The term “golden ticket attack” borrows from the children’s story “Willy Wonka & the Chocolate Factory” by Roald Dahl. Just as the winner of the golden ticket in the book gains unrestricted access to the factory, in this case a cyber threat actor who claims the Golden Ticket gains full, and often undetected, access to a compromised network.
What is a Golden Ticket Attack?
A Golden Ticket attack is a sophisticated and highly dangerous cyberattack targeting the Kerberos authentication protocol, primarily as used in Windows Active Directory environments. It allows attackers to generate forged authentication tickets that grant unrestricted access to any resource in the target domain.
The attack leverages a weakness in the way Kerberos validates Ticket-Granting Tickets (TGTs): the Key Distribution Center (KDC) trusts any TGT that is encrypted with the key of the krbtgt account, so whoever holds that key can mint tickets the KDC will accept.
Once an attacker has compromised the hash of the krbtgt account, which is responsible for issuing TGTs, they can forge valid authentication tickets that provide access to domain-level resources for any user within the system. These forged tickets often remain valid for an extended period, making detection and remediation challenging.
How Is a Golden Ticket Attack Executed?
This attack hinges on the attacker gaining access to the domain controller and retrieving the hash of the krbtgt account. Here’s a breakdown of the process:
- Gaining Domain Admin Access: To initiate the attack, cybercriminals first need to obtain administrative privileges in the domain. This can be achieved through various methods such as phishing, exploitation of unpatched vulnerabilities, privilege escalation, or lateral movement. Once the attacker has domain admin privileges, they can move to the next phase.
- Dumping the krbtgt Hash or Harvesting Credentials: The krbtgt account in the Kerberos system is responsible for issuing TGTs. By using tools like Mimikatz, attackers extract the krbtgt account hash from the domain controller. This hash is critical because it allows the attacker to create valid, albeit forged, TGTs.
- Creating the Golden Ticket: Armed with the krbtgt hash, the attacker uses tools to forge a TGT (golden ticket) that can impersonate any user on the domain, including privileged accounts like domain administrators.
- Unrestricted Network Access: With the golden ticket, the attacker can impersonate an administrator and access sensitive systems, files or applications without raising any alarms. This access typically goes undetected because the forged tickets are cryptographically valid and appear legitimate to network monitoring systems.
- Maintaining Persistence: With the golden ticket in place, the attacker can create backdoors, making it harder for administrators to detect or remove their presence.
How Do You Know if You’ve Been a Victim of a Golden Ticket Attack?
Detecting Golden Ticket attacks can be challenging because the forged tickets mimic legitimate Kerberos tickets. However, there are several signs that could indicate an attack:
- Extended Ticket Validity: Kerberos tickets typically have a limited lifespan (the default maximum TGT lifetime in Active Directory is 10 hours). If you notice tickets whose validity period is far longer than the domain policy allows, this may be a sign of tampering.
- Anomalous Administrative Activity: Sudden and unexpected behavior from high-privilege accounts, such as accessing systems they don’t usually interact with, could signal unauthorized access.
- Inconsistent Logon Events: These attacks often involve logins from unrecognized or unusual locations or devices. Monitoring account logon events and correlating IP addresses or device IDs can help detect abnormal patterns.
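The three indicators above can be turned into simple detection rules. The following is an added example, not code from the original article or from Cymulate: it runs the checks over a handful of constructed authentication records in a simplified schema (the field names `account`, `client_ip`, `target`, `issued` and `expires` are this example's own, not the Windows event log format). The 10-hour lifetime policy, the privileged account name, its host baseline and the admin subnet are assumed values standing in for what would come from Group Policy and a per-account profile built over a learning period.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records (NOT real Windows event log output): one record
# per Kerberos ticket observed on the network.
SAMPLE_EVENTS = [
    {"account": "alice", "client_ip": "10.0.1.15", "target": "FS01",
     "issued": "2024-05-01T08:00:00", "expires": "2024-05-01T18:00:00"},
    {"account": "da-bob", "client_ip": "10.0.1.20", "target": "DC01",
     "issued": "2024-05-01T09:00:00", "expires": "2024-05-01T19:00:00"},
    # A ticket valid for ten years, far beyond the 10-hour default lifetime.
    {"account": "da-bob", "client_ip": "10.0.1.20", "target": "DC01",
     "issued": "2024-05-01T09:30:00", "expires": "2034-04-29T09:30:00"},
    # A domain admin reaching a host outside its baseline from an unknown subnet.
    {"account": "da-bob", "client_ip": "192.168.77.5", "target": "HR-DB",
     "issued": "2024-05-01T10:00:00", "expires": "2024-05-01T20:00:00"},
]

# Assumed policy and baselines for this example.
MAX_TICKET_LIFETIME = timedelta(hours=10)          # domain default TGT lifetime
PRIVILEGED_ACCOUNTS = {"da-bob"}                    # domain admin accounts
ADMIN_HOST_BASELINE = {"da-bob": {"DC01", "DC02"}}  # hosts each admin normally uses
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.1.0/24")]  # where admins log on from


def ticket_lifetime(event):
    """Return the ticket's validity period (expires minus issued)."""
    issued = datetime.fromisoformat(event["issued"])
    expires = datetime.fromisoformat(event["expires"])
    return expires - issued


def check_event(event):
    """Return the names of the indicators a single record triggers."""
    reasons = []
    # Indicator 1: ticket lifetime longer than the domain policy allows.
    if ticket_lifetime(event) > MAX_TICKET_LIFETIME:
        reasons.append("extended_ticket_validity")
    account = event["account"]
    if account in PRIVILEGED_ACCOUNTS:
        # Indicator 2: a privileged account touching a host it never administers.
        if event["target"] not in ADMIN_HOST_BASELINE.get(account, set()):
            reasons.append("anomalous_admin_activity")
        # Indicator 3: a privileged logon from a network admins never use.
        ip = ipaddress.ip_address(event["client_ip"])
        if not any(ip in net for net in ADMIN_NETWORKS):
            reasons.append("inconsistent_logon_source")
    return reasons


def analyze(events):
    """Map record index -> triggered indicators, for records that trigger any."""
    findings = {}
    for index, event in enumerate(events):
        reasons = check_event(event)
        if reasons:
            findings[index] = reasons
    return findings


if __name__ == "__main__":
    for index, reasons in analyze(SAMPLE_EVENTS).items():
        e = SAMPLE_EVENTS[index]
        print(f"record {index}: {e['account']} -> {e['target']} "
              f"from {e['client_ip']}: {', '.join(reasons)}")
```

Run as a script, it reports record 2 for its ten-year lifetime and record 3 for both the off-baseline host and the unknown source network; the two ordinary records produce nothing. In a real deployment the ticket lifetimes would be gathered from endpoints (for example via `klist`) and the logon records from the domain controllers' security logs, and each indicator on its own is only a lead that needs correlation with the others.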
Known Examples
Golden Ticket attacks have been used in several high-profile cyber incidents, often enabling long-term infiltration into corporate networks:
Sony Pictures Hack (2014): The Sony breach involved a combination of techniques, including a Golden Ticket attack that allowed hackers to maintain persistent access to Sony’s internal systems. By creating forged tickets, attackers were able to evade detection for an extended period, accessing confidential emails, business strategies, and sensitive employee data.
NotPetya Attack (2017): Although primarily known as a destructive malware attack, the NotPetya incident involved the use of a Golden Ticket to manipulate Kerberos authentication, allowing the attackers to spread across networks and deploy malicious payloads.
What is the Difference Between Kerberoasting and Golden Ticket Attacks?
While both Golden Ticket attacks and Kerberoasting exploit weaknesses in Kerberos, they differ in their objectives and methods. In Kerberoasting, attackers target service accounts by requesting Kerberos service tickets, which are encrypted with the service account’s password hash. The goal is to crack the password offline and gain access to that specific service. In contrast, a Golden Ticket attack grants an attacker total domain control by forging a TGT that impersonates any user, including privileged accounts.
What is the Difference Between Pass-the-Hash and Golden Ticket Attacks?
Pass-the-hash attacks allow attackers to authenticate by using a hashed version of a password, rather than the actual plaintext password. While both attacks provide unauthorized access, pass-the-hash is limited to the account whose hash is compromised. In contrast, a Golden Ticket attack grants indefinite access across the entire domain, allowing attackers to impersonate any account, including domain administrators, without requiring their actual credentials.
Prevention Methods
While Golden Ticket attacks are highly destructive, there are several preventive measures organizations can implement to reduce the risk:
- Reset the krbtgt Account Password Regularly: Changing the password for the krbtgt account periodically renders any previously stolen hashes invalid, limiting the attacker’s ability to reuse a golden ticket.
- Enforce Least Privilege Access: Ensure that only a minimal number of users have domain admin privileges. Reducing the number of privileged accounts makes it harder for attackers to escalate their access.
- Enable Strong Monitoring: Use security information and event management (SIEM) systems to monitor account activity, including unusual authentication events, extended ticket lifetimes, and suspicious admin behavior.
- Implement Multi-Factor Authentication (MFA): Requiring MFA for all privileged accounts adds an additional layer of security, making it more difficult for attackers to leverage stolen credentials or golden tickets.
- Network Segmentation: By segmenting your network, you can limit the spread of an attack, even if an attacker gains access to one part of the network.
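The krbtgt reset recommendation above has a practical subtlety: Active Directory retains the previous krbtgt key alongside the current one and accepts tickets protected with either, which is why Microsoft’s guidance is to reset the krbtgt password twice (allowing replication, and ideally the full 10-hour TGT lifetime, between the two resets) before a previously stolen key is truly useless. The following is an added example, not code from the original article or from Cymulate, that models just that validation rule with a toy `KdcModel` class: HMAC-SHA256 over the ticket body stands in for Kerberos encryption, a random 32-byte value stands in for the krbtgt key, and the principal name is a placeholder. It demonstrates that a ticket minted under the old key, whether issued legitimately before the reset or forged from a stolen hash, survives exactly one reset.

```python
import hashlib
import hmac
import os


def sign_tgt(key, principal):
    """Toy 'TGT': the principal name plus an HMAC under the krbtgt key.

    Stands in for the real KDC encrypting the TGT with the krbtgt key.
    """
    body = principal.encode()
    return body, hmac.new(key, body, hashlib.sha256).digest()


def verify_tgt(key, tgt):
    """True if the ticket's HMAC was produced with this key."""
    body, tag = tgt
    expected = hmac.new(key, body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


class KdcModel:
    """Toy model of the KDC's TGT check (not real Kerberos).

    Active Directory keeps the current and the previous krbtgt key and honours
    tickets protected with either, so this model does the same.
    """

    def __init__(self):
        self.current_key = os.urandom(32)  # stand-in for the krbtgt key
        self.previous_key = None

    def reset_krbtgt(self):
        """Model a krbtgt password reset: the old key is retained as 'previous'."""
        self.previous_key = self.current_key
        self.current_key = os.urandom(32)

    def issue_tgt(self, principal):
        """A legitimately issued TGT, protected with the current key."""
        return sign_tgt(self.current_key, principal)

    def is_tgt_valid(self, tgt):
        """Accept a TGT protected with the current or the previous key."""
        keys = [k for k in (self.current_key, self.previous_key) if k is not None]
        return any(verify_tgt(k, tgt) for k in keys)


def resets_to_invalidate(kdc=None, principal="admin@example.local"):
    """Count the krbtgt resets needed before a ticket minted under the
    pre-reset key stops validating. Returns 2 for this model."""
    kdc = kdc or KdcModel()
    stale_tgt = kdc.issue_tgt(principal)  # minted under the soon-to-be-old key
    resets = 0
    while kdc.is_tgt_valid(stale_tgt):
        kdc.reset_krbtgt()
        resets += 1
    return resets


if __name__ == "__main__":
    print(f"resets needed to invalidate an old-key ticket: {resets_to_invalidate()}")
```

The model also shows the operational side effect defenders must plan for: after the second reset, every ticket issued under the old key, legitimate ones included, is rejected, so the resets are spaced out to let legitimate tickets expire and the new key replicate to all domain controllers first.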
How Cymulate Can Help
Cymulate’s Breach and Attack Simulation (BAS) platform continuously tests your organization’s security controls to identify weaknesses that could be exploited by attacks like Golden Ticket. By simulating various attack methods, including Kerberos exploitation, Cymulate helps security teams understand their current vulnerabilities and improve their defenses.
Cymulate’s platform can also monitor for abnormal Kerberos traffic and detect early signs of suspicious activity that might be related to a Golden Ticket attack, enabling rapid response and mitigation.
Key Takeaways
- A Golden Ticket attack gives cybercriminals virtually unlimited access to a Windows domain by forging Kerberos authentication tickets.
- The attack requires administrative access to the domain and the extraction of the krbtgt account hash, after which attackers can impersonate any user.
- Regular krbtgt password changes, strong monitoring, and implementing least privilege access are crucial for defending against this attack.
- Cymulate’s BAS platform offers continuous validation of your security posture, helping organizations defend against Golden Ticket and similar attacks.