Page 74 - Cyber Defense eMagazine September 2022
The name says it all
The golden ticket concept arises from the Kerberos authorization technology used by Microsoft. Kerberos
runs on a Key Distribution Center (KDC) that issues tickets to authenticate all parties and verify their
identity across the network's nodes. The authentication process uses conventional shared-secret
cryptography, which prevents attackers from reading or altering packets as they move across the network.
Every time the KDC authenticates a user, it issues a ticket granting ticket (TGT) with a unique session
key and a timestamp that defines how long the ticket is valid. Once authenticated, the TGT serves as proof
that the user is legitimate, allowing them to access other resources within the environment. Each TGT is
encrypted with the password hash of the KRBTGT account, which is the so-called golden ticket.
If an attacker gains access to that hash, they can create a TGT and impersonate any user for any amount
of time, giving them unfettered access across the domain. From there, they only need four pieces of
information:
• The Fully Qualified Domain Name (FQDN) of the domain
• The Security Identifier (SID) of the domain
• The username of the account they plan to impersonate
• The KRBTGT password hash
Depending on how an organization manages privileged access, attackers either succeed or are stopped
partway through the attack. If they succeed in obtaining each of these, they hold a golden ticket to carry
out data breaches, ransomware attacks, and more.
What makes this attack so powerful and concerning is how attackers can continue abusing an identity
and moving laterally across systems with Kerberos tickets, even after the account has been flagged as
compromised and its credentials have been reset.
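The article's point that a forged TGT looks like any other TGT to the domain, yet is built from attacker-chosen values (domain name, SID, username, validity period), is what defenders lean on to spot one. The script below is an added example and not part of the article: it runs three common heuristics over constructed TGT records of the kind you would pull from a ticket-cache listing or KDC log. It assumes a domain max TGT lifetime of 10 hours (the Windows default), a realm name that must match the domain FQDN exactly, and a list of accounts known to exist in the directory; the domain, accounts and ticket records are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed domain facts for this example (assumptions, not from the article).
DOMAIN_FQDN = "corp.example.com"
KNOWN_ACCOUNTS = {"alice", "bob", "svc-backup"}
# Default Windows Kerberos policy: a user ticket (TGT) lives at most 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)


@dataclass
class TicketRecord:
    """One TGT as it might appear in a ticket-cache listing or KDC log (constructed)."""
    client_name: str      # user part of the client principal
    client_realm: str     # realm part of the client principal
    start_time: datetime
    end_time: datetime


def check_ticket(t: TicketRecord) -> list:
    """Return a list of findings for one TGT; an empty list means nothing suspicious.

    The heuristics target what an attacker controls when forging a TGT:
    the validity window, the realm string, and the account name.
    """
    findings = []

    # 1. Forged tickets are often minted with lifetimes far beyond domain policy.
    lifetime = t.end_time - t.start_time
    if lifetime > MAX_TGT_LIFETIME:
        findings.append(f"lifetime {lifetime} exceeds domain policy of {MAX_TGT_LIFETIME}")

    # 2. A genuine KDC stamps the realm exactly as configured (upper-case FQDN);
    #    a hand-typed realm that differs in case or spelling is a red flag.
    if t.client_realm != DOMAIN_FQDN.upper():
        findings.append(f"realm {t.client_realm!r} does not match {DOMAIN_FQDN.upper()!r}")

    # 3. The KDC only issues TGTs for accounts that exist; a ticket for an
    #    unknown account could only have been forged.
    if t.client_name.lower() not in KNOWN_ACCOUNTS:
        findings.append(f"account {t.client_name!r} does not exist in the directory")

    return findings


def triage(tickets) -> list:
    """Return (principal, findings) for every ticket with at least one finding."""
    flagged = []
    for t in tickets:
        findings = check_ticket(t)
        if findings:
            flagged.append((f"{t.client_name}@{t.client_realm}", findings))
    return flagged


# Constructed sample records: one normal TGT and two that match golden-ticket traits.
SAMPLE_TICKETS = [
    TicketRecord("alice", "CORP.EXAMPLE.COM",
                 datetime(2022, 9, 1, 9, 0), datetime(2022, 9, 1, 19, 0)),
    # Valid account, but a ten-year validity window.
    TicketRecord("bob", "CORP.EXAMPLE.COM",
                 datetime(2022, 9, 1, 9, 0), datetime(2032, 8, 29, 9, 0)),
    # Unknown account, lower-case realm, ten-year validity window.
    TicketRecord("ghost", "corp.example.com",
                 datetime(2022, 9, 1, 9, 0), datetime(2032, 8, 29, 9, 0)),
]

if __name__ == "__main__":
    for principal, findings in triage(SAMPLE_TICKETS):
        print(principal)
        for f in findings:
            print("  -", f)
```

None of the three checks is conclusive on its own, and a careful attacker can keep the lifetime and realm plausible; the unknown-account check and a lifetime check are still cheap to run over a log export and catch the default settings of common forging tools. Pair them with the mitigation the article goes on to describe: resetting the KRBTGT password invalidates every TGT encrypted under the old hash.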
Strategies to defend against golden ticket attacks
Golden ticket attacks are one of the most egregious examples of these trends. With a golden ticket in
hand, hackers can appear as any user or be granted the permissions of any role in Active Directory,
giving them free rein over your environment.
While there is no way to completely prevent golden ticket attacks, there are precautions you can take to
close off this entry point from attackers. These include:
1. Reduce the number of privileged administrators. The fewer there are, the less privileged-account
exposure you risk. You can also implement “Just Enough Admin” and “Just in Time” access for
administrators to further limit the privileges of those accounts and contain any attacker who gains
access to them.
Copyright © 2022, Cyber Defense Magazine. All rights reserved worldwide.