Steal or Forge Kerberos Tickets: Golden Ticket

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.[1] Golden tickets enable adversaries to generate authentication material for any account in Active Directory.[2]

Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.[3]

The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.[4] The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.

ID: T1558.001
Sub-technique of:  T1558
Tactic: Credential Access
Platforms: Windows
Permissions Required: User
Data Sources: Authentication logs, Windows event logs
Version: 1.0
Created: 11 February 2020
Last Modified: 31 March 2020

Procedure Examples

Name Description
Empire

Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.[5]

Ke3chang

Ke3chang has used Mimikatz to generate Kerberos golden tickets.[7]

Mimikatz

Mimikatz's kerberos module can create golden tickets.[6]

Mitigations

Mitigation Description
Active Directory Configuration

For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it.

Privileged Account Management

Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.

Detection

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within TGTs, and TGS requests without preceding TGT requests.[4][2][8]

Monitor the lifetime of TGT tickets for values that differ from the default domain duration.[9]

Monitor for indications of Pass the Ticket being used to move laterally.

References