Golden Ticket (T1558.001)

Information

• Name: Golden Ticket

• ID: T1558.001

• Tactics:

• Technique:

Introduction

Golden Ticket (T1558.001) is a sub-technique within the MITRE ATT&CK framework under the broader category of "Steal or Forge Kerberos Tickets." This sub-technique involves attackers forging Kerberos Ticket Granting Tickets (TGTs) by exploiting compromised Kerberos ticket-granting service account credentials, specifically the Kerberos Key Distribution Center (KDC) account (krbtgt). With a forged Golden Ticket, adversaries can gain persistent and unrestricted access to resources within an Active Directory (AD) environment, bypassing standard authentication and authorization mechanisms.

Deep Dive Into Technique

Golden Ticket attacks exploit the Kerberos authentication protocol used in Windows Active Directory environments. Kerberos relies on a central authentication server, the Key Distribution Center (KDC), which issues Ticket Granting Tickets (TGTs) to authenticated users. The KDC account (krbtgt) password hash is used to encrypt and sign these TGTs. If adversaries manage to compromise the krbtgt account and extract its NTLM hash, they can use tools to craft forged TGTs, granting themselves elevated privileges and persistent access.

Technical execution methods and mechanisms include:

• Credential Extraction: Attackers typically require domain administrator-level privileges to dump the NTLM hash of the krbtgt account from the domain controller's memory or Active Directory database (NTDS.dit).

• Ticket Forging: With the krbtgt NTLM hash, adversaries use tools such as Mimikatz, Impacket, or Rubeus to create custom Kerberos tickets.

• Customization of Ticket Details: Attackers can specify arbitrary user privileges, group memberships, and ticket lifetimes, effectively elevating their access to domain administrator-level permissions.

• Persistence and Stealth: Golden Tickets can be crafted with long lifetimes (even years), providing persistent and stealthy access without requiring continuous interaction with the domain controller.

• Ticket Usage: Once forged, the Golden Ticket can be imported into memory, allowing attackers to authenticate and access resources across the entire domain without further authentication.

Tools commonly used for executing Golden Ticket attacks:

• Mimikatz: Widely used tool capable of extracting hashes and crafting Golden Tickets.

• Impacket: Python-based toolkit providing scripts for Kerberos exploitation.

• Rubeus: Lightweight C# toolset designed for Kerberos abuse and ticket manipulation.

When this Technique is Usually Used

Golden Ticket attacks are typically observed in advanced stages of an attack lifecycle, particularly after initial compromise and privilege escalation within a network. Scenarios and stages include:

• Post-exploitation Persistence: Attackers forge Golden Tickets to maintain persistent access even after initial detection and remediation efforts.

• Lateral Movement and Privilege Escalation: Adversaries leverage Golden Tickets to move laterally across domains and escalate privileges without repeated credential theft or exploitation.

• Advanced Persistent Threats (APTs): Sophisticated threat actors commonly employ Golden Ticket attacks to ensure long-term stealthy access to targeted networks.

• Evasion of Standard Authentication Controls: Golden Tickets bypass standard authentication mechanisms, making them attractive for attackers aiming to evade detection and logging mechanisms.

How this Technique is Usually Detected

Detection of Golden Ticket attacks requires robust monitoring and analysis of Kerberos authentication events, anomalies, and behavioral indicators. Effective detection methods and indicators of compromise (IoCs) include:

• Monitoring Authentication Logs:

  • Look for Kerberos tickets with unusually long durations or abnormal timestamps.

  • Identify tickets with anomalous user or group membership claims.

• Event Log Analysis:

  • Windows Event ID 4768 (Kerberos Authentication Ticket Requested) and Event ID 4769 (Kerberos Service Ticket Requested) may reveal anomalies, such as requests from unexpected hosts or unusual ticket lifetimes.

• Behavioral Analytics and Anomaly Detection:

  • Detect unusual patterns of account usage or abnormal access to sensitive resources.

