
T1558.001 Golden Ticket

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGTs), also known as golden tickets.[1] Golden tickets enable adversaries to generate authentication material for any account in Active Directory.[2]

Using a golden ticket, adversaries can then request ticket-granting service (TGS) tickets, which grant access to specific resources. Golden tickets still require adversaries to interact with the Key Distribution Center (KDC) to obtain TGS tickets.[3]

The KDC service runs on all domain controllers that are part of an Active Directory domain. KRBTGT is the KDC service account and is responsible for encrypting and signing all Kerberos tickets.[4] The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.

Item | Value
ID | T1558.001
Sub-techniques | T1558.001, T1558.002, T1558.003, T1558.004
Tactics | TA0006
Platforms | Windows
Permissions required | User
Version | 1.1
Created | 11 February 2020
Last Modified | 05 November 2020

Procedure Examples

ID | Name | Description
S0363 | Empire | Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.[9]
G0004 | Ke3chang | Ke3chang has used Mimikatz to generate Kerberos golden tickets.[12]
S0002 | Mimikatz | Mimikatz's kerberos module can create golden tickets.[10][11]
S1071 | Rubeus | Rubeus can forge a ticket-granting ticket.[8]

Mitigations

ID | Mitigation | Description
M1015 | Active Directory Configuration | To contain the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.[7]
M1026 | Privileged Account Management | Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.

Detection

ID | Data Source | Data Component
DS0026 | Active Directory | Active Directory Credential Request
DS0028 | Logon Session | Logon Session Metadata
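Because a golden ticket is a forged TGT, the KDC never logs a TGT issuance (Windows event 4768) for it, yet the adversary must still ask the KDC for service tickets (event 4769), as the text notes. The following added example (not part of the ATT&CK page) correlates the two event types over constructed, simplified records and also flags RC4-encrypted service tickets in a domain where AES is expected; the event schema, sample values and 10-hour lifetime are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified schema (not real log data).
# 4768 = TGT issued by the KDC, 4769 = service ticket (TGS) requested.
# In practice, aggregate 4768/4769 from every domain controller, since
# the TGT and the TGS request may be served by different DCs.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4768, "user": "alice", "ip": "10.0.0.5", "etype": "0x12"},
    {"time": "2024-05-01T09:00:05", "id": 4769, "user": "alice", "ip": "10.0.0.5", "etype": "0x12"},
    {"time": "2024-05-01T11:30:00", "id": 4769, "user": "Administrator", "ip": "10.0.0.77", "etype": "0x17"},
    {"time": "2024-05-01T11:30:02", "id": 4769, "user": "Administrator", "ip": "10.0.0.77", "etype": "0x17"},
]

TGT_LIFETIME = timedelta(hours=10)  # assumed: default maximum TGT lifetime in domain policy
RC4 = "0x17"  # RC4-HMAC ticket encryption type (0x12 is AES256)


def find_suspicious_tgs(events, tgt_lifetime=TGT_LIFETIME, aes_expected=True):
    """Return 4769 events with no 4768 for the same account within tgt_lifetime
    before them, or that use RC4 where the domain is expected to use AES."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["time"])} for e in events),
        key=lambda e: e["ts"],
    )
    last_tgt = {}  # lower-cased account name -> time of most recent 4768
    findings = []
    for e in parsed:
        user = e["user"].lower()
        if e["id"] == 4768:
            last_tgt[user] = e["ts"]
            continue
        if e["id"] != 4769:
            continue
        reasons = []
        issued = last_tgt.get(user)
        if issued is None or e["ts"] - issued > tgt_lifetime:
            reasons.append("no TGT (4768) within lifetime")
        if aes_expected and e["etype"].lower() == RC4:
            reasons.append("RC4 (0x17) ticket where AES expected")
        if reasons:
            findings.append({"time": e["time"], "user": e["user"], "ip": e["ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_tgs(EVENTS):
        print(f["time"], f["user"], f["ip"], "; ".join(f["reasons"]))
```

Legitimate TGT renewals (event 4770) extend a ticket without a new 4768, and gaps in DC log collection look the same as a forged TGT, so treat hits as leads to confirm against logon session metadata rather than as proof.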
