Detecting a Kerberos Golden Ticket Attack

A Golden Ticket is an open invitation for attackers to access all of an organization’s computers and servers, including Domain Controllers (DC). A Golden Ticket is a forged Kerberos Ticket-Granting Tickets (TGT) that enables attackers to generate Ticket Granting Service (TGS) tickets for any account in Active Directory and gain unrestricted access to the target resources.

How does a Golden Ticket Attack work?

Before one analyzes and studies the attacker’s playbook, it is important to understand how an attacker can use a Golden Ticket to request ticket-granting service (TGS) tickets, enabling unrestricted access to specific resources. An attacker can log on to a domain-joined computer with compromised user credentials and target the Kerberos communication process explained below:

  1. The system converts a user’s password to an NTLM hash, encrypts a timestamp with the hash, and sends it to the Key Distribution Center (KDC) as an authenticator in the authentication ticket (TGT) request. The Domain Controller (KDC) checks the user information such as login restrictions, group membership, etc., and creates a TGT.
  2. The created TGT gets encrypted and signed with a special account on the DC known as the Kerberos service (KRBTGT). Only the KRBTGT in the domain can open and read TGT data. The DC grants the TGT and delivers it to the user.
  3. The user presents the TGT and requests a Ticket Granting Service (TGS) ticket. The DC validates the presented TGT and creates the TGS ticket.
  4. The DC encrypts the TGS using the target service account’s NTLM password hash and sends it to the user.
  5. The user connects to the application server hosting the service on the appropriate port and presents the TGS. The service opens the TGS ticket using its NTLM password hash.

How do attackers perform Golden Ticket Attack?

An attacker with a valid KRBTGT account hash can create a forged Golden ticket using an Open-source tool like Mimikatz. Attackers can use DCSync, a Mimikatz feature, to obtain the Security IDentifier (SID) of the KRBTGT account and NTLM hash using the “lsadump::dcsync /user:attivo1krbtgt” command. Alternatively, Mimikatz can retrieve the hash of the KRBTGT account from the Local Security Authority (LSA) by executing Mimikatz commands “privilege::debug” and “lsadump::lsa /inject /name:krbtgt” on the DC.

The credentials section above shows valuable information like the SID and NTLM hashes. Attackers can use these hashes to create a Golden Ticket and potentially run a Pass the Ticket (PtT) attack to move laterally within an organization’s AD environment.

“kerberos::golden /user:poctest /domain:attivo1.local /sid:S-1-5-21-2087032555-2209862856-1647013465 /krbtgt:38fb5559b8b79e3657cbf45f7165a0c5 /ptt”

A couple of commands, “kerberos::list” and “kerberos::tgt,” are also supported in the Mimikatz module to retrieve all the available Kerberos tickets submitted for the current user session.

Once attackers have injected the Golden Ticket, they can have unrestricted network access to the entire DC. The following command can confirm the listing of DC admin share (C$).

Detecting a Kerberos Golden Ticket Attack and Mitigation Strategy

The Attivo Networks ADAssessor solution performs a continuous assessment of Active Directory and provides a comprehensive report on AD attacks. It detects vulnerable KRBTGT account and alerts on the potential pass-the-ticket attack.

The Attivo Networks ADSecure solution detects unauthorized queries, hides critical AD objects from the results, and inserts deceptive data in their place. These deceptive accounts lead attackers away from production assets. The solution also provides high-fidelity alerts on all attacker activities within the deception environment.

As a mitigation strategy, resetting the KRBTGT account password twice a year could minimize the chances of compromising the entire domain/forest. Security admins can also restrict domain administrators from logging on to any computer other than the domain controllers.

Conclusion

Attackers can gain unlimited access to any endpoint on the network or service. Organizations must implement comprehensive AD protection solutions to avoid attackers forging tickets and taking over complete domain dominance.

For more information, please visit: https://www.sentinelone.com/wp-content/uploads/product/adassessor/ and https://www.sentinelone.com/platform/.

References

Attivo's Identity Suite
Ready to experience Attivo Networks, the market’s leading identity security suite?