Skip to content

T1558 Steal or Forge Kerberos Tickets

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).1 Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.

On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.2

Linux systems on Active Directory domains store Kerberos credentials locally in the credential cache file referred to as the “ccache”. The credentials are stored in the ccache file while they remain valid and generally while a user’s session lasts.3 On modern Redhat Enterprise Linux systems, and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets. By default SSSD maintains a copy of the ticket database that can be found in /var/lib/sss/secrets/secrets.ldb as well as the corresponding key located in /var/lib/sss/secrets/.secrets.mkey. Both files require root access to read. If an adversary is able to access the database and key, the credential cache Kerberos blob can be extracted and converted into a usable Kerberos ccache file that adversaries may use for Pass the Ticket. The ccache file may also be converted into a Windows format using tools such as Kekeo.456

Kerberos tickets on macOS are stored in a standard ccache format, similar to Linux. By default, access to these ccache entries is federated through the KCM daemon process via the Mach RPC protocol, which uses the caller’s environment to determine access. The storage location for these ccache entries is influenced by the /etc/krb5.conf configuration file and the KRB5CCNAME environment variable which can specify to save them to disk or keep them protected via the KCM daemon. Users can interact with ticket storage using kinit, klist, ktutil, and kcc built-in binaries or via Apple’s native Kerberos framework. Adversaries can use open source tools to interact with the ccache files directly or to use the Kerberos framework to call lower-level APIs for extracting the user’s TGT or Service Tickets.78

Item Value
ID T1558
Sub-techniques T1558.001, T1558.002, T1558.003, T1558.004
Tactics TA0006
Platforms Linux, Windows, macOS
Permissions required User, root
Version 1.4
Created 11 February 2020
Last Modified 30 March 2023

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.16
M1041 Encrypt Sensitive Information Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.14
M1027 Password Policies Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.14 Also consider using Group Managed Service Accounts or another third party product such as password vaulting.14
M1026 Privileged Account Management Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.

Detection

ID Data Source Data Component
DS0026 Active Directory Active Directory Credential Request
DS0017 Command Command Execution
DS0022 File File Access
DS0028 Logon Session Logon Session Metadata

References

  1. Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020. 

  2. Microsoft. (2021, March 3). klist. Retrieved October 14, 2021. 

  3. Massachusetts Institute of Technology. (n.d.). MIT Kerberos Documentation: Credential Cache. Retrieved October 4, 2021. 

  4. Trevor Haskell. (2020, April 1). Kerberos Tickets on Linux Red Teams. Retrieved October 4, 2021. 

  5. Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021. 

  6. Benjamin Delpy. (n.d.). Kekeo. Retrieved October 4, 2021. 

  7. Cody Thomas. (2019, November 14). When Kirbi walks the Bifrost. Retrieved October 6, 2021. 

  8. Massachusetts Institute of Technology. (2007, October 27). Kerberos for Macintosh Preferences Documentation. Retrieved October 6, 2021. 

  9. Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. 

  10. Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020. 

  11. Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. 

  12. Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020. 

  13. Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. 

  14. Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. 

  15. French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. 

  16. UCF. (n.d.). The password for the krbtgt account on a domain must be reset at least every 180 days. Retrieved November 5, 2020.