Golden Ticket
Like Willy Wonka’s chocolate factory, a golden ticket in Active Directory grants the bearer unlimited access. The security of the Kerberos protocol is rooted in the use of shared secrets to encrypt and sign messages. Some of these secrets are known to the trusted third party (the Key Distribution Center, or KDC, in Kerberos) and to clients, but one in particular is known only to the KDC: the secret of the krbtgt account, whose password hash is used to encrypt and sign the ticket-granting tickets (TGTs) issued by the KDC. In other words, an adversary who compromises the krbtgt hash can behave as if they were Active Directory itself.
Once an adversary has the krbtgt hash, they possess the golden ticket. With it they can mint Kerberos tickets as if they were Active Directory: issuing tickets for users that do not exist, adding users to groups they do not belong to, or issuing tickets with lifetimes far beyond the configured maximum. In effect, the adversary is Active Directory and can access any resource they choose. Because the forged TGT is built offline from the stolen key and is never requested from a domain controller, this capability is both extremely powerful and difficult to detect.
Threat Summary
Target: Active Directory
ATT&CK® Tactic:
ATT&CK Technique:
Difficulty
Detect: Hard
Mitigate: Medium
Respond: Hard
How Golden Ticket Works
Detect, Mitigate, and Respond
Detect (Difficulty: Hard)
Like detecting other kinds of forgeries, detecting the use of a golden ticket requires analyzing Kerberos tickets for the subtle marks of manipulation. Signs and symptoms of a golden ticket include tickets with: usernames that do not exist in the directory; modified group memberships (groups added or removed); a username that does not match the RID in the ticket (for example, an ordinary account name carrying the Administrator RID of 500); weaker-than-normal encryption types (e.g. RC4 used where the domain normally issues AES-256); or ticket lifetimes exceeding the domain maximum (the domain default TGT lifetime is 10 hours; the mimikatz default is 10 years).
Note that because the forged TGT never passes through a domain controller, no TGT request (Event ID 4768) is logged for it; the first trace usually appears when the forged TGT is presented to obtain service tickets. The following Windows events can be collected and analyzed to detect possible golden ticket use:
| Event | Source | Information |
|---|---|---|
| Audit Kerberos Service Ticket Operations: Event ID 4769 | Domain Controllers | Logged when a service ticket is requested (TGS-REQ); records the requesting account, the service name, the client address and the ticket encryption type (0x17 = RC4, 0x12 = AES-256). |
| Audit Group Membership: Event ID 4627 | Domain Controllers, Member Computers | Logged with a logon; lists the group SIDs in the logon token, which can be compared with the account’s real memberships in the directory. |
| Audit Logon: Event ID 4624 | Domain Controllers, Member Computers | Records the logged-on account name and SID (TargetUserName / TargetUserSid); a name that does not resolve in the directory, or a SID that does not match the name, indicates a forged ticket. |
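The following is an added example, not code from the original page, showing the detection checks above applied to constructed sample events. The event XML is written in the shape of the Windows event schema (EventData/Data fields of 4769 and 4624), the `DIRECTORY` table is a hypothetical stand-in for an LDAP query of account names and SIDs, and the expected encryption types assume a domain that issues only AES tickets.

```python
"""Flag golden-ticket indicators in 4769 and 4624 Security events.

Added example. Sample events and the directory snapshot are constructed;
in production the snapshot would be built from an LDAP/ADSI query.
"""
import xml.etree.ElementTree as ET

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Hypothetical directory snapshot: sAMAccountName -> objectSid.
DIRECTORY = {
    "administrator": "S-1-5-21-1111111111-2222222222-3333333333-500",
    "alice": "S-1-5-21-1111111111-2222222222-3333333333-1105",
    "bob": "S-1-5-21-1111111111-2222222222-3333333333-1106",
}
# Ticket encryption types this (assumed AES-only) domain is expected to issue:
# 0x11 = AES128-CTS-HMAC-SHA1-96, 0x12 = AES256-CTS-HMAC-SHA1-96. 0x17 is RC4.
EXPECTED_ETYPES = {"0x11", "0x12"}


def _event(event_id, data):
    """Build a constructed Security event in the Windows XML event schema."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            f"<System><EventID>{event_id}</EventID></System>"
            f"<EventData>{fields}</EventData></Event>")


# Constructed sample events: one benign 4769, one RC4 4769, a 4624 for a user
# that does not exist, a 4624 with a name/SID mismatch, and a computer logon.
SAMPLE_EVENTS = [
    _event(4769, {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
                  "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.15"}),
    _event(4769, {"TargetUserName": "administrator@CORP.LOCAL", "ServiceName": "FS01$",
                  "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.99"}),
    _event(4624, {"TargetUserName": "ghostuser", "TargetDomainName": "CORP",
                  "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
                  "LogonType": "3"}),
    _event(4624, {"TargetUserName": "bob", "TargetDomainName": "CORP",
                  "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500",
                  "LogonType": "3"}),
    _event(4624, {"TargetUserName": "WS01$", "TargetDomainName": "CORP",
                  "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1201",
                  "LogonType": "3"}),
]


def parse_event(xml_text):
    """Return (event_id, {Data Name: value}) for one event."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find(f"{NS}System/{NS}EventID").text)
    data = {d.get("Name"): (d.text or "")
            for d in root.iterfind(f"{NS}EventData/{NS}Data")}
    return event_id, data


def check_event(event_id, data):
    """Apply the golden-ticket indicators to a single parsed event."""
    findings = []
    if event_id == 4769:
        # 4769 carries user@REALM; the forged TGT is only visible here, when
        # it is presented to request service tickets.
        account = data.get("TargetUserName", "").split("@")[0].lower()
        etype = data.get("TicketEncryptionType", "")
        if account and not account.endswith("$") and account not in DIRECTORY:
            findings.append((4769, account, "service ticket for account not in directory"))
        if etype not in EXPECTED_ETYPES:
            findings.append((4769, account, f"unexpected encryption type {etype}"))
    elif event_id == 4624:
        account = data.get("TargetUserName", "").lower()
        sid = data.get("TargetUserSid", "")
        # Computer accounts and well-known (non-domain) SIDs are out of scope here.
        if account.endswith("$") or not sid.startswith("S-1-5-21-"):
            return findings
        expected = DIRECTORY.get(account)
        if expected is None:
            findings.append((4624, account, "logon by account not in directory"))
        elif expected != sid:
            findings.append((4624, account, f"SID {sid} does not match directory ({expected})"))
    return findings


def scan(events):
    """Run every event through the checks and collect the findings."""
    findings = []
    for xml_text in events:
        findings.extend(check_event(*parse_event(xml_text)))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Running the block reports the RC4 service ticket for `administrator`, the logon by the non-existent `ghostuser`, and the `bob` logon whose SID carries RID 500. Baseline the encryption-type check before alerting on it: domains that still support legacy clients issue RC4 tickets legitimately, so on its own it is a weak signal, while a name that does not resolve or a name/SID mismatch is not something a healthy domain produces.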
Mitigate (Difficulty: Medium)
Golden tickets abuse the very foundation of trust and security in Active Directory: the password hash of the krbtgt account. Mitigation should therefore focus on the activities that make it harder for adversaries to compromise privileged access to Active Directory.
- Do not allow users to hold administrative privileges across security boundaries. For example, an adversary who initially compromises a workstation should not be able to escalate privileges to move from the workstation to a server or domain controller. Eliminating these pathways to privilege escalation is essential.
- Reduce and eliminate sensitive privileges. For example, many organizations have service accounts with “Domain Admins” privileges. If such a service account is compromised, an adversary has everything they need to extract the krbtgt hash.
- Change the password of the krbtgt account on a regular schedule, and after any change in the personnel responsible for Active Directory administration. Because the KDC validates Kerberos tickets with both the current and the previous krbtgt password, a single reset leaves tickets forged with the old hash valid; the password must be changed twice. Wait approximately 12-24 hours between the two resets, so that the first new password replicates to every domain controller and legitimately issued tickets (10-hour default lifetime) expire, otherwise the second reset invalidates every outstanding TGT at once and disrupts service.
Respond (Difficulty: Hard)
An adversary holding a golden ticket is among the most difficult intrusions to respond to and recover from. It can take weeks of planning and effort to complete everything needed to (a) fully eradicate the attacker’s presence and persistence mechanisms, and (b) make the changes that prevent them from reusing the prior attack path to regain access.
- Activate the incident response process and alert the incident response team.