Golden Ticket attacks are particularly cunning. Like Kerberoasting, Golden Ticket attacks exploit the Kerberos authentication system and are one of the most severe threats to Active Directory environments. Here’s more information about this type of attack and how you can defend your Active Directory environment.
What is a Golden Ticket attack?
Golden Ticket attacks use a forged Kerberos Ticket Granting Ticket (TGT) to gain unrestricted access to services or resources within an Active Directory domain. Unlike attacks in which threat actors decipher existing tickets, Golden Ticket attackers create and use counterfeit tickets to masquerade as a user within the network.
This trick enables the attackers to obtain Kerberos service tickets for various resources. Threat actors can use this unchecked authority to infiltrate network systems, bypassing conventional access and authentication controls.
Before we dive into more detail about how these attacks work—and how you can defend Active Directory against them—you might find it useful to review cybersecurity basics.
Related reading: Reduce your Active Directory attack surface
What is Kerberos?
Kerberos is the default authentication protocol in Active Directory. This network authentication protocol uses secret-key cryptography and is crucial to ensuring that users and services can trust one another in a network environment. Kerberos uses various types of cryptographic entities, called tickets, to authenticate users or services without sending passwords across the network. (You can learn more about Kerberos and Kerberos tickets here.)
When authentication is successful, the Key Distribution Center (KDC) grants the user a Ticket Granting Ticket (TGT). TGTs authorize users to request service tickets that enable them to access applications such as file servers or databases.
What is the KRBTGT account?
The KRBTGT account, a built-in Active Directory user account, plays a vital role in the Kerberos authentication protocol. The account’s password is system generated and not automatically changed.
The KDC uses the KRBTGT account on each domain controller (DC) to encrypt TGTs with that account’s NTLM hash. When a user requests a service ticket to access a resource, the KDC uses this hash to validate the presented TGT. In other words, the KRBTGT account’s password hash is used to sign all Kerberos tickets in the domain.
The KRBTGT account is disabled for logon purposes—and should remain so. The account’s purpose is only to facilitate Kerberos authentication within the Active Directory domain. Safeguard the KRBTGT account. Compromise of the account can lead to severe security breaches, including Golden Ticket attacks.
What is Mimikatz?
Mimikatz is a powerful open-source utility, created by Benjamin Delpy. He developed the tool to experiment with Windows security and to better understand how Windows credentials are stored and transmitted across the network.
However, Mimikatz quickly became infamous in the cybersecurity community due to its potent ability to exploit various Windows security vulnerabilities. Many of these vulnerabilities revolve around how Windows handles authentication and credentials in memory.
Mimikatz is adept at extracting plaintext passwords, hashes, and Kerberos tickets from memory. Essentially, the tool is a one-stop shop for anyone who wants to compromise Active Directory security measures. Mimikatz can pull credentials and authentication tickets directly from RAM, where they can sometimes be found in plaintext form. Mimikatz can leverage these elements to bypass typical authentication procedures, granting attackers wide-reaching access within Active Directory.
Mimikatz is often used in post-exploitation scenarios. Once attackers gain a foothold in your network, they typically try to escalate their privileges or move laterally to find high-value targets.
How do Golden Ticket attacks work?
In a Golden Ticket attack, the attacker uses a tool like Mimikatz to extract the KRBTGT’s password hash. The attacker can use this hash to encrypt a forged Kerberos TGT, giving it any access or lifetime they choose. The attacker uses the hash to “prove” to the KDC that the ticket is valid. This fabricated TGT allows the attacker unrestricted access to any service or resource within an Active Directory domain.
Golden Ticket attacks involve several complex steps. These attacks require sophistication and knowledge of the inner workings of both Active Directory and Kerberos authentication. Let’s dive into the primary steps in a Golden Ticket attack.
- Domain infiltration. At this initial stage, the attacker finds a way into your organization’s network. The primary goal is to establish a foothold within the network. Detailed reconnaissance can then be carried out to understand the network topology and identify lucrative targets. Infiltration can be orchestrated through a range of strategies, including:
- Exploiting known vulnerabilities in the system
- Spear phishing campaigns that target unsuspecting employees
- Privilege escalation. Following infiltration, the attacker focuses on escalating their privileges within your network. This phase usually involves a series of tactics to gradually acquire elevated rights. The ultimate aim is to secure domain administrator privileges. These rights open the door to the core of your Active Directory environment. With domain admin privileges, the attacker has the necessary permissions to log on to a DC, target the Active Directory database (NTDS.dit file), and operate powerful tools like Mimikatz to further their objectives.
