Guard (isolates LSASS secrets), the Protected Users group (its members cannot authenticate with NTLM), restricting NTLM where possible, unique local administrator passwords via LAPS (so a dumped local hash does not work on the next workstation), and an admin tiering model that keeps privileged accounts off workstations in the first place.
2. A security analyst runs the following PowerShell command against Active Directory: Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName. What attack is the analyst hunting for evidence of?
- A) DCSync
- B) Pass-the-Hash
- C) Kerberoasting
- D) AS-REP Roasting
Answer
C — Kerberoasting
Kerberoasting targets accounts that have Service Principal Names (SPNs). Any authenticated domain user can request a TGS service ticket for any SPN, and that ticket is encrypted with a key derived from the service account's password (the NT hash itself when the RC4 encryption type is negotiated, which attackers request deliberately). Attackers request tickets, export them (Rubeus, Impacket's GetUserSPNs.py) and crack them offline with hashcat or John to recover the password. Enumerating accounts with SPNs, as this command does, is the first step in finding Kerberoastable targets, which is why defenders run the same query: user accounts with SPNs should have long random passwords or be group Managed Service Accounts (gMSA), and should be restricted to AES encryption types so that RC4 tickets cannot be requested for them.
3. What is the key difference between OAuth 2.0 and OpenID Connect (OIDC)?
- A) OAuth 2.0 is for authentication; OIDC is for authorization
- B) OAuth 2.0 is an authorization framework (access delegation); OIDC is an identity layer on top of OAuth 2.0 that adds user authentication
- C) OAuth 2.0 only works with REST APIs; OIDC is required for SAML compatibility
- D) OIDC replaces OAuth 2.0 in all modern applications
Answer
B — OAuth 2.0 is an authorization framework (access delegation); OIDC is an identity layer on top of OAuth 2.0 that adds user authentication
OAuth 2.0 was designed for access delegation (allowing app A to act on a user's resources at service B). It issues access tokens meant for the resource server and says nothing about who the user is; an access token is not proof that anyone logged in. OIDC adds an ID Token, a signed JWT carrying claims about the authenticated user (sub, iss, aud, exp, nonce and optionally email, name) that the client must validate before treating the user as logged in. SAML is a separate, XML-based federation protocol used mainly for enterprise SSO.
4. A PAM (Privileged Access Management) solution implements Just-in-Time (JIT) access for privileged accounts. Which statement best describes JIT access?
- A) Privileged accounts are permanently provisioned but require MFA for each use
- B) Privileged access is granted on-demand for a defined time window for a specific task, then automatically revoked
- C) JIT access allows administrators to bypass MFA for faster incident response
- D) JIT means privileged account passwords are rotated on a 90-day schedule
Answer
B — Privileged access is granted on-demand for a defined time window for a specific task, then automatically revoked
JIT access removes standing privilege, the most dangerous feature of traditional privileged administration. Instead of permanent admin accounts that sit dormant and can be targeted, JIT grants elevated access only when requested, for only the duration needed (for example a 2-hour window for a specific maintenance task), with approval and full audit logging; at expiration the access is revoked automatically. This shrinks the window in which a stolen credential carries admin rights and so limits lateral movement.
5. FIDO2 with WebAuthn uses which authentication mechanism that is resistant to phishing?
- A) One-time passcodes sent via SMS
- B) Public/private key cryptography where the private key never leaves the authenticator device, and the challenge is origin-bound to the specific website
- C) Knowledge-based authentication (KBA) verified against a central directory
- D) Client certificates stored in the browser's certificate store
Answer
B — Public/private key cryptography where the private key never leaves the authenticator device, and the challenge is origin-bound to the specific website
FIDO2/WebAuthn is phishing-resistant for two reasons. (1) The private key lives in the authenticator (a roaming security key, or a platform authenticator backed by a TPM or secure enclave) and only signatures ever leave it. (2) The browser, not the web page, writes the page's origin into the clientDataJSON that the authenticator signs, and only lets the authenticator be used for a Relying Party ID that matches the page's domain. A phishing page at evil.com therefore obtains, at best, an assertion whose signed data says origin evil.com and whose rpIdHash is for evil.com, which login.example.com rejects; editing the origin afterwards breaks the signature. SMS OTPs (A) are phishable because the code is a bearer secret that an adversary-in-the-middle proxy can relay in real time.
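An added example (not part of the quiz) of the relying-party checks that make the relay fail. The authenticator's public-key signature is modelled with an HMAC so the code runs with the standard library; the clientDataJSON contents, the rpIdHash, and the signed message layout authenticatorData || SHA-256(clientDataJSON) follow the WebAuthn specification. The RP ID, origin and phishing domain are constructed.

```python
"""Why a WebAuthn assertion cannot be relayed from a phishing page. Added example, not
from the quiz. The credential's signature is modelled with an HMAC (stand-in for the
authenticator's ECDSA/EdDSA signature); everything the RP checks follows WebAuthn."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                   # constructed
RP_ORIGIN = "https://login.example.com"  # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(origin: str, challenge: bytes) -> bytes:
    """Built by the browser; the page cannot choose the origin it contains."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()


def authenticator_get_assertion(cred_key: bytes, rp_id: str, client_data_json: bytes):
    """The browser passes rp_id (which it restricts to the page's own domain) and the
    client data hash; the authenticator signs authData || SHA-256(clientDataJSON)."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")  # rpIdHash|flags(UP)|signCount
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    signature = hmac.new(cred_key, signed, hashlib.sha256).digest()  # stand-in for the private-key signature
    return auth_data, signature


def rp_verify(cred_key: bytes, challenge: bytes, client_data_json: bytes, auth_data: bytes, signature: bytes) -> str:
    """Relying-party verification steps, in the order WebAuthn lists them."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return "reject: type"
    if cd.get("challenge") != b64url(challenge):             # fresh challenge, no replay
        return "reject: challenge"
    if cd.get("origin") != RP_ORIGIN:                        # the origin the browser saw
        return "reject: origin"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash"
    if not auth_data[32] & 0x01:                             # user presence flag
        return "reject: user presence"
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    if not hmac.compare_digest(hmac.new(cred_key, signed, hashlib.sha256).digest(), signature):
        return "reject: signature"
    return "ok"


def scenarios() -> dict:
    cred_key = secrets.token_bytes(32)   # never leaves the authenticator in reality
    challenge = secrets.token_bytes(32)  # issued by the RP for this ceremony
    out = {}
    # 1. genuine login from the real site
    cd = browser_client_data(RP_ORIGIN, challenge)
    ad, sig = authenticator_get_assertion(cred_key, RP_ID, cd)
    out["genuine"] = rp_verify(cred_key, challenge, cd, ad, sig)
    # 2. AiTM proxy on a look-alike domain relays the RP's real challenge to the victim
    phish_origin = "https://login.example.com.evil.net"
    cd = browser_client_data(phish_origin, challenge)
    ad, sig = authenticator_get_assertion(cred_key, "evil.net", cd)  # browser allows only the page's own rpId
    out["relayed"] = rp_verify(cred_key, challenge, cd, ad, sig)
    # 3. attacker rewrites the origin before forwarding (and, hypothetically, spoofed the rpId too)
    cd_phish = browser_client_data(phish_origin, challenge)
    ad, sig = authenticator_get_assertion(cred_key, RP_ID, cd_phish)
    cd_edited = browser_client_data(RP_ORIGIN, challenge)
    out["edited"] = rp_verify(cred_key, challenge, cd_edited, ad, sig)
    return out
```

Scenario 2 fails on the origin check and would also fail on rpIdHash; scenario 3 shows that even an attacker who could defeat the browser's rpId restriction cannot fix the origin, because the signature covers the hash of the client data the browser actually produced.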
6. An attacker holding a compromised privileged account, working from an ordinary domain-joined workstation, runs a tool that impersonates a domain controller and requests replication of the Active Directory database, including NTLM hashes for all users. Which technique is this?
- A) Kerberoasting
- B) Pass-the-Hash
- C) DCSync
- D) Silver Ticket
Answer
C — DCSync
DCSync abuses the Directory Replication Service protocol (MS-DRSR, the DRSUAPI RPC interface) by sending the same GetNCChanges request a real domain controller would send. It works from anywhere on the network for any principal that holds the Replicating Directory Changes and Replicating Directory Changes All rights on the domain object, which by default means Domain Admins, Enterprise Admins, Administrators and domain controller computer accounts; service accounts that legitimately hold these rights (such as the Entra Connect sync account) are prime targets. The response contains password hashes for any or all users, including the KRBTGT hash needed for Golden Tickets. Detection: with directory service access auditing enabled on domain controllers, Security Event ID 4662 whose Properties contain the replication control-access GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 and 1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) and whose subject is not a DC computer account, or DRSUAPI traffic from a non-DC address on the wire.
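Detection logic for both of the hunts described in questions 2 and 6, as an added example that is not part of the quiz: a Kerberoasting burst in Security Event 4769 and a DCSync replication request in Security Event 4662. The events are constructed dictionaries whose keys follow the EventData field names of the real events; the account names, SPNs, logon id and threshold values are assumptions.

```python
"""Hunting Kerberoasting (Security Event 4769) and DCSync (Security Event 4662) in domain
controller logs. Added example, not from the quiz; events are constructed dicts whose
keys match the EventData field names of the real events."""
from collections import defaultdict
from datetime import datetime, timedelta

# Control-access rights listed in 4662 Properties when directory replication is requested
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}


def detect_kerberoast(events, window=timedelta(minutes=5), min_services=3):
    """Accounts requesting RC4 (0x17) service tickets for several distinct services within
    `window`: the burst a Rubeus kerberoast or GetUserSPNs.py run produces. Tickets for
    krbtgt and for computer accounts are ignored as routine noise."""
    requests = defaultdict(list)
    for e in events:
        if e["EventID"] != 4769 or e["TicketEncryptionType"] != "0x17":
            continue
        svc = e["ServiceName"]
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue
        requests[e["TargetUserName"]].append((e["TimeCreated"], svc))
    alerts = []
    for user, reqs in requests.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):              # sliding window over each user's requests
            services = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(services) >= min_services:
                alerts.append((user, sorted(services)))
                break
    return alerts


def detect_dcsync(events, dc_accounts):
    """4662 events whose Properties carry a replication GUID and whose subject is not a
    domain controller computer account. 4662 has no source address; join SubjectLogonId
    with the matching 4624 to find it."""
    alerts = []
    for e in events:
        if e["EventID"] != 4662:
            continue
        props = {p.strip("{}").lower() for p in e["Properties"].split()}
        if props & DS_REPLICATION_GUIDS and e["SubjectUserName"].upper() not in dc_accounts:
            alerts.append((e["SubjectUserName"], e["SubjectLogonId"]))
    return alerts


# Constructed sample events; DC_ACCOUNTS would come from the Domain Controllers OU.
T0 = datetime(2024, 5, 1, 2, 10)
DC_ACCOUNTS = {"DC01$", "DC02$"}
REPL = "%%7688 {1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": T0, "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"EventID": 4769, "TimeCreated": T0 + timedelta(seconds=40), "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"EventID": 4769, "TimeCreated": T0 + timedelta(seconds=75), "TargetUserName": "jdoe@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.5.23"},
    {"EventID": 4769, "TimeCreated": T0 + timedelta(minutes=1), "TargetUserName": "amy@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.7.4"},  # normal AES
    {"EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7", "Properties": REPL},  # DC-to-DC
    {"EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1", "Properties": REPL},  # DCSync
]
```

Tuning: the RC4 filter catches the default behaviour of the common tools, but an attacker can request AES tickets (Rubeus /aes), so the distinct-service-count rule should also be run without the encryption-type condition at a higher threshold.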
7. An Identity Governance and Administration (IGA) platform runs a quarterly access certification campaign. What is the primary risk that access certification campaigns address?
- A) Access provisioning delays that reduce productivity
- B) Privilege accumulation — users accumulating excessive permissions over time through role changes and never having old access removed
- C) Password complexity compliance for service accounts
- D) Multi-factor authentication enrollment gaps
Answer
B — Privilege accumulation — users accumulating excessive permissions over time through role changes and never having old access removed
Access certification (also called access review or recertification) is a periodic process where resource owners review and confirm or revoke user entitlements. Without it, users accumulate access over time as they change roles (privilege creep/accumulation), violating least privilege. Quarterly reviews ensure that access granted for previous roles is revoked when no longer needed.
8. UEBA (User and Entity Behavior Analytics) detects an alert: "User john.smith downloaded 47GB from SharePoint between 02:00–04:00 UTC, 3 hours after badge-out at the office." Which insider threat indicator pattern is this?
- A) Masquerade attack — an external attacker using legitimate credentials
- B) Anomalous data exfiltration by an authenticated user outside normal working hours — consistent with a malicious insider or compromised account
- C) Credential stuffing attack using john.smith's email address
- D) Normal backup behavior from the SharePoint service account
Answer
B — Anomalous data exfiltration by an authenticated user outside normal working hours — consistent with a malicious insider or compromised account
UEBA correlates multiple signals: time anomaly (outside business hours), volume anomaly (47GB is far above baseline), and physical context (badge-out 3 hours prior contradicts presence in office). This pattern is consistent with either a malicious insider (data theft before resignation/termination) or a compromised account (attacker using stolen credentials after hours). Both require immediate investigation.
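The scoring such an alert rests on, as an added example that is not part of the quiz: a per-user volume baseline, a working-hours check and the badge log are combined into a severity. The baseline values, business-hours window and badge events are constructed sample data.

```python
"""UEBA-style scoring of a bulk download. Added example, not from the quiz; the baseline,
business hours and badge events are constructed sample data."""
import statistics
from datetime import datetime, timezone

# Constructed: daily GB downloaded from SharePoint by john.smith over 30 prior working days
BASELINE_GB = [0.3, 0.5, 0.2, 0.8, 0.4, 0.6, 0.3, 0.2, 0.9, 0.4, 0.5, 0.3, 0.7, 0.2, 0.4,
               0.6, 0.3, 0.5, 0.4, 0.8, 0.2, 0.3, 0.5, 0.6, 0.4, 0.3, 0.7, 0.2, 0.5, 0.4]
BUSINESS_HOURS = range(8, 19)    # assumed 08:00-18:59, same zone as the timestamps
BADGE_EVENTS = {                 # constructed physical access log: (direction, time)
    "john.smith": [("in", datetime(2024, 5, 1, 8, 45, tzinfo=timezone.utc)),
                   ("out", datetime(2024, 5, 1, 23, 0, tzinfo=timezone.utc))],
}


def score_download(user, gb, start, end, baseline=BASELINE_GB, badge_events=BADGE_EVENTS):
    """Combine independent weak signals; each one alone is explainable, together they are not."""
    reasons = []
    mean, sd = statistics.mean(baseline), statistics.pstdev(baseline)
    z = (gb - mean) / sd if sd else float("inf")
    if z > 3:
        reasons.append(f"volume {gb}GB is {z:.0f} sigma above the {mean:.2f}GB daily baseline")
    if start.hour not in BUSINESS_HOURS or end.hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    prior = [ev for ev in badge_events.get(user, []) if ev[1] <= start]
    if prior:
        direction, when = max(prior, key=lambda ev: ev[1])
        if direction == "out":
            hours = (start - when).total_seconds() / 3600
            reasons.append(f"badged out {hours:.0f}h before the activity")
    severity = {0: "low", 1: "low", 2: "high"}.get(len(reasons), "critical")
    return severity, reasons


def quiz_alert():
    """The scenario from the question: 47GB between 02:00 and 04:00 UTC, 3h after badge-out."""
    return score_download("john.smith", 47.0,
                          datetime(2024, 5, 2, 2, 0, tzinfo=timezone.utc),
                          datetime(2024, 5, 2, 4, 0, tzinfo=timezone.utc))


def benign_download():
    """Same user, ordinary afternoon volume while badged in."""
    return score_download("john.smith", 0.6,
                          datetime(2024, 5, 1, 14, 0, tzinfo=timezone.utc),
                          datetime(2024, 5, 1, 14, 20, tzinfo=timezone.utc))
```

A real UEBA engine replaces the static list with a rolling baseline per user and per peer group, and adds signals such as a never-seen source IP or device, but the shape of the decision is the same: score the deviation, not the absolute number.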
9. An organization migrating to Entra ID (formerly Azure AD) wants to ensure that even if a user's password is stolen, attackers cannot authenticate without a second factor that is also resistant to real-time phishing relay attacks. Which Entra ID feature provides this?
- A) Azure AD Password Protection (banning common passwords)
- B) FIDO2 security keys or Windows Hello for Business configured as phishing-resistant MFA methods in Conditional Access
- C) Enabling Security Defaults in Entra ID (uses Authenticator app TOTP)
- D) Azure AD Smart Lockout (locks accounts after failed attempts)
Answer
B — FIDO2 security keys or Windows Hello for Business configured as phishing-resistant MFA methods in Conditional Access
Entra ID supports many MFA methods, but its built-in phishing-resistant MFA authentication strength, which a Conditional Access policy can require, covers only FIDO2 security keys and device-bound passkeys, Windows Hello for Business and certificate-based authentication: credentials bound to hardware and to the origin, which an adversary-in-the-middle proxy cannot replay. The Authenticator app's push notifications and TOTP codes (what Security Defaults requires) are better than nothing but are phishable by real-time AiTM kits such as Evilginx, which proxy the genuine login page and capture the resulting session cookie. OMB M-22-09 requires phishing-resistant MFA for US federal agencies and CISA recommends it for everyone, starting with administrators.
10. An organization discovers that the KRBTGT account's password hash was extracted during a breach. What must they do to invalidate all forged Kerberos tickets?
- A) Force a password reset for all domain users
- B) Reset the KRBTGT account password twice, waiting for replication between the resets, because domain controllers still honour tickets encrypted with the previous KRBTGT key
- C) Reboot all domain controllers simultaneously
- D) Revoke all user certificates in the PKI hierarchy
Answer
B — Reset the KRBTGT account password twice, waiting for replication between the resets, because domain controllers still honour tickets encrypted with the previous KRBTGT key
A Golden Ticket is a TGT forged offline with the KRBTGT key; the attacker chooses the principal, the group memberships in the PAC and the lifetime (Mimikatz defaults to 10 years), so resetting user passwords does nothing. Resetting the KRBTGT password changes the key every TGT is encrypted with, but domain controllers keep the previous KRBTGT key and accept tickets encrypted with it, so that legitimate TGTs issued just before a reset keep working. After one reset a Golden Ticket made with the stolen key is therefore still accepted; after the second reset the stolen key has left the history and every ticket made with it is dead. Wait for the first reset to replicate to every DC before performing the second (Microsoft's New-KrbtgtKeys.ps1 script checks this), and expect every TGT issued before the first reset to become invalid after the second, so users and services re-authenticate. Silver Tickets forged with a service account's key are unaffected and need that account's password reset separately.
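An added model (not part of the quiz) of the one behaviour that makes two resets necessary: a KDC that validates a TGT against either its current or its previous KRBTGT key. Ticket encryption is represented by an HMAC tag, key rotation by a constructed reset method; only the two-key history reproduces Active Directory, nothing else about Kerberos is modelled.

```python
"""Why the KRBTGT password must be reset twice. Added example, not from the quiz. A toy
KDC that, like Active Directory, honours tickets made with the current or the previous
KRBTGT key; 'encryption' is an HMAC tag and principals are made-up names."""
import hashlib
import hmac
import secrets


def mint_tgt(krbtgt_key: bytes, principal: str) -> bytes:
    """A TGT is just data the KDC can only trust because it is bound to the KRBTGT key.
    Anyone holding the key, attacker included, can mint one."""
    body = principal.encode()
    return body + b"|" + hmac.new(krbtgt_key, body, hashlib.sha256).digest()


class ToyKDC:
    def __init__(self):
        self.keys = [secrets.token_bytes(32)]     # index 0 current, index 1 previous (after a reset)

    def current_key(self) -> bytes:
        return self.keys[0]

    def reset_krbtgt(self):
        """Models Set-ADAccountPassword on krbtgt once it has replicated: new current key,
        the old one kept exactly one generation, as AD's krbtgt password history does."""
        self.keys = [secrets.token_bytes(32), self.keys[0]]

    def issue_tgt(self, principal: str) -> bytes:
        return mint_tgt(self.keys[0], principal)

    def accepts(self, tgt: bytes) -> bool:
        """Try the current key, then the previous one."""
        body, tag = tgt.rsplit(b"|", 1)
        return any(hmac.compare_digest(hmac.new(k, body, hashlib.sha256).digest(), tag)
                   for k in self.keys)


def timeline() -> list:
    """Golden Ticket validity across two resets, plus a legitimate ticket issued in between."""
    kdc = ToyKDC()
    stolen = kdc.current_key()                      # obtained via DCSync during the breach
    golden = mint_tgt(stolen, "Administrator")      # forged, never issued by a DC
    log = [("golden before any reset", kdc.accepts(golden))]
    kdc.reset_krbtgt()
    legit = kdc.issue_tgt("jdoe")                   # a user logging on between the resets
    log.append(("golden after first reset", kdc.accepts(golden)))    # previous key still honoured
    kdc.reset_krbtgt()
    log.append(("golden after second reset", kdc.accepts(golden)))   # stolen key out of history
    log.append(("legit ticket issued between resets", kdc.accepts(legit)))
    return log
```

The last entry is why spacing the resets matters: a ticket issued between them survives the second reset, while anything issued before the first (legitimate or forged) does not, which is also why a burst of re-authentication after the second reset is expected rather than a sign of trouble.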
Scoring
| Score | Performance |
|---|---|
| 9–10 | Expert — Identity security, AD attack techniques, and IAM architecture fully mastered |
| 7–8 | Proficient — Ready to lead identity security programs and PAM deployments |
| 5–6 | Developing — Review Chapter 33 sections on AD attack paths, JIT access, and federation protocols |
| <5 | Foundational — Re-read Chapter 33 before proceeding |
Return to Chapter 33 | Next: Chapter 34