Fortifying Your Fortress with Defense Tactics Against the Golden Ticket Attack

Written by Hornetsecurity / 31.08.2023 /

What is Golden Ticket Attack

The concept of the Golden Ticket originated with security researcher and developer Benjamin Delpy, who is known for creating the powerful post-exploitation tool Mimikatz, a credential-dumping utility capable of obtaining plaintext Windows account logins and passwords. A Golden Ticket attack exploits Kerberos, the default authentication service for Active Directory, by extracting a user’s ticket-granting ticket (TGT) within the domain, ideally that of a domain admin. This technique targets KRBTGT, a service account that exists in every Active Directory domain and is used by the Key Distribution Center (KDC), the service responsible for issuing and managing Kerberos tickets. The ultimate goal is to grant the attacker unrestricted access to the network that can last up to 10 years.

How a Golden Ticket Attack Works

1. Gaining Administrative privileges

For a Golden Ticket attack to occur, an adversary needs a foothold in your organization’s Active Directory, obtained through administrator-level privileges or access to a domain controller.

2. Extracting the hash

Once the threat actor has compromised a DC, the next step is to dump the NTLM hash stored in the NTDS.DIT file with the help of the open-source tool Mimikatz. The hash of interest belongs to the KRBTGT service account used by the Key Distribution Center (KDC), the service responsible for creating the authentication token known as a Ticket Granting Ticket (TGT). Users present that TGT to the Ticket Granting Service (TGS) to request the service tickets that grant access to specific resources in the domain.

3. Forging the Golden Ticket

With the extracted hash of the KRBTGT service account, the attacker creates a forged ticket-granting ticket (TGT), known as the Golden Ticket. This forged TGT carries several critical attributes, including a falsified session key and a signature encrypted with the KRBTGT account’s password hash. The Golden Ticket allows the attacker to impersonate any user within the compromised Active Directory domain.

4. Gaining Unauthorized Access

Armed with the Golden Ticket, the attacker can pivot through the network without requiring the legitimate user’s credentials. They can request service tickets for various resources within the domain, granting them unrestricted access. The forged TGT provides a seemingly legitimate authorization token, enabling the attacker to move laterally across the network, compromise sensitive information, or perform undetected malicious activities.

5. Prolonged Persistence

Persistence is a threat actor favorite for a reason. The Golden Ticket acts as a copy of the key that lets a thief into your house any time they want. Unlike traditional attacks that rely on stolen credentials, the Golden Ticket remains valid until the password of the domain’s KRBTGT account is changed. Attackers typically opt for shorter validity periods when forging the ticket to minimize the chances of being detected.

Strategies to Identify Golden Ticket Attacks

Logging is crucial for detecting malicious activity in an Active Directory (AD) environment, including Golden Ticket attacks. By enabling thorough logging and applying effective log analysis techniques, organizations can significantly improve their ability to respond to and thwart criminal activity in time.

Monitor and analyze Kerberos-related security event logs: TGT requests and renewals (Event ID 4768 and 4770) and service ticket requests (Event ID 4769). Pay attention to anomalies such as the creation of excessive TGTs, TGTs issued for unusual user accounts, or unexpected use of TGTs by a single account.

One key reason why logging is important is that it provides a detailed record of user authentication and ticket-granting activities within AD. By monitoring these logs, security teams can identify suspicious patterns or anomalies that may indicate a Golden Ticket attack in progress. For example, an unusually high number of TGT requests from a single user or repeated authentication attempts from different locations may raise red flags.

In addition, logs can reveal unauthorized modifications or accesses to the domain controller, which could indicate attempts to extract the necessary information for creating Golden Tickets. Unusual account activity, such as changes to privileged accounts or modifications to security policies, can be early indicators of a potential Golden Ticket attack.
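The following Python script is an added example, not code from Hornetsecurity, showing what the log analysis described above looks like in practice. It runs three heuristics over Windows Security event records with the field names of Event ID 4768 and 4769: service ticket requests for an account that the KDC never issued a TGT within the default 10-hour TGT lifetime (a forged TGT never passes through the KDC), tickets issued with the RC4 encryption type (0x17) in a domain whose accounts use AES, and bursts of TGT requests from one account. The sample events, the source IP addresses and the burst threshold of 20 are constructed assumptions; tune the threshold to your own baseline.

```python
"""Heuristic detection of Golden Ticket activity in Windows Security events.

Added example, not Hornetsecurity's code. Works on records carrying the field
names of Event ID 4768 (TGT requested) and 4769 (service ticket requested).
The sample records below are constructed, not real telemetry.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Default Domain Policy: maximum lifetime for a user (TGT) ticket is 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)
# TicketEncryptionType value the KDC logs for RC4-HMAC tickets.
RC4_HMAC = "0x17"
# Assumed baseline: this many TGT requests from one account is worth a look.
TGT_BURST_THRESHOLD = 20


def _event(event_id, user, ip, enc_type, when, service=None):
    rec = {"EventID": event_id, "TargetUserName": user, "IpAddress": ip,
           "TicketEncryptionType": enc_type, "TimeCreated": when}
    if service:
        rec["ServiceName"] = service
    return rec


# Constructed sample: alice behaves normally; "Administrator" is used from
# 10.0.0.99 for service tickets although the KDC issued it no TGT; bob
# produces a burst of TGT requests.
SAMPLE_EVENTS = [
    _event(4768, "alice", "10.0.0.5", "0x12", "2023-08-31T08:00:00"),
    _event(4769, "alice@CORP.LOCAL", "10.0.0.5", "0x12", "2023-08-31T08:00:05", "cifs/fs01"),
    _event(4769, "Administrator@CORP.LOCAL", "10.0.0.99", RC4_HMAC, "2023-08-31T09:00:00", "cifs/dc01"),
    _event(4769, "Administrator@CORP.LOCAL", "10.0.0.99", RC4_HMAC, "2023-08-31T09:00:10", "ldap/dc01"),
] + [_event(4768, "bob", "10.0.0.7", "0x12", f"2023-08-31T10:{i:02d}:00") for i in range(25)]


def _user(rec):
    """4769 logs user@REALM while 4768 logs the bare name; normalise both."""
    return rec["TargetUserName"].split("@")[0].lower()


def _when(rec):
    return datetime.fromisoformat(rec["TimeCreated"])


def service_tickets_without_tgt(events, window=MAX_TGT_LIFETIME):
    """(user, source IP) pairs with 4769 events but no 4768 for that user in the
    preceding window. Feed events from every DC in the domain, otherwise the
    TGT may simply have been issued by a DC whose log is missing."""
    issued = defaultdict(list)
    for rec in events:
        if rec["EventID"] == 4768:
            issued[_user(rec)].append(_when(rec))
    hits = set()
    for rec in events:
        if rec["EventID"] != 4769:
            continue
        t = _when(rec)
        if not any(t - window <= tgt_time <= t for tgt_time in issued[_user(rec)]):
            hits.add((_user(rec), rec["IpAddress"]))
    return sorted(hits)


def rc4_tickets(events):
    """(user, service) pairs for tickets issued with RC4-HMAC. Where accounts
    have AES keys, an RC4 ticket is the encryption-type mismatch to review."""
    return sorted({(_user(rec), rec.get("ServiceName", "krbtgt"))
                   for rec in events if rec["TicketEncryptionType"] == RC4_HMAC})


def tgt_request_bursts(events, threshold=TGT_BURST_THRESHOLD):
    """Accounts with at least `threshold` TGT requests in the data set."""
    counts = Counter(_user(rec) for rec in events if rec["EventID"] == 4768)
    return {user: n for user, n in counts.items() if n >= threshold}


def analyse(events):
    return {"tgs_without_tgt": service_tickets_without_tgt(events),
            "rc4_tickets": rc4_tickets(events),
            "tgt_bursts": tgt_request_bursts(events)}


if __name__ == "__main__":
    for check, result in analyse(SAMPLE_EVENTS).items():
        print(f"{check}: {result}")
```

In a real deployment the records would come from the Security logs of all domain controllers (for example exported with Get-WinEvent or forwarded to a SIEM); each finding is a lead to investigate, not proof of a forged ticket, since a burst of 4768 events can also be a misconfigured service and a missing 4768 can be a gap in log collection.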

Familiarizing yourself with the open-source tool Mimikatz and its functions is a great advantage in defending your fortress against Golden Ticket attacks. YARA rules for detecting Mimikatz activity can be crafted to identify specific strings, code patterns, or behaviors associated with the tool. These rules can target indicators such as specific function names, command-line parameters, or unique strings that Mimikatz generates during execution.

How to Defend Against Golden Ticket Attacks

The first step in defending against Golden Ticket attacks is implementing the Zero Trust model, the assumption that no user or device should be trusted unless its request is verified and authenticated. Since this form of attack requires the threat actor to have already compromised the Domain Controller, applying strict access controls and continuous authentication and verification is beneficial in combating Golden Ticket attacks.

Other key steps to consider:

  1. User awareness and training provide a great preventative measure against any form of attack on your organization. Run phishing simulation campaigns, since 95% of attacks begin with a malicious email being opened;
  2. Regularly patch and monitor Domain Controller account activity. Apply security patches promptly and perform continuous vulnerability scanning to stay one step ahead of the attackers;
  3. Look for Indicators of Compromise (IoCs) on both the DC and the KRBTGT account by detecting unusual behavior such as password resets, repeated authentication requests, or account lockouts;
  4. Monitor TGT lifetimes. Although threat actors like to keep Golden Tickets short-lived to avoid detection, it is useful to pay attention to any excessive issuance of TGTs and the presence of forged tickets. A good practice is to compare the expiration times of TGTs with the usual values to identify anomalies or abnormally long durations.
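Step 4, comparing TGT expiration times against the usual values, can be automated on an endpoint. The script below is an added example, not Hornetsecurity's code: it parses output in the layout of the Windows `klist` command and flags cached ticket-granting tickets whose lifetime or renewal window exceeds the Kerberos policy maximums (10 hours and 7 days under the Default Domain Policy). The sample klist output is constructed; the second ticket is valid for 3650 days, matching the up-to-10-years lifetime the post describes. As the post notes, this only catches forged tickets whose author did not bother to pick a short lifetime, so it complements rather than replaces log analysis.

```python
"""Compare cached TGT lifetimes against Kerberos policy maximums.

Added example, not Hornetsecurity's code. Parses text in the layout of the
Windows `klist` command and reports ticket-granting tickets whose validity
exceeds what the KDC would grant. The sample output is constructed.
"""
import re
from datetime import datetime, timedelta

# Default Domain Policy values; read the real ones from the domain if changed.
MAX_TGT_LIFETIME = timedelta(hours=10)   # "Maximum lifetime for user ticket"
MAX_TGT_RENEWAL = timedelta(days=7)      # "Maximum lifetime for user ticket renewal"

# Constructed klist output: ticket #0 is within policy, ticket #1 is not.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 8/31/2023 8:00:00 (local)
        End Time:   8/31/2023 18:00:00 (local)
        Renew Time: 9/7/2023 8:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: Administrator @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 8/31/2023 9:00:00 (local)
        End Time:   8/28/2033 9:00:00 (local)
        Renew Time: 8/28/2033 9:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
"""

ENTRY_RE = re.compile(r"^#\d+>", re.MULTILINE)


def _parse_time(value):
    # klist prints times like "8/31/2023 8:00:00 (local)"
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def parse_klist(text):
    """Split klist output into one dict per cached ticket."""
    starts = [m.start() for m in ENTRY_RE.finditer(text)] + [len(text)]
    tickets = []
    for begin, end in zip(starts, starts[1:]):
        block = text[begin:end]

        def field(name):
            m = re.search(rf"{name}:\s*(.*)", block)
            return m.group(1).strip() if m else ""

        tickets.append({
            "client": field("Client"),
            "server": field("Server"),
            "enc_type": field("KerbTicket Encryption Type"),
            "start": _parse_time(field("Start Time")),
            "end": _parse_time(field("End Time")),
            "renew": _parse_time(field("Renew Time")),
        })
    return tickets


def suspicious_tgts(tickets, max_lifetime=MAX_TGT_LIFETIME, max_renewal=MAX_TGT_RENEWAL):
    """Return (client, reasons) for TGTs that outlive the policy maximums."""
    findings = []
    for t in tickets:
        if not t["server"].startswith("krbtgt/"):
            continue  # service tickets are out of scope for this check
        reasons = []
        lifetime = t["end"] - t["start"]
        renewal = t["renew"] - t["start"]
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
        if renewal > max_renewal:
            reasons.append(f"renewal window {renewal} exceeds policy maximum {max_renewal}")
        if reasons:
            findings.append((t["client"], reasons))
    return findings


if __name__ == "__main__":
    for client, reasons in suspicious_tgts(parse_klist(SAMPLE_KLIST)):
        print(client)
        for reason in reasons:
            print("  -", reason)
```

On a live host the input would be the output of `klist` run in the context of the session under review; the encryption type field is kept in the parsed record so the same data can feed the RC4-versus-AES comparison mentioned in the detection section.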

For an overall look at cybersecurity risks gained from analyzing 25 billion emails, see our free Cyber Security Report 2023.


To properly protect and train your employees against cyber security threats, use Hornetsecurity Security Awareness Service as we work hard perpetually to give our customers confidence in their Spam & Malware Protection and Advanced Threat Protection strategies. To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.


Conclusion

The Golden Ticket attack, a kind of VIP pass that takes advantage of the Kerberos authentication system, poses a significant threat to security. A fake Ticket Granting Ticket (TGT) is created using stolen domain controller login information. Golden Tickets allow attackers to enter the targeted domain without restriction and get around authentication safeguards. Attentiveness, robust security procedures, and continuous monitoring are mandatory for identifying and reducing the dangers connected with Golden Ticket attacks.

FAQ

What is a golden ticket attack?

The term is used metaphorically for the powerful and unrestricted access that a malicious actor obtains to bypass normal security measures and control the network as if they possessed the highest level of authority. A Golden Ticket attack is one way to retain persistence once an attacker has gained a foothold as a domain admin in Active Directory. This “magical” ticket is created by exploiting Kerberos, an authentication protocol that allows secure communication between different entities, such as a client and a server, over an insecure network.

What are golden ticket and silver ticket attacks?

The main difference between Golden and Silver Ticket attacks is the level of access they provide within an organization. A Silver Ticket does not grant full domain-level access; it is more discreet, impersonating a specific user for a particular service or resource. That means Silver Tickets can be created without communicating with a Domain Controller, making them stealthier.

How can a golden ticket attack be detected?

Detecting Golden Ticket creation involves monitoring event logs for Event ID 4768 (Kerberos TGT request), checking for abnormal ticket lifetimes, comparing encryption types, analyzing Kerberos traffic, monitoring domain controller activity, conducting security audits, and using user behavior analytics. Vigilance and comprehensive monitoring are key to identifying these potent security threats.

What does a golden ticket attack require?

For a Golden Ticket attack to succeed, the threat actor must already have established administrative-level access to a domain controller. The attacker then exploits the Kerberos authentication protocol by dumping the hash of the KRBTGT service account, which is used by the Key Distribution Center service responsible for creating the Ticket Granting Ticket (TGT).