Golden Ticket attacks can be hard to detect, and they grant attackers unfettered access to networks and data. Preventing such attacks starts with practicing good security hygiene and building an effective multilayered defense strategy that limits the potential attack surface.
Watch your Kerberos authentication event logs closely for signs of abnormality, such as TGTs that do not correspond to any ticket issued by Windows, or tickets using an encryption type that Microsoft does not recommend.
What is a Golden Ticket Attack?
A Golden Ticket attack is an exploit that grants attackers nearly unrestricted access to an organization’s domain (devices, files and domain controllers) through Microsoft Active Directory when credentials from that directory are stolen and misused; it works by exploiting weaknesses in the Kerberos identity authentication protocol.
Step one of a Golden Ticket attack is infiltrating one or more machines on the network by means such as phishing, malware downloads or physical tampering with devices. Once a machine is compromised, threat actors can use it to gather the domain’s fully qualified domain name (FQDN), its security identifier (SID) and the KRBTGT password hash.
With this data in hand, an attacker can forge Kerberos ticket-granting tickets (TGTs) and use them to take complete control of the network.
Organizations looking to detect Golden Ticket attacks should review event logs for suspicious activity, particularly changes to TGT timestamps. Third-party Active Directory monitoring solutions offer alerts and reports that can assist IT teams with detecting unusual behaviour. Furthermore, systems designed to minimize standing privilege and implement Zero Trust Privileged Access Management may help prevent Golden Ticket attacks altogether.
How Does a Golden Ticket Attack Work?
Golden Ticket attackers use stolen credentials, obtained through methods such as phishing or malware infection, to access Active Directory domain systems. Once they have gathered the fully qualified domain name, the domain security identifier and the KRBTGT password hash, they can forge a TGT that gives unrestricted access to that domain.
Golden Ticket attacks take advantage of weaknesses in the Kerberos authentication protocol used on Windows networks to gain almost unfettered access to an organization’s domain (devices, files and domain controllers) by using KRBTGT account material taken from a compromised domain controller. Attackers forge tickets that appear to have been legitimately issued by the key distribution center (KDC), and these tickets can then be used to gain entry to any domain service.
Preventing Golden Ticket Attacks begins with practicing basic cybersecurity hygiene and limiting opportunities for attackers to access privileged accounts. IT teams may also utilize identity protection solutions like Falcon to monitor Active Directory constantly for suspicious activity and detect anomalies within event logs such as TGTs with long lifetimes.
How to Detect Golden Ticket Attacks?
Attackers need your FQDN, security identifiers, password hashes and account details to perform a Golden Ticket attack successfully. They often obtain this information through phishing and can then pose as legitimate users during the attack.
IT teams looking to defend against Golden Ticket attacks need to implement Zero Trust enforcement and ensure access is authorized before being granted. Applying the principle of least privilege (POLP) may also help – only giving users access to resources necessary for them to complete their jobs effectively.
IT teams must regularly review logs and investigate suspicious activity with a SIEM solution, monitoring for abnormal lateral movement, tickets with long lifetimes (common in Golden Ticket attacks), privilege changes or changes to user profiles, in order to detect Golden Ticket attacks or Golden Ticket-like activity. An extended detection and response (XDR) solution can speed up this investigation by collecting threat data from the multiple tools in your technology stack and streamlining the analysis.
Monitor IT environment for suspicious activity
Suspicious network activity can serve IT teams as an early warning indicator of Golden Ticket attacks: authentication attempts from multiple sources, or changes to security policies that were never authorized. Unusual network performance, such as sudden slowness of devices or the network, and the appearance of scanning activity can also be telltale signs.
Depriving attackers of opportunities to access privileged credentials can prevent Golden Ticket attacks in the first place. IT teams should try not to grant end users administrative rights on their workstations and limit the number of domain controller service accounts with administrative rights.
Finally, adopting a Zero-Trust model that assumes no user or device should be trusted until they have been authenticated and verified can help minimize the threat of Golden Ticket attacks. In addition, employing an XDR solution which aggregates threat intelligence across an organization’s technology stack into one centralized view can speed response times while helping detect and prevent Golden Tickets before they strike.
1. TGTs with long lifetimes
Before initiating a Golden Ticket Attack, threat actors must gain initial entry by exploiting weaknesses in security. Once inside, attackers can use fraudulent TGTs to gain almost unrestricted access to domain devices, files and even domain controllers.
To spot Golden Ticket attacks, keep an eye on unusual Active Directory (AD) activity and implement systems that make it harder for attackers to reach privileged accounts. This may involve IT hygiene tools such as anti-phishing solutions as a preventative measure, and Zero Trust policies as a means of reducing the opportunities attackers have to obtain credentials.
Monitor AD events regularly, such as changes to TGT timestamps, to detect an attack in progress. Because AD event logs are complex, identifying truly suspicious activity in them can be challenging; investing in an Active Directory monitoring solution with clear, detailed reporting gives SOC teams a single view of threats, improving response times and productivity. XDR solutions have become increasingly popular for the same reason: they give SOC teams an all-in-one view of threats while streamlining incident response.
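The indicators described above (TGT lifetimes beyond policy, an encryption type Microsoft does not recommend, and tickets that never correspond to a KDC issuance) can be checked mechanically. The following is an added example, not code from the original article or any product it mentions; it runs over constructed Windows Security events (4768 = TGT issued, 4769 = service ticket requested) and constructed ticket-cache entries, and assumes the default 10-hour maximum user ticket lifetime.

```python
from datetime import datetime, timedelta

# Domain policy assumed for this example: the default "Maximum lifetime for user ticket" of 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)
RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in 4768/4769 events

# Constructed sample events (not real logs): 4768 = TGT issued, 4769 = service ticket requested.
EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "user": "alice", "ip": "10.0.0.5", "etype": 0x12},
    {"id": 4769, "time": "2024-05-01T08:05:00", "user": "alice", "ip": "10.0.0.5", "etype": 0x12, "service": "cifs/fs01"},
    {"id": 4768, "time": "2024-05-01T09:00:00", "user": "bob", "ip": "10.0.0.7", "etype": 0x17},
    {"id": 4769, "time": "2024-05-01T09:30:00", "user": "administrator", "ip": "10.0.0.9", "etype": 0x12, "service": "ldap/dc01"},
]

# Constructed ticket-cache entries (as a tool like klist would show them): start/end of each TGT.
TICKETS = [
    {"user": "alice", "start": "2024-05-01T08:00:00", "end": "2024-05-01T18:00:00"},
    {"user": "administrator", "start": "2024-05-01T09:00:00", "end": "2034-04-29T09:00:00"},
]

def _t(s):
    return datetime.fromisoformat(s)

def find_anomalies(events=EVENTS, tickets=TICKETS, window=MAX_TGT_LIFETIME):
    """Return (rule, account) findings for Golden-Ticket-style behaviour."""
    findings = []
    tgt_issued = [e for e in events if e["id"] == 4768]
    for e in events:
        if e["id"] == 4768 and e["etype"] == RC4_HMAC:
            # A TGT issued with RC4 in an AES-capable domain is a downgrade worth reviewing.
            findings.append(("rc4_tgt", e["user"]))
        if e["id"] == 4769:
            # A forged TGT is injected into a session and never requested from the KDC, so the
            # service-ticket request has no matching 4768 for that account and source within the window.
            prior = any(t["user"] == e["user"] and t["ip"] == e["ip"]
                        and timedelta(0) <= _t(e["time"]) - _t(t["time"]) <= window
                        for t in tgt_issued)
            if not prior:
                findings.append(("tgs_without_tgt", e["user"]))
    for tk in tickets:
        # The KDC never issues a ticket beyond domain policy; a longer lifetime was set by a forging tool.
        if _t(tk["end"]) - _t(tk["start"]) > window:
            findings.append(("long_lifetime_tgt", tk["user"]))
    return findings
```

In a real deployment the event dictionaries would be populated from the SIEM's parsed 4768/4769 records and the ticket entries from endpoint ticket-cache collection.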
2. Aberrant domain replication activity
Golden Ticket attacks exploit the Active Directory Key Distribution Service account (KRBTGT). With control of this account’s key, an attacker can forge tickets to reach every domain resource and pivot around the network undetected with almost unrestricted access, which is why monitoring and auditing Active Directory and Kerberos events is important for detecting suspicious activity.
A TGT whose signature carries an arbitrary lifetime value, or one that remains in use after the KRBTGT password has been changed, can indicate a Golden Ticket attack. Unauthorised modifications to the KRBTGT account and suspicious DCSync activity are also likely evidence.
An Active Directory monitoring solution that combines human-led threat hunting with automated incident response workflows can help detect the indicators of compromise (IoCs) that precede a Golden Ticket attack, such as attempts to steal password hashes, and can minimize opportunities for attackers to acquire privileged credentials from administrators logging on to end user computers.
3. Domain controller activity
A successful Golden Ticket attack gives attackers access to the devices, files and domain controllers of company networks that use Windows technology, much like Willy Wonka’s Golden Ticket from the book and film. Such attacks exploit vulnerabilities in the Kerberos authentication protocol used on Windows networks.
Kerberos communication works like this: after a user authenticates to a DC with their username and password (or another form of authentication), the KDC on that DC returns an encrypted authentication token, the TGT, which the client then presents to obtain tickets for domain services without repeating credential prompts for each service request.
In a Golden Ticket attack an adversary gains unrestricted access to IT systems and data by stealing the password hash of KRBTGT (a special hidden account whose key encrypts all tickets) and using it to forge ticket-granting tickets (TGTs). Threat actors typically use tools such as Mimikatz first to extract the KRBTGT hash and then to forge TGTs with it, which makes their access unrestricted.
While there’s no foolproof way to protect against Golden Ticket attacks, following certain best practices will significantly lower their risk. IT teams may wish to consider changing passwords for KRBTGT accounts when an employee capable of creating Golden Tickets leaves, thus eliminating the chance that former employees use counterfeit tickets to access sensitive data illegally.
4. Changes to privileges
Golden Ticket attacks exploit vulnerabilities in the Kerberos authentication protocol used in Windows environments to gain unrestricted access to an organization’s domain, including devices, files and even domain controllers. They do this by stealing the NTLM hash of the KRBTGT account, which handles ticket creation and validation in a domain.
Once an attacker has the KRBTGT password hash, they can create counterfeit TGTs for any account, including domain and enterprise administrators. When such a fake TGT is presented to a KDC, the KDC issues service tickets for it without administrators detecting or verifying anything.
Through these weaknesses attackers gain long-term, covert access to networks, which they can use to conduct ongoing surveillance or launch further attacks. To combat this risk, enforce strict password policies and deploy a security monitoring solution that detects changes in privileges and alerts teams when they occur. Implementing a least privilege access model, and periodically reviewing and revoking privileges, also limits the impact of any breach and protects data integrity.
The Golden Ticket Attack
The Golden Ticket Attack is an innovative cyber threat that exploits weaknesses in the Kerberos authentication protocol, a crucial component of Active Directory used for user authentication and authorization. Much like Willy Wonka’s golden ticket to his chocolate factory, this exploit allows attackers to gain unauthorized access to critical network resources and systems.
An attacker looking to perform a Golden Ticket attack must first gain access to a domain controller. Once inside, they can use the stolen password hash of the KRBTGT account (or of any other compromised account) as the basis for forging Kerberos tickets that allow them to elevate privileges and access other domain servers.
After gaining entry to a domain, an attacker can conduct reconnaissance on its AD infrastructure and gather valuable data such as user lists, group memberships and domain structure information, intelligence that allows for targeted attacks against it. Once an attack strategy has been devised, they can abuse the AS-REP exchange: accounts with the “Don’t use Kerberos preauthentication” setting enabled return RC4-HMAC-encrypted data that can be brute-forced offline, which makes such attacks simpler against domains with limited AD hardening.
Organizations looking to prevent Golden Ticket attacks must implement strong password policies and multi-factor authentication, and use security monitoring solutions capable of detecting abnormalities such as unusual authentication patterns or ticket requests that do not fit normal behavior. They should also follow the principle of least privilege, giving users only the privileges necessary for their job roles and reviewing and revoking unused permissions on an ongoing basis.
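The preauthentication and RC4 weaknesses described above, together with the KRBTGT password rotation advice given earlier, can be audited directly from account attributes. The following is an added example, not code from the original article; it uses the real Active Directory bit values for userAccountControl and msDS-SupportedEncryptionTypes, runs over constructed account records rather than a live directory, and assumes a 180-day KRBTGT rotation threshold and a fixed “current time” so the result is deterministic.

```python
from datetime import datetime, timedelta

# Real AD bit values: the userAccountControl flag that disables Kerberos preauthentication,
# and the msDS-SupportedEncryptionTypes bits for RC4-HMAC and the two AES types.
UF_DONT_REQUIRE_PREAUTH = 0x400000
ETYPE_RC4 = 0x4
ETYPE_AES = 0x8 | 0x10  # AES128-CTS | AES256-CTS

# Thresholds assumed for this example (not from the article): rotate krbtgt at least twice a year.
KRBTGT_MAX_AGE = timedelta(days=180)
NOW = datetime(2024, 5, 1)  # fixed "current time" so the audit is deterministic

# Constructed account records shaped like LDAP attributes; not a real directory export.
ACCOUNTS = [
    {"sAMAccountName": "krbtgt", "userAccountControl": 0x202,
     "msDS-SupportedEncryptionTypes": 0x1C, "pwdLastSet": datetime(2022, 1, 10)},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x410200,
     "msDS-SupportedEncryptionTypes": None, "pwdLastSet": datetime(2024, 3, 1)},
    {"sAMAccountName": "alice", "userAccountControl": 0x200,
     "msDS-SupportedEncryptionTypes": 0x18, "pwdLastSet": datetime(2024, 4, 20)},
]

def audit_accounts(accounts=ACCOUNTS, now=NOW):
    """Return (rule, account) findings for the hygiene gaps a Golden Ticket attacker relies on."""
    findings = []
    for a in accounts:
        name = a["sAMAccountName"]
        uac = a["userAccountControl"]
        etypes = a["msDS-SupportedEncryptionTypes"]
        if uac & UF_DONT_REQUIRE_PREAUTH:
            # Without preauthentication the KDC returns data encrypted under the account's
            # key to any requester, which is what makes offline brute forcing possible.
            findings.append(("preauth_disabled", name))
        # Attribute absent or zero is treated as RC4-only for this audit (an assumption; the KDC
        # default depends on patch level), so it is flagged alongside an explicit RC4-only value.
        if not etypes or (etypes & ETYPE_RC4 and not etypes & ETYPE_AES):
            findings.append(("rc4_only", name))
        if name.lower() == "krbtgt" and now - a["pwdLastSet"] > KRBTGT_MAX_AGE:
            # An old krbtgt key means any ticket forged with a previously stolen hash stays valid.
            findings.append(("krbtgt_stale", name))
    return findings
```

The same checks apply to an export of real accounts once the three attributes are populated from the directory.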