Threat (Privilege Escalation)
Forged PAC is a privilege escalation method in which an attacker forges the Privilege Attribute Certificate (PAC) carried in a Kerberos ticket, granting themselves access to resources they did not previously have access to.
How Forged PAC Works
Using a Silver Ticket
- An attacker gains access to a service account password or password hash using any of a number of methods, including Kerberoasting, DCSync, LSASS injection or NTDS.dit compromise.
- If the attacker has only the plaintext password, it must first be converted to a password hash. This can be done using DSInternals.
- The attacker can then use the service account's password hash to forge a Kerberos silver ticket for the service that the account runs. The Mimikatz Kerberos module can be used for this.
- The attacker then performs a Pass-the-Ticket (PtT) attack by loading the ticket into the current session and using it to access the compromised service.
Using a Golden Ticket
- An attacker uses an attack such as DCSync, LSASS injection or NTDS.dit extraction to gain access to the KRBTGT password hash.
- The attacker then generates a golden ticket using a valid username and can use the /groups parameter to inject specific groups into the PAC information in the Kerberos ticket. This can be used to compromise any resource within Active Directory (shares, applications, servers, domain controllers).
- The attacker then performs a Pass-the-Ticket (PtT) attack by loading the ticket into the current session and using it to access the systems they granted themselves access to.
Potential Solutions and Mitigating Controls for Forged PAC Attacks
Using the Group Membership event (Event ID 4627), it is possible to see the groups that a user authenticated with. Correlating the groups listed in this event with the user account's actual group membership in Active Directory could be done by a SIEM. It could also be done in a do-it-yourself Microsoft solution as follows:
- Use Windows Event Forwarding to forward all 4627 events to a collector.
- Set up a PowerShell script that does the following:
  - Retrieve all group membership events.
  - Loop through each event and do the following:
    - Find the username in the event.
    - Query AD for that user's group membership.
    - Find all groups in the event, strip the DOMAIN\ prefix from each, and remove entries that are not real groups (e.g. Everyone, Authenticated Users, Mandatory Label).
    - Compare the user's group membership names with the names from the event and look for differences.
  - Output any differences found between the live AD membership and the event information, showing what is different.
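The detection procedure described above, as an added PowerShell example that is not code from the original page: it reads 4627 events, keeps only domain group SIDs from the GroupMembership field (which drops Everyone, Authenticated Users, Mandatory Label and the other well-known identities the text says to remove), compares them with the user's effective membership in AD, and reports groups present in the logon that the account does not actually hold. Two deliberate departures from the outline, both labelled in the code: it compares SIDs rather than DOMAIN\-stripped names, which avoids the string manipulation and is not fooled by renamed groups, and it queries transitive rather than direct membership, because the PAC carries nested groups and a direct-only query would report false differences. Assumptions: the RSAT ActiveDirectory module is installed, the script runs with read access to the named event log and to AD, the XML form of the event lists groups as %{SID} entries, and the log name and 24-hour lookback are placeholders to adjust.

```powershell
# Added example, not from the original page: correlate Event ID 4627 (Group
# Membership) with live Active Directory membership to flag logons whose
# PAC carried groups the account does not hold, the signature of a forged PAC.
# Assumes the RSAT ActiveDirectory module; -LogName and -StartTime are placeholders.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$LogName = 'Security',              # use 'ForwardedEvents' on a WEF collector
    [datetime]$StartTime = (Get-Date).AddHours(-24)
)
Import-Module ActiveDirectory

# Keep only domain SIDs (S-1-5-21-<domain>-<rid>). This discards Everyone (S-1-1-0),
# Authenticated Users (S-1-5-11), logon-type SIDs, Mandatory Label SIDs (S-1-16-*)
# and BUILTIN local groups, none of which are AD groups. Assumption: the XML form
# of the event lists each group as %{SID}, one per line.
function Get-DomainGroupSids {
    param([string]$GroupMembershipField)
    [regex]::Matches($GroupMembershipField, '%\{(S-1-5-21-[\d-]+)\}') |
        ForEach-Object { $_.Groups[1].Value } | Sort-Object -Unique
}

# Effective (nested) membership from AD. The PAC carries transitive membership, so a
# direct-only query (e.g. the memberOf attribute) would produce false differences.
function Get-EffectiveGroupSids {
    param([string]$SamAccountName)
    try { $user = Get-ADUser -Identity $SamAccountName -Properties primaryGroupID }
    catch { return @() }                        # unknown account: nothing to compare against
    $domainSid = (Get-ADDomain).DomainSID.Value
    $sids = @("$domainSid-$($user.primaryGroupID)")   # primary group (Domain Users by default) is not in memberOf
    # LDAP_MATCHING_RULE_IN_CHAIN (1.2.840.113556.1.4.1941) walks nested membership server-side.
    $sids += Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
        ForEach-Object { $_.SID.Value }
    $sids | Sort-Object -Unique
}

# A logon with many groups is split across several 4627 events (EventIdx / EventCountTotal),
# so group SIDs are aggregated per TargetLogonId before comparison.
$events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 4627; StartTime = $StartTime } -ErrorAction SilentlyContinue
$logons = @{}
foreach ($ev in $events) {
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $key = "$($data.TargetDomainName)\$($data.TargetUserName)|$($data.TargetLogonId)"
    if (-not $logons.ContainsKey($key)) {
        $logons[$key] = [pscustomobject]@{
            User      = [string]$data.TargetUserName
            Domain    = [string]$data.TargetDomainName
            LogonId   = $data.TargetLogonId
            LogonType = $data.LogonType
            Time      = $ev.TimeCreated
            Sids      = New-Object System.Collections.Generic.HashSet[string]
        }
    }
    Get-DomainGroupSids $data.GroupMembership | ForEach-Object { [void]$logons[$key].Sids.Add($_) }
}

# Compare each logon's PAC-derived groups with live AD and emit one record per mismatch.
$localDomain = (Get-ADDomain).NetBIOSName
$adCache = @{}                                  # one AD query per account, not per event
$resolve = { param($s) try { ([System.Security.Principal.SecurityIdentifier]$s).Translate([System.Security.Principal.NTAccount]).Value } catch { $s } }
foreach ($logon in $logons.Values) {
    # Skip accounts from other domains (not resolvable here) and computer accounts.
    if ($logon.Domain -ne $localDomain -or $logon.User.EndsWith('$')) { continue }
    if (-not $adCache.ContainsKey($logon.User)) {
        $adCache[$logon.User] = @(Get-EffectiveGroupSids -SamAccountName $logon.User)
    }
    $live    = $adCache[$logon.User]
    $extra   = @($logon.Sids | Where-Object { $live -notcontains $_ })     # in PAC, not in AD: the forged-PAC signal
    $missing = @($live | Where-Object { -not $logon.Sids.Contains($_) })   # in AD, not in PAC: stale ticket or replication lag
    if ($extra.Count -eq 0 -and $missing.Count -eq 0) { continue }
    [pscustomobject]@{
        Time           = $logon.Time
        User           = "$($logon.Domain)\$($logon.User)"
        LogonId        = $logon.LogonId
        LogonType      = $logon.LogonType
        GroupsNotInAD  = ($extra   | ForEach-Object { & $resolve $_ }) -join '; '
        GroupsNotInPAC = ($missing | ForEach-Object { & $resolve $_ }) -join '; '
    }
}
```

Run it on the WEF collector with `-LogName ForwardedEvents`; 4627 is only written when the Audit Group Membership subcategory (Logon/Logoff) is enabled. The GroupsNotInAD column is the one that matters for a forged PAC: a high-privilege group such as Domain Admins appearing there for an account that AD says is not a member is exactly the /groups injection the golden ticket section describes. GroupsNotInPAC is usually benign (a ticket issued before a group change, or replication lag) and is reported only so that the comparison is visibly complete.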