MITIGATIONS
1) SMB Signing should be enforced! This will prevent credential relay attempts
2) Sufficient security controls to protect Tier 0 infrastructure and accounts in child domains ( Could result to compromise of the entire forest)
3) Secure AD Certificate Services and AD Objects (and more AD Services are considered part of the attack surface)
4) Principle of least privilege
5) No configuration should break the tiering model
Last updated