When hearing Golden Ticket, you may think of gaining full access to a certain secretive chocolate factory. But a Golden Ticket attack on your Active Directory (AD) is far from a prize. Like the story’s famous ticket, a successful attack grants an attacker potentially unlimited access to your organization’s Active Directory domain.
Exploiting weaknesses in Kerberos authentication, a Golden Ticket attack targets the KRBTGT account, the service account of the Key Distribution Center (KDC). Rather than authenticating every request, Kerberos issues the user a ticket-granting ticket (TGT), which is then used to request ticket-granting service (TGS) tickets for individual services. TGS tickets avoid repeated credential prompts, because applications accept a valid ticket as proof that the request has already been authenticated.
Convenient as this is for the user, it means that an attacker who can forge TGS tickets can issue themselves authentication tickets at any access level. With such Golden Tickets in hand, every Kerberos-authenticated system in the domain is exposed.
The difference a Golden Ticket makes
Many cyber-attacks center around stealing a user’s password. Whether through fake login forms or stolen password hashes cracked offline, the common denominator is the password itself.
Stolen credentials may only work until the compromised account is discovered and the password rotated. In addition, cracking passwords offline may require prohibitive amounts of computation time. The stolen credential may not even have access to anything useful.
By forging TGS tickets, the attacker bypasses the need to steal a specific account or crack a password. A successful Golden Ticket attack grants any level of access.
Breaching the Active Directory walls
Golden Ticket attacks are more complex than some other cyber-attacks. The threat actor must gain access to a domain controller and retrieve the KRBTGT password hash. Notably, the attack does not require the KRBTGT password itself, as the password hash alone is enough to compromise the service.
First, the threat actor must gain access to the network. This is often done through a targeted phishing email to an administrative user; stolen credentials from a previous data breach may also be purchased online.
Next, the attacker performs reconnaissance to find a route to a domain controller, either through an exploit or through a user account with direct access. Finally, with domain controller access in place, the attacker takes the KRBTGT password hash and forges the Golden Ticket itself. With this in hand, the attacker has unrestricted access to every Kerberos-authenticated service in the Active Directory domain.
Threat actors known to use this method include APT (Advanced Persistent Threat) groups such as "Playful Taurus," widely believed to operate from China and to target governments and industries such as oil. As early as 2018 this group was observed using Mimikatz to craft Golden Tickets in target domains, a practice that has continued to this day.
Defending the keys to the kingdom
As this attack takes several steps to perform, preventing access to the network in the first place is an effective defense. Proper education and phishing detection mean administrators and vulnerable users can spot and stop attempts early in the kill chain. Blocking weak passwords during password changes and periodically detecting compromised passwords in Active Directory also closes a valuable attack pathway.
Not every initial attack can be stopped, so locating a compromised account or workstation on the network can halt an attack before serious harm is done. This requires more than up-to-date antivirus: an organization needs to be able to spot the unusual activity that gives away an in-progress attack, such as network probing, inappropriate credential elevation, or pass-the-hash techniques.
If every other step has failed to detect an attack, protecting the domain controller from compromise is crucial. Locking down critical files such as the NTDS.dit database (the target of the NTDS dump attack), alerting on credential elevation (monitoring Windows Events 4768 and 4769), and verifying every access attempt are all essential steps to making sure a Golden Ticket attack does not succeed.
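The event monitoring mentioned above can be turned into a concrete correlation rule. Event 4768 is logged when the KDC issues a TGT and 4769 when a service ticket is requested; a forged TGT never passes through the KDC, so service-ticket requests for an account and host with no recent 4768 are worth a second look, as are RC4-encrypted tickets in a domain that otherwise uses AES. The following Python is an added example, not code from the article or from Specops; the pipe-separated export format and the sample events are constructed for illustration, and the two indicators are heuristics that need tuning (multi-DC log aggregation, sessions whose TGT predates the log window, legitimate RC4 clients).

```python
from datetime import datetime, timedelta

# Constructed flat export of Security events (assumed format, not a native Windows log layout):
# timestamp|event_id|account|client_ip|service|ticket_encryption_type
SAMPLE_EVENTS = """\
2024-02-29T20:00:00|4768|carol|10.0.0.31|krbtgt|0x12
2024-03-01T08:00:00|4768|alice|10.0.0.15|krbtgt|0x12
2024-03-01T08:00:05|4769|alice|10.0.0.15|cifs/fileserver|0x12
2024-03-01T08:10:00|4769|administrator|10.0.0.77|cifs/dc01|0x17
2024-03-01T08:11:00|4769|administrator|10.0.0.77|ldap/dc01|0x17
2024-03-01T09:00:00|4769|carol|10.0.0.31|http/intranet|0x12
2024-03-01T09:30:00|4768|bob|10.0.0.20|krbtgt|0x12
2024-03-01T09:30:02|4769|bob|10.0.0.20|http/intranet|0x12
"""

TGT_LIFETIME = timedelta(hours=10)  # default maximum TGT lifetime in Active Directory
RC4_HMAC = "0x17"                    # encryption type value for RC4-HMAC tickets


def parse_events(text):
    """Parse the constructed export into dicts, sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, account, client_ip, service, enc = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "account": account.lower(),
            "client_ip": client_ip,
            "service": service,
            "enc": enc,
        })
    events.sort(key=lambda e: e["time"])
    return events


def find_suspicious(text, tgt_lifetime=TGT_LIFETIME):
    """Return 4769 events that lack a recent 4768 for the same account/host,
    or that use RC4 where AES is expected. Both checks are heuristics."""
    last_tgt = {}   # (account, client_ip) -> time of most recent TGT issuance
    findings = []
    for e in parse_events(text):
        key = (e["account"], e["client_ip"])
        if e["event_id"] == 4768:
            last_tgt[key] = e["time"]
            continue
        if e["event_id"] != 4769:
            continue
        reasons = []
        issued = last_tgt.get(key)
        if issued is None or e["time"] - issued > tgt_lifetime:
            reasons.append("no 4768 TGT issuance for this account/host within TGT lifetime")
        if e["enc"] == RC4_HMAC:
            reasons.append("RC4-HMAC service ticket (0x17) where AES is expected")
        if reasons:
            findings.append({
                "time": e["time"].isoformat(),
                "account": e["account"],
                "client_ip": e["client_ip"],
                "service": e["service"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_EVENTS):
        print(f["time"], f["account"], f["client_ip"], f["service"], "; ".join(f["reasons"]))
```

Run against the sample, the rule is silent for alice and bob, flags the two administrator service-ticket requests on both counts, and flags carol's request because her last TGT was issued 13 hours earlier. In production the lookback must cover the full TGT lifetime and the events of every domain controller, since a client may obtain its TGT from one DC and request service tickets from another.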
Secure your passwords with Specops
Defending against Golden Ticket attacks with only Windows and Active Directory's built-in tools is challenging. With Specops Password Policy (SPP), it is much easier to avoid the initial incursion and make escalation difficult through solid password policies. IT teams can use SPP to enforce longer passwords of around 20 characters, which are far less vulnerable to password guessing and brute-force attacks. This is especially important for privileged accounts.
Nearly half of all breaches occur from stolen credentials, according to the recently released Verizon DBIR 2023 report. Even strong passwords can become vulnerable if compromised via a phishing attack or other form of data breach. SPP’s Breached Password Protection feature blocks the use of more than 3 billion unique compromised passwords – including those being used in attacks right now.
As set out in NIST SP 800-63B, an effective password policy combines appropriately complex passwords with breached-password detection. If a user enters a weak or previously stolen credential during a password change, Specops guides the user towards a secure password instead.
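To make the two policy elements concrete, here is an added Python example of a password-change check that enforces the roughly 20-character minimum discussed above and rejects candidates found in a breached-password list. It is illustrative code, not Specops' product or any part of SPP; the breached list is a handful of constructed SHA-1 digests standing in for a real feed. The list is indexed by the first five hex characters of the digest so the check can be answered by a prefix query without the full password or full hash leaving the client, the same k-anonymity pattern public breached-password services use.

```python
import hashlib

MIN_LENGTH = 20  # matches the ~20-character guidance in the article

# Constructed stand-in for a breached-password feed: SHA-1 digests of a few known-bad passwords.
_BREACHED_PASSWORDS = ["Password123", "Summer2023!", "correcthorsebatterystaple"]


def sha1_hex(password):
    """Upper-case SHA-1 hex digest, the representation breached-password feeds commonly use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(digests):
    """Index digests by their first 5 hex characters so lookups can be done by prefix."""
    index = {}
    for d in digests:
        index.setdefault(d[:5], set()).add(d[5:])
    return index


BREACHED_INDEX = build_prefix_index(sha1_hex(p) for p in _BREACHED_PASSWORDS)


def is_breached(candidate, index=BREACHED_INDEX):
    """Prefix lookup: only digest[:5] needs to be sent to a remote range service."""
    digest = sha1_hex(candidate)
    return digest[5:] in index.get(digest[:5], set())


def evaluate_password(candidate, index=BREACHED_INDEX, min_length=MIN_LENGTH):
    """Return the list of policy violations for a proposed password; empty means accepted."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if is_breached(candidate, index):
        problems.append("appears in breached-password list")
    return problems


if __name__ == "__main__":
    for pw in ["Summer2023!", "correcthorsebatterystaple", "quartz lantern river oak 7!"]:
        verdict = evaluate_password(pw)
        print(repr(pw), "->", "accepted" if not verdict else "; ".join(verdict))
```

Note that length and breach status are independent checks: a long passphrase that has appeared in a breach is still rejected, which is the point of combining the two rather than relying on length alone.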
Locking the doors to a Golden Ticket attack
A successful Golden Ticket attack is one of the worst-case scenarios for any IT department. With nearly unlimited access granted through this difficult-to-detect attack, the cost of recovery may include a complete rebuild of the environment. A robust password policy and the ability to detect compromised credentials are a vital first line of defense to proactively stop Golden Ticket attacks. Test out Specops Password Policy for free in your Active Directory today.