A Golden Ticket attack is a kind of cyberattack targeting the access control privileges of a Windows environment where Active Directory (AD) is in use.
2. What is a Golden Ticket attack?
ATT&CK ID: T1558.001
• A golden ticket attack is a post-exploitation technique, and its purpose is domain persistence.
• Adversaries who have obtained the password hash of the KRBTGT account can forge Kerberos ticket-granting tickets (TGTs); such a forged TGT is called a golden ticket.
• A golden ticket lets adversaries generate authentication material for any account in Active Directory, because the ticket's PAC (including group memberships) is forged along with it.
• Using a golden ticket, adversaries are able to request ticket-granting service (TGS) tickets, which grant access to specific resources.
• Golden tickets still require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS tickets; only the TGT itself is forged offline and never issued by the KDC.
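The last bullet is the detection hook: a forged TGT never produces a TGT request event (4768) on any domain controller, but the service-ticket requests made with it do produce 4769 events. The following PowerShell is an added example, not part of the original slides, that hunts for 4769 events with no preceding 4768 for the same account and client address. The event objects are constructed sample data with a hypothetical shape; in a real hunt they would come from Get-WinEvent on every DC, because a client may obtain its TGT from one DC and its service tickets from another.

```powershell
# Added example (not from the original slides). Field names below are an
# assumed, simplified projection of the 4768/4769 event data; adapt them to
# your collector's schema.

# Constructed sample events: one normal logon (4768 then 4769 from the same
# client) and one "Administrator" that only ever shows up in 4769 events,
# using RC4 (0x17), which is the classic golden-ticket pattern.
$events = @(
    [pscustomobject]@{ Time=[datetime]'2024-01-10T08:00:00'; Id=4768; Account='alice';         Client='10.0.0.21'; Etype='0x12'; Service='krbtgt' },
    [pscustomobject]@{ Time=[datetime]'2024-01-10T08:00:02'; Id=4769; Account='alice';         Client='10.0.0.21'; Etype='0x12'; Service='cifs/fs01' },
    [pscustomobject]@{ Time=[datetime]'2024-01-10T09:15:00'; Id=4769; Account='Administrator'; Client='10.0.0.99'; Etype='0x17'; Service='cifs/dc01' },
    [pscustomobject]@{ Time=[datetime]'2024-01-10T09:15:01'; Id=4769; Account='Administrator'; Client='10.0.0.99'; Etype='0x17'; Service='ldap/dc01' }
)

function Find-OrphanServiceTicketRequests {
    # Returns every 4769 (TGS request) that has no 4768 (TGT request) for the
    # same account and client address within the lookback window. A legitimate
    # TGT must have been requested from the KDC at most one TGT lifetime earlier.
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [timespan] $Lookback = (New-TimeSpan -Hours 10)   # assumed: default domain TGT lifetime
    )
    $tgtRequests = $Events | Where-Object Id -eq 4768
    foreach ($tgs in ($Events | Where-Object Id -eq 4769)) {
        $priorTgt = $tgtRequests | Where-Object {
            $_.Account -eq $tgs.Account -and
            $_.Client  -eq $tgs.Client  -and
            $_.Time    -le $tgs.Time    -and
            ($tgs.Time - $_.Time) -le $Lookback
        }
        if (-not $priorTgt) {
            [pscustomobject]@{
                Time      = $tgs.Time
                Account   = $tgs.Account
                Client    = $tgs.Client
                Service   = $tgs.Service
                Etype     = $tgs.Etype
                # RC4 service tickets in a domain that uses AES are a second tell:
                # forging tools default to the NT hash (RC4) when that is what was stolen.
                Rc4Ticket = ($tgs.Etype -eq '0x17')
                Reason    = 'TGS request (4769) with no preceding TGT request (4768) from this client'
            }
        }
    }
}

Find-OrphanServiceTicketRequests -Events $events | Format-Table -AutoSize
```

Expect false positives from clients whose TGT was issued before the start of your log retention or on a DC you did not collect from, so treat hits as leads to correlate with the account's normal hosts, not as verdicts. Ticket lifetime (the 10-year value attackers typically set) is not visible in 4769; on a suspect host, `klist` shows the TGT's start and end times.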
3. Before diving into the Golden Ticket attack, let's quickly recap how Kerberos authentication works!
• User workstation: initiates authentication by sending a request (AS-REQ) to the Authentication Server.
• Key Distribution Center (KDC): runs on every domain controller, with the KRBTGT account as its service account, and is made up of three parts: the database (the AD database itself), the Authentication Server (AS) and the Ticket Granting Server (TGS).
• Authentication Server (AS): verifies the client's credentials. If the user authenticates successfully, the AS issues a ticket called the TGT.
• Ticket Granting Ticket (TGT): proves to the KDC, on later requests, that the user has already been authenticated. It is encrypted with the KRBTGT account's key, so only the KDC can read it.
• Ticket Granting Server (TGS): the user presents the TGT to the TGS and requests a service ticket (often itself called a TGS ticket) for the application server. That service ticket is encrypted with the key of the service account, not the KRBTGT key.
• Application Server: the server hosting the service the user wants to access; it validates the service ticket with its own key.
4. What is KRBTGT?
KRBTGT is the service account for the KDC (Key Distribution Center) service. The account is created automatically when a new domain is created (it is a default account).
This account cannot be deleted, its name cannot be changed, and it cannot be enabled in Active Directory. Every AD domain has its own KRBTGT account, whose key is used to encrypt the TGTs the KDC issues and to sign the PAC inside Kerberos tickets for the domain. The KRBTGT account should stay disabled; the KDC uses its key without the account ever logging on.
Importantly, before sending a TGT to the client, the KDC encrypts it using the KRBTGT account's password hash (key). That key is shared among all the writable DCs in the Active Directory domain, so that any of them can decrypt the TGTs they receive when users request access to various resources. This is exactly why the hash is so valuable: whoever holds it can produce TGTs that every DC in the domain will accept as genuine.
11. Workarounds
The lifetime of a golden ticket is chosen by the attacker and is typically set to 10 years or more, far beyond the domain's normal 10-hour TGT lifetime, so the ticket never expires on its own.
To invalidate golden tickets that were already generated, reset the built-in KRBTGT account password twice. The KDC accepts TGTs encrypted with both the current and the previous KRBTGT key, so a single reset leaves existing golden tickets valid; only the second reset pushes the stolen key out of that two-key history. Let the first reset replicate to every DC before performing the second one.
Consider rotating the KRBTGT account password every 180 days, so that a hash stolen in the past stops working on a predictable schedule.
Also keep the number of Domain Admins, and of groups that grant logon rights to DCs, to a minimum: the fewer accounts that can reach a DC, the fewer paths there are to the KRBTGT hash in the first place.
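The following PowerShell is an added example, not part of the original slides, that turns the rotation advice above into something you can run: it reports how old the KRBTGT key is against the 180-day interval, and it performs the double reset while checking, between the two resets, that the first one has replicated to every writable DC. It assumes the ActiveDirectory RSAT module and Domain Admin rights; the function names are this example's own.

```powershell
# Added example (not from the original slides). Assumes the ActiveDirectory
# module (RSAT) and a Domain Admin context. Run the reset only in a maintenance
# window: the second reset forces clients holding TGTs issued under the old key
# to re-authenticate.
Import-Module ActiveDirectory

function Get-KrbtgtKeyAge {
    # Compares PasswordLastSet of krbtgt against the rotation interval.
    param([int] $MaxAgeDays = 180)   # the interval the slides recommend
    $krbtgt = Get-ADUser -Identity krbtgt -Properties PasswordLastSet
    $age = (Get-Date) - $krbtgt.PasswordLastSet
    [pscustomobject]@{
        PasswordLastSet = $krbtgt.PasswordLastSet
        AgeDays         = [int]$age.TotalDays
        NeedsRotation   = $age.TotalDays -gt $MaxAgeDays
    }
}

function Test-KrbtgtReplicated {
    # True once every writable DC reports the same pwdLastSet for krbtgt.
    # RODCs are excluded: each has its own krbtgt_<id> account with a separate key.
    $dcs = Get-ADDomainController -Filter { IsReadOnly -eq $false }
    $values = foreach ($dc in $dcs) {
        (Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties pwdLastSet).pwdLastSet
    }
    ($values | Sort-Object -Unique).Count -eq 1
}

function New-RandomSecurePassword {
    # 48 random bytes, base64-encoded; nobody ever needs to type this value.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Reset-KrbtgtTwice {
    # Two resets are needed because the KDC honours the previous key as well as
    # the current one. Waiting for replication between them keeps every DC on the
    # same key history; otherwise a DC that missed reset #1 would, after reset #2,
    # still hold the stolen key as its "previous" value and keep accepting old tickets.
    param([int] $ReplicationTimeoutMinutes = 30)
    foreach ($pass in 1, 2) {
        Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomSecurePassword)
        Write-Host "krbtgt reset #$pass issued; waiting for replication..."
        $deadline = (Get-Date).AddMinutes($ReplicationTimeoutMinutes)
        while (-not (Test-KrbtgtReplicated)) {
            if ((Get-Date) -gt $deadline) {
                throw "krbtgt reset #$pass has not replicated to all writable DCs; do not continue"
            }
            Start-Sleep -Seconds 30
        }
        Write-Host "krbtgt reset #$pass replicated to all writable DCs"
    }
}

Get-KrbtgtKeyAge
# Reset-KrbtgtTwice   # uncomment to perform the double reset
```

If you want to avoid disrupting legitimate users as well as invalidating forged tickets, leave at least one maximum TGT lifetime (10 hours by default) between the two resets so that tickets issued under the original key expire naturally before the second reset rejects them. Microsoft publishes a script for this procedure (New-KrbtgtKeys.ps1) with additional safeguards; the example above shows the core logic, not a replacement for it.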