A Golden Ticket attack is a Kerberos-based attack in which an adversary forges Ticket Granting Tickets (TGTs) using the stolen NTLM hash (or AES key) of the KRBTGT account in Active Directory. Because the KRBTGT key is what the KDC uses to validate every TGT, the forged tickets are accepted as genuine and grant persistent access as any user with any group membership. Attackers use tools like Mimikatz to generate these tickets, enabling stealthy lateral movement. Mitigation includes protecting KRBTGT credentials, monitoring for anomalous ticket activity, enforcing least privilege, and resetting the KRBTGT password (twice, to invalidate both stored keys) on a schedule and after any suspected compromise.
What is a Golden Ticket Attack?
The Golden Ticket attack allows attackers to forge a Kerberos Ticket Granting Ticket (TGT) by using the KRBTGT account's hash from Active Directory (AD). This forged TGT grants the attacker unlimited access to any service within the domain, including Domain Admin rights.
Why is Golden Ticket Attack Dangerous?
● Provides persistence in the environment: the forged ticket keeps working even if the account the attacker originally compromised is discovered, disabled, or has its password reset.
● Allows attackers to bypass normal authentication and obtain full control of every machine in the domain, since the ticket can claim membership in Domain Admins or any other group.
● Can be forged offline: once the attacker holds the KRBTGT hash, the ticket is built on the attacker's own machine without contacting a Domain Controller. Only presenting it to request service tickets touches the KDC, so there is no ongoing need for the original foothold on the DC.
________________________________________
How Does a Golden Ticket Attack Work? (Step-by-Step)
Step 1: Attacker Gains Domain Admin Privileges
● To carry out a Golden Ticket attack, the attacker needs the KRBTGT account's credential hash. In practice that means first compromising a Domain Admin account or any principal that holds directory replication rights.
● The hash can be retrieved through DCSync (abusing replication rights to ask a Domain Controller for the account's secrets over the directory replication protocol), by dumping NTDS.dit from a Domain Controller, or by extracting it from LSASS memory on a DC with Mimikatz.
Example Command to Extract the KRBTGT Hash (Mimikatz)
mimikatz.exe
lsadump::dcsync /domain:example.com /user:krbtgt
Extracts the KRBTGT account's NTLM hash (and AES keys) by replicating the account from a Domain Controller. The calling account must hold the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All rights, which Domain Admins have by default. From Linux, Impacket's secretsdump.py performs the same DCSync with the -just-dc-user krbtgt option.
________________________________________
Step 2: Forge the Golden Ticket (Using the KRBTGT Hash)
● The attacker builds a TGT for an arbitrary user name and group membership, then encrypts it and signs its PAC (Privilege Attribute Certificate) with the KRBTGT key. Because that is exactly the key the KDC uses to validate incoming TGTs, the forged ticket is indistinguishable from one the KDC issued itself.
● The attacker can therefore impersonate any user, including high-privileged accounts like Domain Admins, and the name in the ticket does not even have to exist in the directory.
Example Command to Create a Golden Ticket (Mimikatz)
mimikatz.exe
kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-1234567890-1234567890-1234567890 /rc4:
Creates a forged TGT for the Administrator account. The value after /rc4: is the KRBTGT NTLM hash (an /aes256: key can be used instead, which blends in better in AES-only domains); /sid: is the domain SID, which Mimikatz needs to build the PAC. The ticket is written to ticket.kirbi unless /ticket: names another file; adding /ptt injects it into the current session directly instead of writing it out.
Step 3: Use the Golden Ticket for Access
● The forged TGT is used to request service tickets from the KDC (Key Distribution Center) for any service within the domain.
● The attacker can use this TGT to gain full access to the domain, including administrative privileges.
Example Command to Use the Golden Ticket (Mimikatz)
mimikatz.exe
kerberos::ptt golden_ticket.kirbi
Injects the forged TGT into the current logon session (pass-the-ticket). Any subsequent Kerberos authentication from that session, for example a dir \\dc01\c$ or a PsExec against a server, uses the forged ticket to obtain service tickets as Administrator.
________________________________________
Step 4: Maintain Persistence
● The Golden Ticket gives persistent access to the domain even if the attacker's original credentials are discovered and reset, and it survives reboots of the Domain Controllers, because nothing on the DC records that the ticket was issued.
● As long as the KRBTGT key is unchanged (and the ticket has not expired; Mimikatz forges a 10-year lifetime by default), the forged TGT can be replayed at any time. A single KRBTGT password reset is not enough: the KDC keeps the previous KRBTGT key and still accepts tickets under it, so the password must be reset twice before tickets forged with the old hash are rejected.
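The following is an added example (not code from the original page or from Mimikatz or Impacket) that models why one KRBTGT reset is not enough. It is a simplification: the krbtgt secret is a random 32-byte key and the KRBTGT-keyed PAC signature/ticket encryption is stood in for by an HMAC-SHA256 over the ticket body. The behaviour it reproduces is the real one: the KDC holds the current and the previous KRBTGT key and accepts a ticket under either, so a forged ticket survives exactly one reset.

```python
"""Model of KRBTGT key rollover versus a forged (Golden) TGT.

Added example; not the page's or any tool's code.  Keys and the HMAC
'signature' are stand-ins for the real KRBTGT-keyed PAC signature.
"""
import hashlib
import hmac
import json
import os


def sign_ticket(key: bytes, body: bytes) -> bytes:
    # Stand-in for the KRBTGT-keyed PAC signature / TGT encryption.
    return hmac.new(key, body, hashlib.sha256).digest()


class KdcKrbtgtSecret:
    """The Domain Controller's view of krbtgt: the current key (N) and the previous one (N-1)."""

    def __init__(self):
        self.kvno = 1
        self.current = os.urandom(32)
        self.previous = None

    def reset(self):
        """One 'reset KRBTGT password' operation: N becomes N-1, a fresh N is generated."""
        self.kvno += 1
        self.previous = self.current
        self.current = os.urandom(32)

    def accepts(self, ticket: dict) -> bool:
        """KDC-side validation: a TGT is accepted if it verifies under any key the KDC still holds."""
        for key in (self.current, self.previous):
            if key is not None and hmac.compare_digest(sign_ticket(key, ticket["body"]), ticket["sig"]):
                return True
        return False


def forge_golden_ticket(stolen_key: bytes, user: str = "Administrator") -> dict:
    """Attacker side: arbitrary claims, signed with the stolen KRBTGT key (constructed body, not a real PAC)."""
    body = json.dumps({
        "cname": user,
        "realm": "EXAMPLE.COM",
        "group_rids": [512, 519],           # Domain Admins, Enterprise Admins
        "lifetime_hours": 10 * 365 * 24,    # Mimikatz default: 10 years
    }, sort_keys=True).encode()
    return {"body": body, "sig": sign_ticket(stolen_key, body)}


def reset_survival(resets: int) -> list:
    """Forge a ticket with the current key, reset `resets` times, and report acceptance after each reset.

    reset_survival(2) returns [True, False]: the ticket outlives the first reset
    because the KDC still holds the old key as N-1, and dies at the second.
    """
    kdc = KdcKrbtgtSecret()
    stolen = kdc.current                    # what DCSync hands the attacker
    ticket = forge_golden_ticket(stolen)
    assert kdc.accepts(ticket)              # valid immediately after forging
    outcome = []
    for _ in range(resets):
        kdc.reset()
        outcome.append(kdc.accepts(ticket))
    return outcome


if __name__ == "__main__":
    print("accepted after reset 1, reset 2:", reset_survival(2))
```

In a real domain the two resets must not be back to back: after the first reset, wait for replication to converge across all Domain Controllers (and ideally for the maximum TGT lifetime, 10 hours by default, so legitimate tickets issued under the old key expire rather than break), then reset again.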
________________________________________
Tool                                     | Usage
Mimikatz                                 | Forge Golden Tickets (kerberos::golden) and inject them into memory (kerberos::ptt)
Impacket (secretsdump.py, ticketer.py)   | Dump the KRBTGT hash via DCSync and forge TGTs as .ccache files usable by Impacket's Kerberos-aware tools
Kerberos Exploit Kit (KeX)               | Generate Golden Tickets and perform other Kerberos attacks
________________________________________
Example Commands for Each Tool
1. Forge a Golden Ticket with Mimikatz
mimikatz.exe
kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-1234567890-1234567890-1234567890 /rc4:
Creates a Golden Ticket that can be used to authenticate as Administrator.
________________________________________
2. Use the Golden Ticket with Mimikatz (Pass-the-Ticket)
mimikatz.exe
kerberos::ptt golden_ticket.kirbi
Injects the Golden Ticket into memory to impersonate the user and authenticate.
________________________________________
3. Use Impacket's ticketer.py (Forge Golden Ticket)
python3 ticketer.py -nthash <KRBTGT_NTLM_HASH> -domain-sid S-1-5-21-1234567890-1234567890-1234567890 -domain example.com Administrator
Generates a Golden Ticket for the named user (the last positional argument) and saves it as Administrator.ccache. The KRBTGT hash goes in -nthash (or -aesKey for an AES key) and the domain SID in -domain-sid. Point KRB5CCNAME at the .ccache file and run other Impacket tools (psexec.py, wmiexec.py, smbclient.py) with -k -no-pass to authenticate with the forged ticket.
________________________________________
How to Detect & Prevent Golden Ticket Attacks
Detection (Blue Team)
● Collect Security logs from every Domain Controller and correlate the Kerberos events: 4768 (TGT requested), 4769 (service ticket requested) and 4624 (logon). A forged TGT never goes through the AS exchange, so a service ticket request for an account and client with no matching TGT request is a strong indicator.
● Alert on Kerberos activity for account names that do not exist in AD, on tickets using RC4 (encryption type 0x17) in a domain where AES is enforced, and on ticket lifetimes far beyond domain policy (Mimikatz forges 10-year tickets by default).
● Alert on DCSync itself: Event 4662 on a Domain Controller showing the DS-Replication-Get-Changes / DS-Replication-Get-Changes-All rights exercised by an account that is not a DC means the KRBTGT hash may already be gone.
Prevention (Security Hardening)
● Reset the KRBTGT password twice on a regular schedule and immediately after any suspected Domain Controller or Domain Admin compromise, waiting for replication (and for legitimate tickets to expire) between the two resets.
● Enforce least privilege: keep Domain Admin and replication rights to a minimum, never use those accounts on workstations, and put privileged accounts in the Protected Users group so they cannot use RC4 or NTLM.
● Enforce AES for Kerberos and disable RC4 where possible, so a ticket forged from the NTLM hash stands out.
● Require MFA for privileged access so that a captured password alone does not yield the access needed to reach the KRBTGT hash.
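The following is an added example, not code from the original page or from any vendor tooling, showing the detection logic above run over a handful of constructed 4768/4769 records. The log lines, account list, IP addresses and timestamps are all made up for the demo; the field names (TargetUserName, IpAddress, TicketEncryptionType, ServiceName) are the Windows event fields a SIEM export would carry. The 10-hour correlation window is the default maximum TGT lifetime, and the check is only sound when events from every Domain Controller are merged.

```python
"""Hunt for Golden Ticket indicators in Windows Security events 4768/4769.

Added example; the events below are constructed, not captured from a domain.
Line format: timestamp|EventID|TargetUserName|IpAddress|TicketEncryptionType|ServiceName
"""
from datetime import datetime, timedelta

TGT_REQUESTED = 4768   # Kerberos authentication ticket (TGT) was requested
TGS_REQUESTED = 4769   # Kerberos service ticket was requested
RC4_HMAC = "0x17"      # TicketEncryptionType for RC4-HMAC (what a /rc4 golden ticket yields)

# Constructed sample export (not real logs).  alice is normal; the two
# requests from 10.0.0.77 look like a golden ticket in use.
SAMPLE_LOG = """\
2024-05-01T07:02:10|4768|Administrator|10.0.0.5|0x12|krbtgt
2024-05-01T08:00:12|4768|alice|10.0.0.15|0x12|krbtgt
2024-05-01T08:01:03|4769|alice|10.0.0.15|0x12|cifs/fs01.example.com
2024-05-01T09:15:44|4769|Administrator|10.0.0.77|0x17|cifs/dc01.example.com
2024-05-01T09:16:10|4769|svc_backup_ghost|10.0.0.77|0x17|ldap/dc01.example.com
"""

# Constructed directory snapshot; in practice pull sAMAccountName values from AD.
KNOWN_ACCOUNTS = {"Administrator", "alice", "bob"}
AES_EXPECTED = True    # set when the domain enforces AES Kerberos; RC4 tickets are then anomalous


def parse_events(text: str) -> list:
    """Parse the pipe-delimited export into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, user, ip, etype, service = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(eid),
            "user": user,
            "ip": ip,
            "etype": etype.lower(),
            "service": service,
        })
    return sorted(events, key=lambda e: e["time"])


def find_golden_ticket_indicators(events, known_accounts, aes_expected=True,
                                  tgt_window=timedelta(hours=10)) -> list:
    """Return (event, reasons) pairs for 4769 events that look like forged-TGT use.

    no_preceding_tgt : no 4768 for the same (user, client IP) within the TGT
                       lifetime; a forged TGT never went through the AS exchange.
                       Requires logs from all DCs to be merged, or a TGT issued
                       by another DC would be missed and cause a false positive.
    unknown_account  : the account name in the ticket does not exist in AD.
    rc4_ticket       : RC4 encryption type where AES is enforced.
    """
    known = {a.lower() for a in known_accounts}
    last_tgt = {}                       # (user, ip) -> time of the most recent 4768
    findings = []
    for ev in events:
        key = (ev["user"].lower(), ev["ip"])
        if ev["event_id"] == TGT_REQUESTED:
            last_tgt[key] = ev["time"]
            continue
        if ev["event_id"] != TGS_REQUESTED:
            continue
        reasons = []
        seen = last_tgt.get(key)
        if seen is None or ev["time"] - seen > tgt_window:
            reasons.append("no_preceding_tgt")
        if ev["user"].lower() not in known:
            reasons.append("unknown_account")
        if aes_expected and ev["etype"] == RC4_HMAC:
            reasons.append("rc4_ticket")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_golden_ticket_indicators(parse_events(SAMPLE_LOG), KNOWN_ACCOUNTS, AES_EXPECTED):
        print(f"{ev['time'].isoformat()} {ev['user']}@{ev['ip']} -> {ev['service']}: {', '.join(reasons)}")
```

The Administrator request from 10.0.0.77 is flagged even though Administrator legitimately obtained a TGT earlier from 10.0.0.5, because the correlation is per client: a TGT cached on one host cannot be used from another without the attacker copying it, which is itself a pass-the-ticket indicator. Treat the RC4 rule as corroborating evidence rather than a standalone alert until RC4 is actually disabled in the domain.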
________________________________________
Summary
● The Golden Ticket attack allows attackers to forge Kerberos TGTs and gain persistent access to any service or account in the domain.
● It requires access to the KRBTGT account's hash, which can be obtained through techniques like DCSync.
● Defenses include resetting the KRBTGT password twice on a schedule and after any suspected compromise, monitoring Kerberos events (4768, 4769) and DCSync activity (4662), enforcing least privilege and AES-only Kerberos, and requiring MFA for privileged access.
Tools: mimikatz, Impacket