Modern technology has transformed the workplace, changing how people access data and operate in tandem with various software. The past few years especially have accelerated these changes as organizations adjusted their operations to support a sudden uptick in remote work. A large part of these changes involves the exponential increase in digital identities.
Digital identities allow users to identify themselves electronically and confirm who they are within the scope of an enterprise, software, or service. Through secured digital identities, enterprises standardize access management and authentication processes to ensure the right users see the right information.
As it stands, the digital identity surface is a dynamic one, still changing rapidly and requiring enterprises to adopt robust security solutions to protect user data. Threat actors are acutely aware of how reliant organizations are on this means of identification and are taking advantage of it. With attacks targeting the digital identity surface increasing, it is important for enterprise security teams to understand the common attack vectors and tactics that affect their scope of risk.
This blog post breaks down the Golden Ticket attack, an identity-based attack that exploits weaknesses in the Kerberos authentication protocol. Learn how this type of attack works, associated indicators of compromise, and how best to mitigate and protect against it.
Innocent Name, Powerful Attack | Golden Ticket Attacks Explained
The moniker “Golden Ticket” hails from Roald Dahl’s Charlie and the Chocolate Factory, a children’s tale in which a young boy finds a highly-coveted golden ticket pass, granting him access into Willy Wonka’s heavily guarded chocolate factory.
Despite the name’s innocent roots, a Golden Ticket attack can be devastating for the targeted enterprise if successfully carried out. Golden Ticket attacks give a threat actor unrestricted access to nearly everything in the targeted domain, including devices, folders, files, and domain controllers (DC). This type of attack exploits a weakness in the Kerberos authentication protocol, which is commonly used across global digital workforces.
According to the MITRE ATT&CK framework, these attacks involve the use of a Golden Ticket which, in this case, is a forged Kerberos ticket-granting ticket (TGT) to generate ticket granting service (TGS) tickets for any account in Active Directory.
Kerberos Communication Process | Understanding the Attack Vector
When threat actors carry out Golden Ticket attacks, they begin by logging onto a domain-joined computer with compromised user credentials and target the Kerberos communication process. It is important to understand the communication process before analyzing the methodology of the attack.
Under normal circumstances, the Kerberos authentication protocol allows users to authenticate themselves through a trusted third-party authentication service called the Kerberos Key Distribution Center (KDC). This service is typically run in each domain controller within an Active Directory (AD) domain. The Kerberos communication process follows the below steps:
1. The system converts the user’s password to an NTLM hash, encrypts a timestamp with that hash and sends it to the Key Distribution Center (KDC) as an authenticator in the ticket-granting ticket (TGT) request. The domain controller (KDC) checks the user information, such as login restrictions and group membership, and creates a TGT.
2. The newly created TGT is encrypted and signed with a special account on the domain controller known as the Kerberos service account (KRBTGT). Only the KRBTGT key in the domain can open and read TGT data. The domain controller then grants the TGT and delivers it to the user.
3. The user presents the TGT and requests a Ticket Granting Service (TGS) ticket. The domain controller validates the presented TGT and creates the TGS ticket.
4. The domain controller encrypts the TGS ticket using the target service account’s NTLM password hash and sends it to the user.
5. The user connects to the application server hosting the service on the appropriate port and presents the TGS ticket. The service opens the TGS ticket using its own NTLM password hash.
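The five steps above can be played through in a small model. The following is an added example written for this post, not code from the original article or from any Kerberos implementation: random 32-byte keys stand in for NTLM hashes, and "encrypt and sign" is modelled as an HMAC over a JSON body, so a ticket can only be minted or opened by whoever holds the right key. The user name, service name and key sizes are constructed. The point it makes is the one the attack relies on: in step 3 the KDC validates a TGT solely by opening it with the KRBTGT key and copies whatever claims it finds into the TGS, which is also why rotating the KRBTGT key invalidates every TGT sealed under the old one.

```python
import hashlib
import hmac
import json
import os
import time


def seal(key: bytes, claims: dict) -> dict:
    """Mint a ticket: the claims plus a MAC only a holder of `key` can produce.
    Toy stand-in for the KDC's encrypt-and-sign step; not the Kerberos wire format."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body, "tag": hmac.new(key, body, hashlib.sha256).digest()}


def unseal(key: bytes, ticket: dict) -> dict:
    """Open a ticket; raises PermissionError unless it was sealed with `key`."""
    expected = hmac.new(key, ticket["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, ticket["tag"]):
        raise PermissionError("ticket was not sealed with this key")
    return json.loads(ticket["body"])


class KDC:
    """Constructed domain: one user, one service, one KRBTGT key."""

    def __init__(self):
        self.user_keys = {"alice": os.urandom(32)}            # stands in for users' NTLM hashes
        self.service_keys = {"cifs/fileserver": os.urandom(32)}
        self.krbtgt_key = os.urandom(32)                       # the trust root for every TGT

    def as_exchange(self, user: str, authenticator: dict) -> dict:
        """Steps 1-2: check the timestamp authenticator under the user's key,
        then issue a TGT sealed with the KRBTGT key."""
        ts = unseal(self.user_keys[user], authenticator)["timestamp"]
        if abs(time.time() - ts) > 300:
            raise PermissionError("authenticator outside the allowed clock skew")
        return seal(self.krbtgt_key, {"user": user, "groups": ["Domain Users"],
                                      "expires": time.time() + 10 * 3600})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        """Steps 3-4: the KDC validates the TGT only by opening it with the KRBTGT
        key; the claims inside are copied into a TGS sealed with the service key.
        No password is checked again at this point."""
        claims = unseal(self.krbtgt_key, tgt)
        if claims["expires"] < time.time():
            raise PermissionError("TGT expired")
        return seal(self.service_keys[service],
                    {"user": claims["user"], "groups": claims["groups"], "service": service})

    def rotate_krbtgt(self) -> None:
        """Mitigation: with a new KRBTGT key, tickets sealed under the old one no longer open."""
        self.krbtgt_key = os.urandom(32)


def service_accepts(kdc: KDC, service: str, tgs: dict) -> str:
    """Step 5: the service opens the TGS with its own key and learns who is calling."""
    return unseal(kdc.service_keys[service], tgs)["user"]


def normal_logon(kdc: KDC, user: str = "alice", service: str = "cifs/fileserver") -> str:
    """The full happy path; returns the user name the service ends up trusting."""
    authenticator = seal(kdc.user_keys[user], {"timestamp": time.time()})
    tgt = kdc.as_exchange(user, authenticator)
    tgs = kdc.tgs_exchange(tgt, service)
    return service_accepts(kdc, service, tgs)


def tgt_is_honoured(kdc: KDC, tgt: dict, service: str = "cifs/fileserver") -> bool:
    """True if the KDC would issue a TGS for this TGT as things currently stand."""
    try:
        kdc.tgs_exchange(tgt, service)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    kdc = KDC()
    print("normal logon trusted as:", normal_logon(kdc))
    # A TGT sealed with the KRBTGT key but never issued via as_exchange is still honoured ...
    minted = seal(kdc.krbtgt_key, {"user": "ghost", "groups": ["Domain Admins"],
                                   "expires": time.time() + 3650 * 86400})
    print("unissued TGT honoured:", tgt_is_honoured(kdc, minted))
    # ... until the KRBTGT key is rotated, after which legitimate users simply re-authenticate.
    kdc.rotate_krbtgt()
    print("after rotation:", tgt_is_honoured(kdc, minted), "/ alice still logs on:", normal_logon(kdc))
```

The toy keeps only the current KRBTGT key. A real domain controller also accepts tickets under the previous KRBTGT key, which is why the usual guidance is to reset the account twice, with enough time between resets for replication, before old tickets are fully invalidated.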
KRBTGT Account Hashes | Understanding Golden Ticket Attacks in Action
A threat actor with a valid KRBTGT account hash can create a forged Golden Ticket using an open-source tool such as Mimikatz. Actors may also use DCSync, a Mimikatz feature, to obtain the security identifier (SID) of the KRBTGT account and NTLM hash using the
command. Alternatively, threat actors use Mimikatz to retrieve the hash of the KRBTGT account from the Local Security Authority (LSA) by executing Mimikatz commands privilege::debug and lsadump::lsa /inject /name:krbtgt on the DC.
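DCSync works by asking a domain controller to replicate directory data the way another domain controller would, so the defender-side signal is a non-DC account exercising directory replication rights. The following detection sketch is an added example for this post, not code from the original article or from Mimikatz: it models the fields of Windows Security event 4662 ("an operation was performed on an object") and flags replication control-access rights requested by any account outside an allow-list. The three replication GUIDs are the well-known control-access rights; the event records, the account names DC01$, DC02$, jdoe and MSOL_a1b2c3, the object GUID placeholders and the allow-list are all constructed sample data.

```python
import re

# Control-access rights a replication client needs (real, well-known GUIDs).
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Constructed allow-list: accounts expected to replicate in this hypothetical domain
# (domain controller computer accounts and a directory-sync service account).
EXPECTED_REPLICATORS = {"DC01$", "DC02$", "MSOL_a1b2c3"}

GUID_RE = re.compile(
    r"\{?([0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})\}?", re.I)

# Constructed 4662-style records; the Properties text mirrors the "Control Access"
# block a real event carries, with a placeholder GUID for the object class.
SAMPLE_EVENTS = [
    {"EventID": 4662, "SubjectUserName": "DC02$", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{00000000-0000-0000-0000-000000000001}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x100",
     "Properties": "Control Access\n\t{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"
                   "\n\t{00000000-0000-0000-0000-000000000001}"},
    {"EventID": 4662, "SubjectUserName": "jdoe", "AccessMask": "0x20",
     "Properties": "Write Property\n\t{00000000-0000-0000-0000-000000000002}"},
    {"EventID": 4624, "SubjectUserName": "jdoe", "AccessMask": "",
     "Properties": ""},
]


def replication_rights_used(event: dict) -> list:
    """Names of replication control-access rights named in a single event.
    Only 4662 events with access mask 0x100 (Control Access) are considered."""
    if event.get("EventID") != 4662 or event.get("AccessMask") != "0x100":
        return []
    found = []
    for match in GUID_RE.finditer(event.get("Properties", "")):
        name = REPLICATION_RIGHTS.get(match.group(1).lower())
        if name:
            found.append(name)
    return found


def dcsync_candidates(events: list, expected: set = EXPECTED_REPLICATORS) -> list:
    """(account, [rights]) pairs for replication requests from accounts not expected
    to replicate. Expected replicators are dropped so the output stays reviewable."""
    alerts = []
    for event in events:
        rights = replication_rights_used(event)
        if rights and event.get("SubjectUserName") not in expected:
            alerts.append((event["SubjectUserName"], rights))
    return alerts


if __name__ == "__main__":
    for account, rights in dcsync_candidates(SAMPLE_EVENTS):
        print(f"replication rights used by unexpected account {account}: {', '.join(rights)}")
```

Event 4662 is only produced when auditing of directory service access is enabled and a SACL on the domain object covers the replication rights, so the allow-list and the audit policy need to be maintained together; any new domain controller or sync service must be added to the list, and an account that appears once and never again deserves a closer look rather than an allow-list entry.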