What is a Golden Ticket Attack and How to Prevent It?

How Does a Golden Ticket Attack Work?

Kerberos authentication uses the Kerberos Key Distribution Center (KKDC) to protect and verify a user’s identity. With this system, the goal is to eliminate the need for multiple credential requests from the user, and instead verify the user’s identity and assign a ticket to the user for access. The KKDC uses a ticket-granting server (TGS) which will connect the user to the relevant service. The authentication server (AS) performs the initial authentication of the user. If successful, the user gets a Kerberos Ticket Grant Ticket (TGT) which is proof of authentication. To carry out a Golden Ticket attack, the attacker needs the fully qualified domain name, the security identifier of the domain, the KRBTGT password hash, and the username of the account holder. The attacker will typically extract the passwords of verified users from the Kerberos database.

How to Detect Golden Ticket Attacks?

There is no simple answer to this question, as the best way to detect a Golden Ticket attack will vary depending on the organization’s specific security posture and configuration. However, some common signs that an organization is vulnerable to a Golden Ticket attack might include;

• Someone tampering with the NTDS.DIT file, which is stored on every domain controller.
• Suspicious logon attempts, such as when a user logs onto a machine with admin rights when they are supposed to be on leave.
• The use of Mimikatz, a tool that is used to extract credentials from memory and perform DCSync attacks.

How to Prevent Golden Ticket Attacks

To prevent Golden Ticket attacks, it is crucially important that you monitor and audit access to Kerberos accounts and Kerberos tickets. IT administrators can enable auditing of Kerberos authentication using the Group Policy Management Console (GPMC), which allows them to monitor events to track both failed and successful logon activity. An unusually high number of failed login attempts, for example, may indicate a possible brute force attack. You should also keep a close eye on the following;

• Domain Controller activity.
• TGT requests, including the source and number of requests.
• TGTs with long lifetimes.
• Unusual domain replication activity.
• Changes to privileges, particularly the debug privilege.

While it is theoretically possible to manually scrutinize the native server logs to identify malicious activity, it is recommended that you use a more sophisticated Active Directory security solution that will give you a clearer view of how your accounts and being accessed and used, as well as generate real-time alerts when suspicious activity is detected.

You must also make sure that you have a strong password policy, or better yet, use multi-factor authentication on all privileged accounts. Additionally, it’s recommended that you set the Maximum lifetime for a service ticket to 600 minutes to prevent user’s accessing network resources outside of their typical sign-in hours.

In addition to the preventative measures mentioned above, you may also want to consider;

• Regularly changing the KRBTGT password.
• Limiting the number of accounts that can access the KRBTGT password hash.
• Regularly scanning your network for golden tickets and purging any that are found.
• Making sure that the system clock is synchronized.
• Educating users and IT staff on potential attacks.

If you’d like to see how the Lepide Data Security Platform can help to keep Active Directory secure, schedule a demo with one of our engineers or start your free trial today.