Hunting for Golden Ticket Attacks

Understanding, Detection, and Mitigation

A Golden Ticket Attack is a sophisticated and high-impact Active Directory (AD) attack. By forging a Ticket Granting Ticket (TGT) using the compromised krbtgt account hash, attackers can impersonate any user, including Domain Admins, and gain unrestricted access to domain resources.


Attack Overview

Prerequisites

  • The attacker must have Domain Admin privileges to extract the krbtgt account hash.

  • Tools like Mimikatz are used to dump the krbtgt hash and forge a TGT.

Execution Steps

  1. Dump krbtgt Hash:

    • Use Mimikatz to extract the krbtgt hash:

      lsadump::lsa /inject /name:krbtgt
  2. Create and Inject Golden Ticket:

    • Generate a forged TGT with Mimikatz:

      kerberos::golden /User:Administrator /domain:CYBERCONSULTING.org /sid:S-1-5-21-XXXX /id:502 /krbtgt:<krbtgt_hash> /ptt
    • This ticket is injected into memory, giving the attacker complete domain access.

  3. Post-Compromise Actions:

    • Use klist to view Kerberos tickets.

    • Access privileged domain resources, such as C$ admin shares on Domain Controllers.


Detection Techniques

Detecting Golden Ticket attacks is challenging due to the use of valid credentials. However, specific anomalies in logs can help.

Key Events to Monitor

1. Event ID 4769: Kerberos Service Ticket Request

  • Indicators:

    • Service Name: krbtgt/<DOMAIN>.

    • Encryption Type: 0x17 (RC4) could indicate malicious activity.

    • Client Address: Requests from non-DC machines are suspicious.

2. Event ID 4624: Logon Success

  • Indicators:

    • Logon Type: 3 (Network).

    • Impersonation Level: Delegation (instead of Impersonation).

    • Security ID Mismatch: the Security ID in the event does not resolve to the Account Name shown (e.g., Account Name Administrator paired with the krbtgt SID).

    • Account Domain: Appears as FQDN (e.g., CYBERCONSULTING.org) rather than the normal short domain name (CYBERCONSULTING).

3. Event ID 4672: Special Privilege Assignments

  • Look for logons from privileged accounts (e.g., Administrator) originating from non-administrative workstations.

Ticket Lifetime Analysis

  • Default Kerberos ticket lifetime is 10 hours. Golden Tickets often have extended lifetimes (e.g., 10 years).

  • Use klist or custom scripts to monitor and alert on abnormal ticket lifetimes.
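An added example (not part of the original article) of the "custom script" route: it parses klist-style output and flags any ticket whose End Time minus Start Time exceeds the 10-hour default, or that uses RC4. The klist text below is a constructed sample, not a real capture, and the 10-hour threshold is the default named above; tune it to your domain's actual ticket policy.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `klist` output (not a real capture): ticket #0 has a
# 10-year lifetime and RC4 encryption, ticket #1 is a normal AES service ticket.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: Administrator @ CYBERCONSULTING.ORG
        Server: krbtgt/CYBERCONSULTING.ORG @ CYBERCONSULTING.ORG
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/15/2025 9:00:00 (local)
        End Time:   1/15/2035 9:00:00 (local)
        Renew Time: 1/15/2035 9:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01

#1>     Client: Administrator @ CYBERCONSULTING.ORG
        Server: cifs/FS01.cyberconsulting.org @ CYBERCONSULTING.ORG
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 1/15/2025 9:05:12 (local)
        End Time:   1/15/2025 19:00:00 (local)
        Renew Time: 1/22/2025 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0
        Kdc Called: DC01
"""

# Default maximum TGT lifetime named in the text; anything longer is abnormal.
MAX_EXPECTED_LIFETIME = timedelta(hours=10)
TIME_FMT = "%m/%d/%Y %H:%M:%S"
FIELDS = ("Client", "Server", "KerbTicket Encryption Type", "Start Time", "End Time")


def parse_klist(text):
    """Split klist output on the '#N>' ticket markers and pull the fields we need."""
    tickets = []
    for chunk in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = {}
        for key in FIELDS:
            # value runs to end of line; a trailing "(local)" marker is dropped
            m = re.search(rf"^\s*{re.escape(key)}:\s*(.+?)\s*(?:\(local\))?\s*$", chunk, flags=re.M)
            if m:
                fields[key] = m.group(1)
        tickets.append(fields)
    return tickets


def ticket_lifetime(ticket):
    """Lifetime as End Time minus Start Time."""
    start = datetime.strptime(ticket["Start Time"], TIME_FMT)
    end = datetime.strptime(ticket["End Time"], TIME_FMT)
    return end - start


def analyze_tickets(text):
    """Return (client, server, reasons) for every ticket that looks abnormal."""
    findings = []
    for t in parse_klist(text):
        reasons = []
        lifetime = ticket_lifetime(t)
        if lifetime > MAX_EXPECTED_LIFETIME:
            reasons.append(f"lifetime {lifetime} exceeds {MAX_EXPECTED_LIFETIME}")
        if "RC4" in t.get("KerbTicket Encryption Type", ""):
            reasons.append("RC4-HMAC ticket encryption")
        if reasons:
            findings.append((t["Client"], t["Server"], reasons))
    return findings


if __name__ == "__main__":
    for client, server, reasons in analyze_tickets(SAMPLE_KLIST):
        print(f"ALERT {client} -> {server}: {'; '.join(reasons)}")
```

Run against the sample, only ticket #0 (the krbtgt TGT) is reported, for both its lifetime and its RC4 encryption type; the cifs service ticket, which expires within the normal window, produces nothing.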


Example Log Analysis

Suspicious Event 4769

Event ID: 4769  
Service Name: krbtgt/CYBERCONSULTING  
Client Address: 192.168.1.101 (non-DC workstation)  
Encryption Type: 0x17  

Suspicious Event 4624

Event ID: 4624  
Logon Type: 3 (Network)  
Impersonation Level: Delegation  
Security ID: S-1-5-21-XXXX-502 (krbtgt SID)  
Account Name: Administrator  
Account Domain: CYBERCONSULTING.org (FQDN)  
Source Network Address: 192.168.1.101  

Indicators:

  • Non-DC client requesting krbtgt service tickets.

  • Security ID and Account Name mismatch.

  • Unusual FQDN format in the Account Domain field.
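The indicator lists under "Key Events to Monitor" and the two sample events above, turned into a small correlation routine. This is an added example, not code from the original article: the events are constructed dicts in the shape a SIEM would normalize them into, and the DC addresses, admin workstation list, short domain name and SID-to-account map are assumed environment facts a real deployment would take from its own inventory. Event 4672 carries no source address, so it is tied to its 4624 through the Logon ID, and a host that trips both the 4769 and 4624 rules inside a short window is rated HIGH rather than MEDIUM.

```python
from datetime import datetime, timedelta

# Assumed environment facts (constructed for this example): domain controller
# addresses, the hosts admins are expected to work from, the short domain name,
# and a SID-to-account lookup as a SIEM would carry it.
DC_ADDRESSES = {"192.168.1.10", "192.168.1.11"}
ADMIN_WORKSTATIONS = {"192.168.1.50"}
SHORT_DOMAIN = "CYBERCONSULTING"
KNOWN_SIDS = {"S-1-5-21-XXXX-500": "Administrator", "S-1-5-21-XXXX-502": "krbtgt"}
RC4_HMAC = "0x17"
WINDOW = timedelta(minutes=5)   # how close 4769 and 4624 hits must be to correlate

# Constructed sample events, normalized into dicts the way a SIEM presents them.
# The first three mirror the suspicious 4769/4624 pair in the text; the rest are benign.
EVENTS = [
    {"time": "2025-01-15T09:00:01", "id": 4769, "service_name": "krbtgt/CYBERCONSULTING",
     "client_address": "192.168.1.101", "encryption_type": "0x17"},
    {"time": "2025-01-15T09:00:03", "id": 4624, "logon_type": 3, "impersonation_level": "Delegation",
     "security_id": "S-1-5-21-XXXX-502", "account_name": "Administrator",
     "account_domain": "CYBERCONSULTING.org", "source_address": "192.168.1.101", "logon_id": "0x3e7a1"},
    {"time": "2025-01-15T09:00:03", "id": 4672, "account_name": "Administrator", "logon_id": "0x3e7a1"},
    {"time": "2025-01-15T09:10:00", "id": 4769, "service_name": "cifs/FS01.cyberconsulting.org",
     "client_address": "192.168.1.55", "encryption_type": "0x12"},
    {"time": "2025-01-15T09:10:01", "id": 4624, "logon_type": 3, "impersonation_level": "Impersonation",
     "security_id": "S-1-5-21-XXXX-500", "account_name": "Administrator",
     "account_domain": "CYBERCONSULTING", "source_address": "192.168.1.50", "logon_id": "0x5d2c0"},
    {"time": "2025-01-15T09:10:01", "id": 4672, "account_name": "Administrator", "logon_id": "0x5d2c0"},
]


def check_4769(e):
    """Indicators from the 4769 section: krbtgt service ticket from a non-DC host, RC4 etype."""
    reasons = []
    if e["service_name"].lower().startswith("krbtgt/"):
        if e["client_address"] not in DC_ADDRESSES:
            reasons.append("krbtgt service ticket requested from non-DC host")
        if e["encryption_type"].lower() == RC4_HMAC:
            reasons.append("RC4-HMAC (0x17) ticket encryption")
    return reasons


def check_4624(e):
    """Indicators from the 4624 section: Delegation level, SID/name mismatch, FQDN domain."""
    reasons = []
    if e["logon_type"] == 3 and e["impersonation_level"] == "Delegation":
        reasons.append("network logon with Delegation impersonation level")
    resolved = KNOWN_SIDS.get(e["security_id"])
    if resolved is not None and resolved.lower() != e["account_name"].lower():
        reasons.append(f"SID resolves to {resolved} but Account Name is {e['account_name']}")
    if e["account_domain"].upper() != SHORT_DOMAIN:
        reasons.append(f"Account Domain in FQDN form: {e['account_domain']}")
    return reasons


def hunt(events):
    """Run the per-event rules, then correlate hits by source host. 4672 has no
    address field of its own, so it is tied to its 4624 through the Logon ID.
    A host with both a 4769 and a 4624 hit inside WINDOW is rated HIGH."""
    logons = {}   # logon_id -> the 4624 event that created that logon session
    alerts = {}
    for e in sorted(events, key=lambda x: x["time"]):
        if e["id"] == 4769:
            host, reasons = e["client_address"], check_4769(e)
        elif e["id"] == 4624:
            host, reasons = e["source_address"], check_4624(e)
            logons[e["logon_id"]] = e
        elif e["id"] == 4672:
            src = logons.get(e["logon_id"])
            host = src["source_address"] if src else "unknown"
            reasons = (["privileged logon from non-admin workstation"]
                       if src and host not in (ADMIN_WORKSTATIONS | DC_ADDRESSES) else [])
        else:
            continue
        if not reasons:
            continue
        t = datetime.fromisoformat(e["time"])
        a = alerts.setdefault(host, {"event_ids": set(), "reasons": [], "first": t, "last": t})
        a["event_ids"].add(e["id"])
        a["reasons"].extend(reasons)
        a["last"] = t
    for a in alerts.values():
        correlated = {4769, 4624} <= a["event_ids"] and a["last"] - a["first"] <= WINDOW
        a["severity"] = "HIGH" if correlated else "MEDIUM"
    return alerts


if __name__ == "__main__":
    for host, a in hunt(EVENTS).items():
        print(f"[{a['severity']}] {host}: " + "; ".join(a["reasons"]))
```

On the sample, only 192.168.1.101 is reported, at HIGH, with all six indicators listed (two from 4769, three from 4624, one from 4672); the benign 4769/4624/4672 trio from the admin workstation produces no alert. The SID mismatch rule depends on the SID lookup being current, so feed it from the directory rather than a static table in production.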


Mitigation Strategies

1. Restrict Administrative Privileges

  • Enforce the least privilege principle to reduce the risk of krbtgt hash theft.

  • Limit Domain Admin accounts to essential tasks.

2. Regular Password Resets for krbtgt

  • Reset the krbtgt account password twice on a periodic schedule: the KDC still accepts tickets signed with the previous krbtgt password, so a single reset leaves forged TGTs valid and only the second reset invalidates them.

  • Perform this as part of routine security hygiene or after detecting suspicious activity.

3. Implement Monitoring Solutions

  • Use SIEM tools to correlate and alert on:

    • Event ID 4769 with RC4 encryption (0x17).

    • Event ID 4624 with impersonation anomalies.

  • Deploy tools like Microsoft Defender for Identity or Advanced Threat Analytics (ATA) to detect lateral movement and ticket forgeries.

4. Enable and Monitor Sysmon

  • Use Sysmon to track process creation and detect suspicious tools like Mimikatz or specific command-line usage:

    lsadump::lsa  
    kerberos::golden  

5. Analyze Ticket Lifetime

  • Set automated alerts for Kerberos tickets with unusual expiration times.


Key Points

Golden Ticket attacks are among the most severe Active Directory threats, granting attackers long-term control over the domain. By monitoring key event patterns, regularly rotating the krbtgt password, and leveraging advanced detection tools, organizations can significantly reduce their exposure and detect malicious activity early.

Key Takeaways:

  • Proactive Monitoring: Focus on Event IDs 4769, 4624, and ticket lifetimes.

  • Password Management: Regularly reset the krbtgt password to invalidate potential Golden Tickets.

  • Advanced Detection: Use SIEM and endpoint monitoring tools to identify anomalies and potential misuse.
