STEALTHbits’ products provide a multitude of ways to detect and mitigate the Golden Ticket attack.
Detection of Golden Ticket is possible by inspecting Kerberos ticket requests where the TGT lifespan values are above the allowed ranges.
Golden Ticket Forged Lifetime Detection
Monitor for Kerberos tickets issued where the Maximum Lifetime for User Ticket and Maximum Lifetime for User Ticket Renewal values are above the values allowed in the domain policy. This will detect the majority of golden tickets, but if any users create golden tickets that are within the allowed lifespan those will not be detected. However, that largely defeats the purpose of the golden ticket, which is to have non-expiring administrative access to the domain.
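The lifetime comparison described above, written out as an added example (this is not STEALTHbits' product code). It assumes tickets have already been decoded into records with start, end and renew-till times, and it compares them against the well-known Default Domain Policy limits of 10 hours and 7 days; a real check should load the limits actually configured in the domain. The sample tickets are constructed and include one that stays within policy, to show the blind spot the text mentions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

# Kerberos policy limits to compare against. These are the Default Domain Policy
# defaults (assumed here); read the domain's configured values in practice.
DEFAULT_DOMAIN_POLICY = {
    "max_user_ticket": timedelta(hours=10),
    "max_user_ticket_renewal": timedelta(days=7),
}


@dataclass
class KerberosTicket:
    """Lifetime-relevant fields of a TGT as decoded from a ticket cache or request."""
    client: str
    service: str
    start_time: datetime
    end_time: datetime
    renew_till: datetime


def check_ticket_lifetime(ticket: KerberosTicket, policy=DEFAULT_DOMAIN_POLICY) -> List[str]:
    """Return the policy violations for one ticket (empty if its lifetimes are within policy)."""
    findings = []
    lifetime = ticket.end_time - ticket.start_time
    if lifetime > policy["max_user_ticket"]:
        findings.append(
            f"ticket lifetime {lifetime} exceeds Maximum Lifetime for User Ticket "
            f"({policy['max_user_ticket']})"
        )
    renewal = ticket.renew_till - ticket.start_time
    if renewal > policy["max_user_ticket_renewal"]:
        findings.append(
            f"renewal lifetime {renewal} exceeds Maximum Lifetime for User Ticket Renewal "
            f"({policy['max_user_ticket_renewal']})"
        )
    return findings


def find_forged_lifetimes(tickets, policy=DEFAULT_DOMAIN_POLICY) -> Dict[str, List[str]]:
    """Map client name -> findings for every ticket whose lifetimes exceed the policy."""
    flagged = {}
    for ticket in tickets:
        findings = check_ticket_lifetime(ticket, policy)
        if findings:
            flagged[ticket.client] = findings
    return flagged


# Constructed sample tickets (not captured from a real domain).
issued = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_TICKETS = [
    # A TGT issued by the KDC under the default policy: 10 hours, renewable for 7 days.
    KerberosTicket("alice@CORP.EXAMPLE", "krbtgt/CORP.EXAMPLE", issued,
                   issued + timedelta(hours=10), issued + timedelta(days=7)),
    # A forged TGT with a multi-year lifetime: the non-expiring access the text describes.
    KerberosTicket("admin@CORP.EXAMPLE", "krbtgt/CORP.EXAMPLE", issued,
                   issued + timedelta(days=3650), issued + timedelta(days=3650)),
    # A forged TGT deliberately kept within policy: indistinguishable by lifetime alone,
    # which is the gap the text notes.
    KerberosTicket("svc-backup@CORP.EXAMPLE", "krbtgt/CORP.EXAMPLE", issued,
                   issued + timedelta(hours=8), issued + timedelta(days=5)),
]

if __name__ == "__main__":
    for client, findings in find_forged_lifetimes(SAMPLE_TICKETS).items():
        print(client)
        for finding in findings:
            print("   ", finding)
```

Only the multi-year ticket is reported; the within-policy forged ticket passes, which is why the text pairs this detection with reducing the privileged access needed to forge a ticket in the first place.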
Creating a golden ticket requires information such as the KRBTGT account hash, which is only accessible to privileged accounts. The best mitigations to golden tickets involve restricting administrative rights to Active Directory as much as possible.
Reduce Domain Administrative Rights
Review membership of privileged domain groups (e.g. Domain Admins, Enterprise Admins, Server Operators) and remove unnecessary members.
Secure Active Directory Permissions
Review the following Active Directory permissions applied at the domain level:
These rights provide attackers the ability to obtain the krbtgt hash using the DCSync technique. Remove any unnecessary permissions.