T1558.001 Golden Ticket
Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGTs), also known as golden tickets.[1] Golden tickets enable adversaries to generate authentication material for any account in Active Directory.[2]
Using a golden ticket, adversaries are then able to request ticket-granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS tickets.[3]
The KDC service runs on all domain controllers that are part of an Active Directory domain. KRBTGT is the KDC service account and is responsible for encrypting and signing all Kerberos tickets.[4] The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.
Item | Value |
---|---|
ID | T1558.001 |
Sub-techniques | T1558.001, T1558.002, T1558.003, T1558.004 |
Tactics | TA0006 |
Platforms | Windows |
Permissions required | User |
Version | 1.1 |
Created | 11 February 2020 |
Last Modified | 05 November 2020 |
Procedure Examples
ID | Name | Description |
---|---|---|
S0363 | Empire | Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.[8] |
G0004 | Ke3chang | Ke3chang has used Mimikatz to generate Kerberos golden tickets.[11] |
S0002 | Mimikatz | Mimikatz's kerberos module can create golden tickets.[9][10] |
Mitigations
ID | Mitigation | Description |
---|---|---|
M1015 | Active Directory Configuration | To contain the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.[7] |
M1026 | Privileged Account Management | Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. |
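The M1015 procedure above (reset, force replication, verify, reset again) as an added PowerShell example. It is not code from the ATT&CK page or from Microsoft; it assumes the RSAT ActiveDirectory module, Domain Admin rights, network reachability to every domain controller, and a convergence timeout (300 seconds) that is an assumption you may need to raise for multi-site topologies. The function performs one reset and blocks until every DC reports the new PasswordLastSet, so the second reset is simply a second call.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the ATT&CK page or Microsoft). Performs ONE KRBTGT
# password reset on the PDC emulator, pushes the change to every other DC with
# Sync-ADObject, and verifies that PasswordLastSet has converged before returning.
# Call it twice to carry out the M1015 "reset twice" procedure.

function Reset-KrbtgtPassword {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Assumption: 5 minutes is ample for an intra-site sync; raise for WAN topologies.
        [int]$ConvergenceTimeoutSeconds = 300
    )

    Import-Module ActiveDirectory

    $ad  = Get-ADDomain -Identity $Domain
    $pdc = $ad.PDCEmulator
    $dcs = (Get-ADDomainController -Filter * -Server $Domain).HostName

    # 64 random bytes, Base64 encoded. Nobody types this value; the KDC derives
    # the Kerberos keys from it, so it only has to be unpredictable.
    $bytes = New-Object byte[] 64
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force

    $krbtgt = Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet
    $before = $krbtgt.PasswordLastSet

    if (-not $PSCmdlet.ShouldProcess("krbtgt in $Domain (PasswordLastSet $before)", 'Reset password')) {
        return
    }
    Set-ADAccountPassword -Identity $krbtgt -Server $pdc -Reset -NewPassword $newPassword

    # Push the changed object from the PDC to every other DC instead of waiting
    # for the replication schedule ("force replication" in the mitigation text).
    foreach ($dc in ($dcs | Where-Object { $_ -ne $pdc })) {
        Sync-ADObject -Object $krbtgt.DistinguishedName -Source $pdc -Destination $dc
    }

    # Verify convergence by asking each DC directly for PasswordLastSet; pwdLastSet
    # replicates as the same timestamp, so equality with the PDC's value is the test.
    $target   = (Get-ADUser -Identity krbtgt -Server $pdc -Properties PasswordLastSet).PasswordLastSet
    $deadline = (Get-Date).AddSeconds($ConvergenceTimeoutSeconds)
    do {
        $state = foreach ($dc in $dcs) {
            $seen = (Get-ADUser -Identity krbtgt -Server $dc -Properties PasswordLastSet).PasswordLastSet
            [pscustomobject]@{ DC = $dc; PasswordLastSet = $seen; Converged = ($seen -eq $target) }
        }
        $lagging = @($state | Where-Object { -not $_.Converged })
        if ($lagging.Count -gt 0 -and (Get-Date) -lt $deadline) { Start-Sleep -Seconds 10 }
    } while ($lagging.Count -gt 0 -and (Get-Date) -lt $deadline)

    if ($lagging.Count -gt 0) {
        throw "KRBTGT change has not replicated to: $($lagging.DC -join ', '). Do not run the second reset until it has."
    }
    Write-Verbose "KRBTGT PasswordLastSet moved from $before to $target on all $($dcs.Count) DCs."
    return $state
}

# Usage (the M1015 procedure), with a placeholder domain name:
# Reset-KrbtgtPassword -Domain corp.example -Verbose   # first reset, waits for replication
# Reset-KrbtgtPassword -Domain corp.example -Verbose   # second reset, invalidates tickets signed with the old key
```

Because the KDC keeps the previous KRBTGT key to validate tickets issued before the most recent change, only the second reset actually invalidates a golden ticket forged from the old hash. The same mechanism means that two back-to-back resets also invalidate every legitimate TGT in the domain and force all principals to re-authenticate, so outside an active incident the two calls are normally separated by at least the domain's maximum TGT lifetime (10 hours by default). Run with `-WhatIf` first to confirm the target domain and PDC.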
Detection
ID | Data Source | Data Component |
---|---|---|
DS0026 | Active Directory | Active Directory Credential Request |
DS0028 | Logon Session | Logon Session Metadata |
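One detection heuristic that follows from the text above, as an added PowerShell example (not from the ATT&CK page): a forged TGT is never issued by a KDC, but its holder must still ask a KDC for service tickets. In the domain controllers' Security logs this appears as event 4769 (a Kerberos service ticket was requested) for an account that has no event 4768 (a Kerberos authentication ticket, or TGT, was requested) on any DC within the look-back window. The event IDs are real Windows Security events; the record shape (Id, TimeCreated, TargetUserName, IpAddress), the 12-hour look-back and the sample records are constructed for this example.

```powershell
# Added example (not from the ATT&CK page). Flags accounts that requested
# service tickets (4769) without any preceding TGT request (4768) in the
# look-back window, which is how a forged TGT can surface in DC Security logs.
# Input objects mimic the fields extracted from Get-WinEvent XML; they must be
# collected from EVERY DC, since the TGT and TGS may have been issued by different ones.

function Find-TgsWithoutTgt {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        # Assumption: look-back longer than the max TGT lifetime (10 h default), so a
        # legitimate TGT issued earlier in the day is still found.
        [timespan]$LookBack = [timespan]::FromHours(12)
    )
    # 4769 writes the account as "alice@CORP.EXAMPLE", 4768 as "alice"; normalise both.
    $key = { param($name) ($name -split '@')[0].ToLowerInvariant() }

    # Index TGT issuance times per account.
    $tgtTimes = @{}
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4768 })) {
        $k = & $key $e.TargetUserName
        if (-not $tgtTimes.ContainsKey($k)) { $tgtTimes[$k] = New-Object System.Collections.Generic.List[datetime] }
        $tgtTimes[$k].Add($e.TimeCreated)
    }

    # A 4769 is orphaned when no 4768 for the same account falls inside [t - LookBack, t].
    $orphans = foreach ($e in ($Events | Where-Object { $_.Id -eq 4769 })) {
        $k = & $key $e.TargetUserName
        $covered = $false
        if ($tgtTimes.ContainsKey($k)) {
            foreach ($t in $tgtTimes[$k]) {
                if ($t -le $e.TimeCreated -and $t -ge $e.TimeCreated.Subtract($LookBack)) { $covered = $true; break }
            }
        }
        if (-not $covered) { $e }
    }

    # One row per account so the analyst sees volume and source addresses at a glance.
    $orphans | Group-Object -Property { & $key $_.TargetUserName } | ForEach-Object {
        $sorted = $_.Group | Sort-Object TimeCreated
        [pscustomobject]@{
            Account     = $_.Name
            TgsRequests = $_.Count
            FirstSeen   = ($sorted | Select-Object -First 1).TimeCreated
            LastSeen    = ($sorted | Select-Object -Last 1).TimeCreated
            ClientAddrs = ($_.Group.IpAddress | Sort-Object -Unique) -join ', '
        }
    }
}

# Constructed sample records (not real log data). 'alice' obtained a TGT before her
# service-ticket request; 'svc_backup' requests service tickets with no TGT on record.
$now = Get-Date '2020-11-05T09:00:00'
$sampleEvents = @(
    [pscustomobject]@{ Id = 4768; TimeCreated = $now.AddMinutes(-30); TargetUserName = 'alice';                   IpAddress = '::ffff:10.0.0.21' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $now.AddMinutes(-29); TargetUserName = 'alice@CORP.EXAMPLE';      IpAddress = '::ffff:10.0.0.21' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $now.AddMinutes(-10); TargetUserName = 'svc_backup@CORP.EXAMPLE'; IpAddress = '::ffff:10.0.0.77' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $now.AddMinutes(-9);  TargetUserName = 'svc_backup@CORP.EXAMPLE'; IpAddress = '::ffff:10.0.0.77' }
)

Find-TgsWithoutTgt -Events $sampleEvents | Format-Table -AutoSize
```

Against live data, feed it the 4768/4769 records from all DCs over a window longer than the look-back, and expect noise from accounts whose TGT predates the collection window or whose logs are missing from one DC; the heuristic is a triage signal to be paired with the Logon Session Metadata (4624/4672) for the same account, not a verdict on its own.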
References
1. Metcalf, S. (2015, August 7). Kerberos Golden Tickets are Now More Golden. Retrieved December 1, 2017.
2. Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
3. Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
4. Metcalf, S. (2014, November 10). Kerberos & KRBTGT: Active Directory's Domain Kerberos Service Account. Retrieved January 30, 2020.
5. Warren, J. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.
6. Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.
7. UCF. (n.d.). The password for the krbtgt account on a domain must be reset at least every 180 days. Retrieved November 5, 2020.
8. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
9. Delpy, B., Le Toux, V. (2016, June 5). module ~ kerberos. Retrieved March 17, 2020.
10. Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021.
11. Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018.