By obtaining the password hash for the most powerful service account in Active Directory – the KRBTGT account – an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to AD.
How the Golden Ticket Attack Works
The following is a summary of how the attack works:
- Once an attacker has obtained privileged access to an Active Directory Domain Controller (i.e. can log on interactively or remotely), they can use Mimikatz to extract the KRBTGT account’s password hash, in addition to the name and SID of the domain to which the KRBTGT account belongs
- Again using Mimikatz, the attacker generates a ticket (a “Golden Ticket”) using the available commands and parameters, such as the user account the ticket will be issued for, the Relative ID (RID) of the account being impersonated, the groups the account in the ticket will belong to, and, if cross-domain authentication is desired, a SID to be injected into the SIDHistory attribute of the account in the ticket
- Once the Golden Ticket has been generated, the attacker performs a Pass-the-Ticket (PtT) attack by loading the ticket into the current session, giving them access to any resource connected to Active Directory
Important Notes about Golden Tickets:
- The hardest part of the overall attack for the attacker is gaining privileged access to a Domain Controller (DC). Unless the attacker is a privileged insider to begin with, they will likely need to employ a variety of tactics, techniques, and procedures over an indeterminate period of time in order to gain the access needed on the DC. However, once they have gained the proper level of access, the subsequent steps are relatively easy and virtually undetectable.
- Some of the previously mentioned parameters the attacker can use to generate the Golden Ticket do not have to be real. The User account name and the RID of the account can be real or fake, depending on what the attacker is looking to accomplish.
- When configuring the groups the impersonated account will belong to, Mimikatz includes the Domain Admin group by default. As a result, the ticket will be created with maximum privileges.
Potential Solutions and Mitigating Controls for Golden Ticket Attacks
Golden Tickets are very difficult to detect, because they are perfectly valid TGTs. However, in most cases they are created with lifespans of 10 years or more, which far exceeds the default ticket lifetime values in Active Directory. Unfortunately, Windows event logs do not record TGT timestamps in authentication events, but other AD monitoring products are capable of doing so. If you do see that Golden Tickets are in use within your organization, you must reset the KRBTGT account password twice, which may have other far-reaching consequences.
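Detection logic for the lifetime anomaly described above, as an added example rather than code from the original article: it checks ticket records (constructed here; in practice they would come from klist output or a monitoring product) against the domain's Kerberos policy, which is assumed to be the AD default of a 10-hour TGT lifetime and 7-day renewal window.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed Default Domain Policy values; replace with the values from your own GPO.
MAX_TGT_LIFETIME = timedelta(hours=10)
MAX_RENEWAL = timedelta(days=7)


@dataclass
class Ticket:
    client: str          # client principal, e.g. "alice@CORP.LOCAL"
    server: str          # service principal the ticket is for
    start: datetime
    end: datetime
    renew_until: datetime


def is_tgt(t: Ticket) -> bool:
    # A TGT is a ticket for the krbtgt/<REALM> service principal.
    return t.server.lower().startswith("krbtgt/")


def suspicious_tgts(tickets, max_lifetime=MAX_TGT_LIFETIME, max_renewal=MAX_RENEWAL):
    """Return (ticket, reason) pairs for TGTs whose lifetime or renewal window
    exceeds what the domain's Kerberos policy could legitimately have issued."""
    findings = []
    for t in tickets:
        if not is_tgt(t):
            continue  # service tickets are not produced by the KRBTGT forgery described here
        lifetime = t.end - t.start
        renewal = t.renew_until - t.start
        if lifetime > max_lifetime:
            findings.append((t, f"lifetime {lifetime} exceeds policy {max_lifetime}"))
        elif renewal > max_renewal:
            findings.append((t, f"renewal window {renewal} exceeds policy {max_renewal}"))
    return findings


# Constructed sample data (not real tickets): a legitimate TGT issued under the default
# policy, an ordinary service ticket, and a TGT carrying the 10-year lifespan the text mentions.
SAMPLE = [
    Ticket("alice@CORP.LOCAL", "krbtgt/CORP.LOCAL",
           datetime(2024, 5, 1, 9), datetime(2024, 5, 1, 19), datetime(2024, 5, 8, 9)),
    Ticket("alice@CORP.LOCAL", "cifs/fs01.corp.local",
           datetime(2024, 5, 1, 9, 5), datetime(2024, 5, 1, 19), datetime(2024, 5, 8, 9)),
    Ticket("Administrator@CORP.LOCAL", "krbtgt/CORP.LOCAL",
           datetime(2024, 5, 1, 10), datetime(2034, 5, 1, 10), datetime(2034, 5, 1, 10)),
]

if __name__ == "__main__":
    for t, reason in suspicious_tgts(SAMPLE):
        print(f"SUSPECT TGT for {t.client}: {reason}")
```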
The most important protection against Golden Tickets is to restrict Domain Controller logon rights. There should be the absolute minimum number of Domain Admins, as well as of members of other groups that provide logon rights to DCs, such as Print Operators and Server Operators. In addition, a tiered logon model should be used to prevent Domain Admins from logging on to servers and workstations where their password hashes can be dumped from memory and used to access a DC to extract the KRBTGT account hash.