Golden Ticket

How to detect and mitigate Golden Ticket attacks

By obtaining the password hash of the KRBTGT account, the most powerful service account in Active Directory (AD), an attacker can gain unlimited and virtually undetectable access to any system connected to AD.

Golden Tickets are very difficult to detect. The parameters the attacker uses to generate a Golden Ticket do not have to be real: the user account name and the Relative ID (RID) of the account can be real or fake, depending on what the attacker wants to accomplish. When configuring the groups the impersonated account will belong to, Mimikatz includes the Domain Admins group by default, so the ticket is created with maximum privileges.


STEALTHbits’ Golden Ticket Solution

STEALTHbits’ products provide a multitude of ways to detect and mitigate the Golden Ticket attack.

Detect Golden Ticket Attack

Detection of Golden Tickets is possible by inspecting Kerberos ticket requests whose TGT lifetime values exceed the ranges allowed by the domain policy.

APPROACH

Golden Ticket Forged Lifetime Detection

DESCRIPTION

Monitor for Kerberos tickets issued with values for Maximum Lifetime for User Ticket and Maximum Lifetime for User Ticket Renewal that exceed the values allowed in the domain policy. This will detect the majority of golden tickets, but golden tickets created within the allowed lifespan will not be detected. However, that largely defeats the purpose of a golden ticket, which is to have non-expiring administrative access to the domain.

PRODUCT: StealthDEFEND
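The lifetime check described above, as an added example that is not part of this page or of any STEALTHbits product: it parses ticket records laid out like the Windows `klist` cache listing and flags TGTs whose lifetime or renewal window exceeds the domain's Kerberos policy. The policy values (10 hours, 7 days) are the Default Domain Policy defaults and are an assumption here; the ticket records are constructed, not captured from a real host.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default Domain Policy values for Kerberos policy (assumed; read the real values from your GPO):
# "Maximum lifetime for user ticket" = 10 hours, "Maximum lifetime for user ticket renewal" = 7 days.
MAX_USER_TICKET_LIFETIME = timedelta(hours=10)
MAX_USER_TICKET_RENEWAL = timedelta(days=7)

# Constructed sample in the layout of the Windows `klist` ticket cache listing; not from a real host.
# Record #1 carries a ten-year lifetime and renewal window, far beyond anything a KDC issues under policy.
SAMPLE_KLIST = """
#0>     Client: alice @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/15/2024 9:00:00 (local)
        End Time:   1/15/2024 19:00:00 (local)
        Renew Time: 1/22/2024 9:00:00 (local)

#1>     Client: Administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 1/15/2024 9:05:00 (local)
        End Time:   1/15/2034 9:05:00 (local)
        Renew Time: 1/15/2034 9:05:00 (local)

#2>     Client: alice @ CORP.EXAMPLE
        Server: cifs/fs01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/15/2024 9:10:00 (local)
        End Time:   1/15/2024 19:00:00 (local)
        Renew Time: 1/22/2024 9:00:00 (local)
"""

TIME_FMT = "%m/%d/%Y %H:%M:%S"
FIELD_RE = re.compile(
    r"^\s*(Client|Server|Start Time|End Time|Renew Time):\s*(.+?)\s*(?:\(local\))?\s*$", re.M)


@dataclass
class Ticket:
    client: str
    server: str
    start: datetime
    end: datetime
    renew: datetime

    @property
    def lifetime(self) -> timedelta:
        return self.end - self.start

    @property
    def renew_window(self) -> timedelta:
        return self.renew - self.start

    @property
    def is_tgt(self) -> bool:
        # Only the TGT (service principal krbtgt/REALM) is bound by the user-ticket policy values.
        return self.server.lower().startswith("krbtgt/")


def parse_klist(text: str) -> list:
    """Split a klist listing into Ticket objects, keyed on the '#N>' record prefix."""
    tickets = []
    for record in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        f = dict(FIELD_RE.findall(record))
        tickets.append(Ticket(
            client=f["Client"], server=f["Server"],
            start=datetime.strptime(f["Start Time"], TIME_FMT),
            end=datetime.strptime(f["End Time"], TIME_FMT),
            renew=datetime.strptime(f["Renew Time"], TIME_FMT)))
    return tickets


def detect_forged_lifetime(tickets, max_lifetime=MAX_USER_TICKET_LIFETIME,
                           max_renewal=MAX_USER_TICKET_RENEWAL) -> list:
    """Return (client, reasons) for every TGT whose lifetime or renewal window exceeds policy.

    A forged TGT that stays inside policy is not flagged: this check only catches tickets
    minted with the long lifetimes that make a Golden Ticket worth forging in the first place."""
    findings = []
    for t in tickets:
        if not t.is_tgt:
            continue
        reasons = []
        if t.lifetime > max_lifetime:
            reasons.append(f"lifetime {t.lifetime} exceeds policy maximum {max_lifetime}")
        if t.renew_window > max_renewal:
            reasons.append(f"renewal window {t.renew_window} exceeds policy maximum {max_renewal}")
        if reasons:
            findings.append((t.client, reasons))
    return findings


if __name__ == "__main__":
    for client, reasons in detect_forged_lifetime(parse_klist(SAMPLE_KLIST)):
        print(f"ALERT {client}: " + "; ".join(reasons))
```

Record #0 sits exactly at the policy limits and is left alone, record #2 is a service ticket and is skipped, and only record #1 is reported; in production the same comparison is applied to ticket data from the endpoint cache or from KDC audit events rather than to embedded text.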


Mitigate Golden Ticket Attack

Creating a golden ticket requires information such as the KRBTGT account hash, which is only accessible to privileged accounts. The best mitigations for golden tickets involve restricting administrative rights to Active Directory as much as possible.

APPROACH #1

Reduce Domain Administrative Rights

DESCRIPTION

Review membership of privileged domain groups (e.g. Domain Admins, Enterprise Admins, Server Operators) and remove unnecessary members.

PRODUCT: StealthAUDIT

APPROACH #2

Secure Active Directory Permissions

DESCRIPTION

Review the following Active Directory permissions applied at the domain level:

  • Replicating Directory Changes
  • Replicating Directory Changes All

These rights give attackers the ability to obtain the KRBTGT hash using the DCSync technique. Remove any unnecessary permissions.

PRODUCT: StealthAUDIT
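The two reviews in Approach #1 and Approach #2, as an added example that is not part of this page or of StealthAUDIT: it aggregates the replication rights each trustee holds on the domain object and reports holders outside an expected set, then lists privileged-group members who are not on an approved list. The extended-right GUIDs are the schema values for the two permissions named above; the ACL entries, group memberships, the `EXPECTED_HOLDERS` allowlist and the approved-member lists are constructed assumptions, not data from a real domain.

```python
from dataclasses import dataclass

# Extended-right GUIDs from the AD schema for the two permissions named above.
DS_REPLICATION_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"      # Replicating Directory Changes
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"  # Replicating Directory Changes All
# An ExtendedRight ACE whose ObjectType is the null GUID grants every extended right, DCSync included.
ALL_EXTENDED_RIGHTS = "00000000-0000-0000-0000-000000000000"

RIGHT_NAMES = {DS_REPLICATION_GET_CHANGES: "GetChanges",
               DS_REPLICATION_GET_CHANGES_ALL: "GetChangesAll"}
DCSYNC_SET = frozenset(RIGHT_NAMES.values())  # both rights are needed to replicate secrets


@dataclass(frozen=True)
class Ace:
    """One access control entry, in the shape of a Get-Acl ActiveDirectoryAccessRule."""
    trustee: str
    access_type: str                 # "Allow" or "Deny"
    rights: frozenset                # e.g. {"ExtendedRight"}, {"GenericAll"}, {"WriteDacl"}
    object_type: str = ALL_EXTENDED_RIGHTS


def replication_rights_granted(ace: Ace) -> frozenset:
    """Names of the replication rights a single ACE confers on the domain object."""
    if ace.access_type != "Allow":
        return frozenset()
    if "GenericAll" in ace.rights:
        return DCSYNC_SET
    if "ExtendedRight" in ace.rights:
        if ace.object_type == ALL_EXTENDED_RIGHTS:
            return DCSYNC_SET
        name = RIGHT_NAMES.get(ace.object_type.lower())
        return frozenset([name]) if name else frozenset()
    return frozenset()


def review_domain_acl(aces, expected_holders) -> list:
    """Report (trustee, sorted rights, full_dcsync) for every holder outside the expected set.

    full_dcsync is True when the trustee holds both rights and can therefore pull the KRBTGT secret."""
    held = {}
    for ace in aces:
        granted = replication_rights_granted(ace)
        if granted:
            held.setdefault(ace.trustee, set()).update(granted)
    return [(trustee, sorted(rights), DCSYNC_SET <= rights)
            for trustee, rights in sorted(held.items())
            if trustee not in expected_holders]


def review_privileged_groups(memberships, approved) -> dict:
    """Members of each privileged group that are not on its approved list."""
    unexpected = {}
    for group, members in memberships.items():
        extra = sorted(set(members) - set(approved.get(group, ())))
        if extra:
            unexpected[group] = extra
    return unexpected


# Constructed sample domain-root ACL; not exported from a real domain.
EXT = frozenset({"ExtendedRight"})
SAMPLE_ACES = [
    Ace("BUILTIN\\Administrators", "Allow", EXT, DS_REPLICATION_GET_CHANGES),
    Ace("BUILTIN\\Administrators", "Allow", EXT, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("CORP\\Domain Controllers", "Allow", EXT, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "Allow", EXT, DS_REPLICATION_GET_CHANGES),
    Ace("CORP\\svc-backup", "Allow", EXT, DS_REPLICATION_GET_CHANGES),
    Ace("CORP\\svc-backup", "Allow", EXT, DS_REPLICATION_GET_CHANGES_ALL),
    Ace("CORP\\audit-readers", "Allow", EXT, DS_REPLICATION_GET_CHANGES),
    Ace("CORP\\helpdesk-tier1", "Allow", EXT),                                 # blanket "all extended rights"
    Ace("CORP\\legacy-app", "Deny", EXT, DS_REPLICATION_GET_CHANGES_ALL),       # Deny confers nothing
    Ace("CORP\\legacy-app", "Allow", frozenset({"WriteDacl"})),                 # not a replication right
]
# Assumed allowlist of principals that hold replication rights by design; confirm against your own forest.
EXPECTED_HOLDERS = {"BUILTIN\\Administrators", "CORP\\Domain Controllers",
                    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS"}

# Constructed group memberships and approved lists for Approach #1.
SAMPLE_GROUPS = {"Domain Admins": ["Administrator", "alice.admin", "svc-backup"],
                 "Enterprise Admins": ["Administrator"],
                 "Server Operators": ["helpdesk-tier1"]}
APPROVED = {"Domain Admins": ["Administrator", "alice.admin"], "Enterprise Admins": ["Administrator"]}

if __name__ == "__main__":
    for trustee, rights, full in review_domain_acl(SAMPLE_ACES, EXPECTED_HOLDERS):
        print(f"{'FULL DCSYNC' if full else 'partial'}: {trustee} holds {rights}")
    for group, extra in review_privileged_groups(SAMPLE_GROUPS, APPROVED).items():
        print(f"{group}: unapproved members {extra}")
```

The ACL review keys on the ACE's ObjectType rather than on a right's display name because a blanket ExtendedRight grant (null ObjectType) or GenericAll confers DCSync without either permission ever appearing by name in the ACL editor; a holder with only Replicating Directory Changes is reported as partial since the secret-bearing replication also needs the All right.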