  • Identify authentication attempts from unusual or unexpected locations, devices, or accounts.

• Endpoint Detection and Response (EDR) Tools:

  • Tools such as CrowdStrike, SentinelOne, Carbon Black, and Microsoft Defender ATP can detect in-memory credential manipulation and suspicious Kerberos ticket activities.

• Network Traffic Analysis:

  • Monitor unusual Kerberos protocol usage patterns or unexpected ticket requests.

• Periodic krbtgt Account Password Resets:

  • Regularly resetting the krbtgt account password twice in succession can invalidate existing Golden Tickets, helping to detect and mitigate attacks.

• Threat Hunting and Forensics:

  • Proactive threat hunting may uncover evidence of Golden Tickets through memory dumps, artifact analysis, or forensic investigation.

Specific Indicators of Compromise (IoCs):

• Presence of forged tickets with anomalous encryption types or ticket lifetimes.

• Unusual Kerberos ticket requests originating from unexpected endpoints.

• Suspicious NTLM hash extraction events or memory access patterns on domain controllers.

Why it is Important to Detect This Technique

Detecting Golden Ticket attacks is critical due to their severe and persistent impact on organizational security. Importance and impacts include:

• Persistent Unauthorized Access: Attackers can maintain indefinite access to sensitive resources, making early detection essential to prevent prolonged compromise.

• Privilege Escalation and Domain Compromise: Golden Tickets grant attackers unrestricted domain administrator-level privileges, enabling complete domain control and access to all sensitive data.

• Bypassing Security Controls: Golden Tickets bypass traditional authentication, authorization, and auditing mechanisms, undermining security infrastructure and visibility.

• Difficulty in Remediation: Once attackers possess a Golden Ticket, remediation efforts become challenging, often requiring extensive domain-wide password resets, krbtgt resets, and extensive forensic investigations.

• Data Breach and Exfiltration Risks: Attackers with persistent domain-level access can exfiltrate sensitive data, intellectual property, or personally identifiable information (PII), resulting in severe financial and reputational damage.

• Compliance and Regulatory Impacts: Organizations suffering from undetected Golden Ticket attacks may face regulatory penalties, compliance violations, and loss of trust from customers and stakeholders.

Early detection significantly reduces the attacker's dwell time, limits potential damage, and simplifies incident response and remediation efforts.

Examples

Real-world examples and scenarios involving Golden Ticket attacks include:

• NotPetya Attack (2017):

  • Attackers leveraged Mimikatz to extract domain administrator credentials and forged Golden Tickets to propagate ransomware across corporate networks.

  • Impact: Massive global disruption, billions of dollars in damages, significant downtime for affected organizations.

• APT29 (Cozy Bear) Activities:

  • Advanced persistent threat group APT29 has been observed utilizing Golden Ticket techniques to maintain persistent access to targeted networks, evade detection, and exfiltrate sensitive data.

  • Impact: Long-term espionage campaigns, theft of sensitive government and corporate information.

• FIN6 Financial Threat Actor:

  • FIN6 used Golden Tickets as part of their toolkit to maintain persistent and stealthy access to financial institutions, enabling large-scale payment card data theft.

  • Impact: Millions of compromised payment card records, significant financial loss, and reputational damage to targeted organizations.

• Carbanak Cybercrime Group:

  • Carbanak leveraged Golden Ticket attacks to maintain persistent access within banking networks, facilitating fraudulent transactions and theft of millions of dollars.

  • Impact: Extensive financial losses, compromised customer accounts, and undermined trust in financial institutions.

Tools commonly associated with these examples include:

• Mimikatz: Primary tool for credential extraction and ticket forging.

• Rubeus: Frequently used for ticket manipulation and stealthy Kerberos abuse.

• Impacket Scripts: Used to automate and execute Kerberos-based attacks in targeted environments.

These real-world examples highlight the significant risks and impacts associated with Golden Ticket attacks, emphasizing the importance of proactive detection, prevention, and response measures.