This is the first in a series of posts we’re calling QOMPLX Knowledge. This series is intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our investigations as well as forensic work with customers. Look for more in our QOMPLX Knowledge series in the days and weeks ahead!
To begin our QOMPLX Knowledge series, we thought it would be good to highlight attacks on Microsoft’s Active Directory platform. As we noted in our recent “ManyKatz” report: AD attacks are a common thread in many of the most high profile breaches in recent years. We also decided it would be good to “start at the top,” with one of the most widely used, potent and potentially damaging AD attacks around: so-called Kerberos “Golden Ticket” attacks.
- A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to forge valid Kerberos Ticket Granting Tickets (TGTs). This gives the attacker access to any resource on an Active Directory Domain (thus: a “Golden Ticket”).
- Golden Ticket Attacks give attackers unfettered access to networked resources and the ability to forge new tickets, allowing them to reside on networks indefinitely by being disguised as credentialed administrator-level users.
- Domain administrators must have the ability to monitor for the tell-tale signs of these stealthy Active Directory attacks. Fast, accurate, and deterministic detection of Active Directory hacks of the kind QOMPLX’s technology makes possible, is the best way to spot attacks on Active Directory early.
The History of the Golden Ticket Attack
The emergence of Golden Ticket Attacks is tied closely to the development of one tool: Mimikatz.
Introduced by French researcher Benjamin Delpy in 2011, Mimikatz was created to demonstrate vulnerabilities in Microsoft’s Active Directory platform. Its features give penetration-testers an easy way to harvest (or “dump”) credentials from a target network and also provides tools to aid in forging credentials.
Three years later, Delpy demonstrated a proof-of-concept Golden Ticket attack and introduced the Golden Ticket Attack as a feature in Mimikatz, dramatically lowering the barrier to entry for attacks against enterprise identity infrastructures. Other post-exploitation toolkits, including CrackMapExec have likewise brought Active Directory attacks into the mainstream, enabling even low skill hacking groups to deploy them for network reconnaissance and lateral movement.
The Golden Ticket Attack is particularly devastating because it allows attackers to forge Kerberos Ticket Granting Tickets (TGTs) by compromising the KRBTGT service that generates and validates Kerberos tickets within Active Directory. Active Directory is the central hub of enterprise authentication; the Golden Ticket Attack subverts the decades-old Kerberos authentication protocol, enabling attackers to easily escalate privileges and move laterally on enterprise networks without triggering alerts.
How Golden Ticket Attacks Work
Golden Ticket Attacks are post-exploitation attacks. That means that a threat actor must already have compromised a target in the environment before they can launch a Golden Ticket Attack. This initial compromise may involve the use of a phishing email campaign, an exploitation of a vulnerable or misconfigured, public facing IT asset, or a malware infection—targeted or otherwise.
Whatever the circumstances, once an attacker has a foothold on a network, they can start laying the groundwork for a Golden Ticket Attack. This involves:
- Reconnaissance to gather information about the domain, such as the domain name and domain security identifier (SID), both of which are relatively easily obtained by a whoami command on Windows.
- Acquisition of local administrator-level access to the domain controller in order to steal an NTLM hash of the Key Distribution Service account (KRBTGT). An attacker may obtain access to the Domain Controller, and then run a tool such as Mimikatz to harvest the credential. Optionally, attackers might use other password-grabbing attacks such as Pass-the-Hash or DC Sync to obtain the KRBTGT password hash from the domain controller without first authenticating to it.
- With the password hash for the Key Distribution Service account, the Golden Ticket Attack can be launched. Mimikatz creates a relative ID (RID) in Active Directory, supplies an account username for impersonation, and ultimately, obtains a Kerberos Ticket Granting Ticket (TGT), which gives the threat actor access to the domain controller as a domain administrator. These privileges allow the attacker access to any domain, group, or resource on the network.
- An attacker can set the ticket to be valid for any time period, up to 10 years (tickets are generally valid only for a few hours) granting them indefinite persistence as a legitimate user with a valid ticket that is virtually undetectable because it does not appear to be malicious traffic. However, sophisticated attackers with “Golden Ticket” access may choose not to employ extended validation periods so as to avoid detection.
How to Stop Golden Ticket Attacks
Attackers who have forged a Kerberos “Golden Ticket” are difficult to spot from the background noise of network activity. That is because they are moving about the network and accessing resources with a valid TGT Kerberos encrypted and signed by the domain Kerberos account (KRBTGT). Still, Golden Ticket attacks can be identified and stopped. Here are very basic steps to mitigate Golden Ticket Attacks:
Prevent Attacks with Patching
Stop compromises before they happen by reinforcing security education awareness, including training about password reuse and phishing attacks, and conducting vigilant patch management
Enforce User Least Privilege
Rely on a least-privilege model to restrict user and domain administrator access; limit the number of administrator accounts
Monitor and Reset Kerberos TGTs
Monitor for TGTs that exceed the default lifespan recommended for Active Directory: a maximum of 10 hours for a user ticket. However, note that sophisticated attackers don’t set incredible ticket times. Detections tied to these types of Mimikatz “default configuration” artifacts are unlikely to be presented by a more sophisticated adversary. If you are alerted to a Golden Ticket on your network, you must reset the KRBTGT service twice: once to generate a new key and a second time to delete the compromised key.
Validate the Kerberos Protocol
However, to actually defend against Golden Ticket Attacks, external validation of the Kerberos protocol is required to assure that every ticket presented by a Kerberos principal (i.e. service client) was in fact issued by a legitimate key distribution center.
Enterprises need to shore up the security of their critical infrastructure including—but especially—Active Directory and MIT Kerberos environments on Linux. Ensuring that their authentication systems have not been subverted ensures that other security controls, tools, and processes continue to operate as intended.
Real-time analytics with external stateful validation means that Kerber-ized applications can still be authenticated with confidence. However, no analytics can offer similar levels of confidence for NTLM.
QOMPLX makes it faster and easier for organizations to integrate disparate internal and external data sources across the enterprise via a unified analytics infrastructure that supports better decision-making at scale.
There are a number of great resources out there to understand more about Golden Ticket attacks. Check out:
How Active Directory Attacks went Mainstream
QOMPLX: The Importance of Lateral Movement Detection
Detecting Forged Kerberos Ticket (Golden and Silver Ticket) Use In Active Directory
Black Hat 2014: “Abusing Microsoft Kerberos: Sorry You Guys Don’t Get It”