- Home
- Techniques
- Enterprise
- Steal or Forge Kerberos Tickets
- Golden Ticket
Steal or Forge Kerberos Tickets: Golden Ticket
Other sub-techniques of Steal or Forge Kerberos Tickets (3)
| ID | Name |
|---|---|
| T1558.001 | Golden Ticket |
| T1558.002 | Silver Ticket |
| T1558.003 | Kerberoasting |
Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.[1] Golden tickets enable adversaries to generate authentication material for any account in Active Directory.[2]
Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.[3]
The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.[4] The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.
Procedure Examples
| Name | Description |
|---|---|
| Empire |
Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.[5] |
| Ke3chang |
Ke3chang has used Mimikatz to generate Kerberos golden tickets.[7] |
| Mimikatz |
Mitigations
| Mitigation | Description |
|---|---|
| Active Directory Configuration |
For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. |
| Privileged Account Management |
Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. |
Detection
Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.[4][2][8]
Monitor the lifetime of TGT tickets for values that differ from the default domain duration.[9]
Monitor for indications of Pass the Ticket being used to move laterally.
References
- Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
- Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
- Sean Metcalf. (2014, November 10). Kerberos & KRBTGT: Active Directory’s Domain Kerberos Service Account. Retrieved January 30, 2020.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
- Deply, B., Le Toux, V.. (2016, June 5). module ~ kerberos. Retrieved March 17, 2020.
- Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.
- Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.
- Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.