- KRBTGT hash compromise. At this pivotal juncture, the attacker compromises your domain’s KRBTGT account. By using a tool like Mimikatz to extract the KRBTGT hash, an attacker who has gained domain administrator rights can use Mimikatz to harvest the hash data from system memory or the NTDS.DIT AD database. After compromising the KRBTGT hash, the attacker can manipulate the authentication mechanism to their advantage.
- TGT creation. With the KRBTGT hash in their possession, the attacker crafts TGTs—“Golden Tickets” for any user account within the domain, including those with domain administrative privileges. These TGTs have fabricated credentials but are signed with the legitimate KRBTGT hash, making them appear genuine to the Kerberos service. The attacker now has virtually unrestricted access across the domain. They can impersonate any user and set favorable ticket properties, including exceedingly long lifespans, ensuring persistence in your environment.
- Service ticket generation. The final stage of the Golden Ticket attack involves generating service tickets from the fraudulent TGTs. Using the forged TGTs, the attacker can request service tickets for any service available within the domain, bypassing the need for further authentication. The attacker effectively gains a free pass to access any resource in the network, undetected. They can continuously generate valid service tickets that enable extensive lateral movement, data exfiltration, and further entrenchment in your network systems.
How can you defend against Golden Ticket attacks?
You can see that Golden Ticket attacks pose a persistent and stealthy threat to your organization. Certain tools and strategies can help you mitigate and defend against these pernicious attacks:
- Monitor Kerberos ticket activity
- Audit Active Directory and system logs
- Deploy endpoint security tools
- Use Credential Guard
- Carefully manage the KRBTGT account password
- Enforce the principle of least privilege
- Adopt effective identity threat detection and response (ITDR) tools and strategies
Let’s explore these methods.
Monitor anomalous Kerberos ticket activity
Keep a vigilant eye on activity surrounding Kerberos tickets within your network. Regularly scrutinize the properties and usage patterns of these tickets. Doing so can help you spot irregularities that might signal a Golden Ticket attack. For example, watch out for tickets with unusually long lifespans or tickets that grant unexpected privileges.
Audit Active Directory and system logs
Actively and routinely checking your Active Directory and system logs for suspicious activity such as:
- Unexpected privilege escalations
- Token manipulations
- Local Security Authority Subsystem Service (LSASS) memory reads
Spotting unusual access or manipulation of stored credentials can help you counteract attackers early in the attack lifecycle.
Deploy endpoint security tools
Endpoint Protection Platforms (EPP) and Endpoint Detection & Response (EDR) tools identify and block malicious tool signatures. These platforms can also detect unusual behavior that might indicate credential dumping, an act frequently seen in the early stages of a Golden Ticket attack.
Implement Credential Guard
Credential Guard, a feature in modern Windows systems, uses virtualization-based security to insulate sensitive data. The feature restricts access to this data to privileged system software only. This step can significantly deter attackers by preventing them from accessing LSASS memory to retrieve credentials.
Manage the KRBTGT account password
Change the KRBTGT account’s password twice in a row to address Kerberos’ ability to recall the last two passwords. This step can help invalidate stolen hashes, rendering them useless for creating Golden Tickets.
Enforce least privilege
The least privilege model assigns minimal access or permissions to users and systems. In short: limit rights to only what is essential for users or systems to perform their role or function. Closely monitor privileged account activities and promptly address any deviations from regular patterns.
Adopt advanced ITDR solutions
Solutions that can spot Golden Ticket usage patterns can speed attack detection. The sooner you can detect potential attacks, the sooner you can respond and mitigate damage.
Such solutions use algorithms and pattern recognition to identify when Golden Tickets are being used in the network. For example, Purple Knight and Semperis Directory Services Protector (DSP) look for indicators of exposure (IOEs) and indicators of compromise (IOCs) related to Kerberos exploitation. Better yet, DSP can automate rollback of suspicious activity in Active Directory until it can be reviewed and verified as legitimate.
Secure Active Directory to ward off Golden Ticket attacks
The audacity—and effectiveness—of the Golden Ticket attack are concerning. Attackers can use this attack not just to gain entry to your environment, but to turn themselves into super-users capable of extensive, under-the-radar network manipulation. They can access confidential data, modify user permissions, or execute malevolent tasks, all while appearing to be a legitimate network entity.
By understanding the steps involved in a Golden Ticket attack, you can be better prepared for such threats. Initial infiltration and privilege escalation are precursors to the attack’s devastating latter stages. Another precaution: Make sure to maintain a dedicated Active Directory backup, decoupled from the operating system, to defend against malware perseverance should you need to recover AD in a worst-case scenario.
Enterprises must be vigilant. Rigorous security protocols, continuous monitoring of the Active Directory attack surface, and education can help your IT and security teams recognize the early signs of a Golden Ticket attack and other Kerberos-centric exploits.