Look Out for Golden Tickets
In the book Charlie and the Chocolate Factory, a young boy receives a “golden ticket” that provides him access to Willy Wonka’s chocolate factory. In a cybersecurity context, a Golden Ticket attack means a cybercriminal has gained access to an organization’s entire Active Directory (AD) domain for up to 10 years. As the name and description suggest, these attacks can be devastatingly invasive and leave a network at the attacker’s mercy for long periods of time.
A core concept in the mechanism of these attacks is the Kerberos Key Distribution Center (KDC). The KDC functions as a trusted third-party authentication service as part of every domain controller within an AD. Kerberos grants a Ticket Granting Ticket (TGT) to prove recent authentication, allowing users to access resources without constantly reauthenticating.
- The user requests a TGT from the Authentication Server encrypted with the user’s password to access a resource.
- Kerberos checks for user access rights and prepares a TGT and session key, including a timestamp to dictate the duration of a session is valid. Before being sent, the TGT is encrypted with the KRBTGT password hash (this is shared amongst all the domain controllers in the AD).
- The user then requests a service granting ticket with the TGT they received.
- The Ticket Granting Service (TGS) then verifies this request using the TGT and returns a service ticket and session key for the requested Resource Server.
- The user sends a request with this ticket and session key to the Resource Server.
- The Resource Server verifies the ticket and session key match and then grants access, thus providing mutual authentication.
During a Golden Ticket incident, attackers bypass steps 1 and 2 in the above example and forge the TGTs themselves. Forging TGTs can be done manually but is commonly done using an exploitation software called mimikatz, which needs four information parameters to forge a TGT convincingly:
- Domain name
- Domain Security Identifier (SID)
- An account with ‘Replicating Directory Changes All’ and ‘Replicating Directory Changes’ privileges enabled (typically admins)
- The KRBTGT Password hash
Assuming parameter 3 is met, the other parameters can be gathered by simple PowerShell commands and mimikatz. Running the whoami /user command, using the account provides an attacker with the domain name and domain SID. Running a DCSync attack with mimikatz will lead to the KRBTGT password hash. Mimikatz can then use this information to generate a Golden Ticket. An attacker can then access network resources as a domain administrator on any account within the domain.
Golden Ticket Attacks are hard to detect because there are many ways to gather the above parameters beyond the standard technique. Adlumin Data Science takes a practical approach to build a defense – instead of tracking an attacker’s journey to obtaining fake credentials, parsing Windows event logs for end-result signatures of a Golden Ticket attack can be more fruitful. For example, attackers will look to obfuscate their activity by reusing an existing SID with an account that may or may not have an account name similar to that of the original SID owner. Thus, evidence of SID duplication can be a warning sign.
Adlumin Data Science is developing a suite of alerts based on attack signatures like the one mentioned above—being holistically deployed as a comprehensive defense against Windows authentication exploits. Watch our announcement forums for more on this soon.
Adlumin provides a Software-as-a-Service SIEM and managed security services. Our SIEM allows ingestion from multiple and diverse data sources from Office 365 events to Windows Critical Events and Linux Syslog and those from your existing security appliances and solutions.