What is a Golden Ticket Attack
How a Golden Ticket Attack Works
1. Gaining Administrative privileges
2. Extracting the hash
3. Forging the Golden Ticket
4. Gaining Unauthorized Access
5. Prolonged Persistence
Strategies to Identify Golden Ticket Attacks
Logging is crucial for detecting malicious activity in an Active Directory (AD) environment, including Golden Ticket attacks. By enabling thorough logging and applying effective log analysis, organizations can significantly improve their ability to detect attacks and respond to them in time.
Monitor and analyze the Kerberos-related security event logs on the domain controllers: Event ID 4768 (a Kerberos authentication ticket, the TGT, was requested), 4769 (a Kerberos service ticket was requested) and 4770 (a Kerberos service ticket was renewed). These events are only written when the "Audit Kerberos Authentication Service" and "Audit Kerberos Service Ticket Operations" subcategories are enabled, so check the audit policy first. Pay attention to anomalies such as an excessive number of TGTs, TGTs issued for unusual user accounts, or unexpected use of TGTs by a single account. The most telling pattern is service-ticket requests (4769) for an account for which no domain controller ever logged a TGT request (4768): a Golden Ticket is forged offline with the KRBTGT key, so the KDC never issues it and never records a 4768 for it.
One key reason why logging is important is that it provides a detailed record of user authentication and ticket-granting activities within AD. By monitoring these logs, security teams can identify suspicious patterns or anomalies that may indicate a Golden Ticket attack in progress. For example, an unusually high number of TGT requests from a single user or repeated authentication attempts from different locations may raise red flags.
In addition, logs can reveal unauthorized modifications or access to the domain controllers, which could indicate attempts to extract the material needed to create Golden Tickets. In particular, watch for directory replication requests (DCSync) coming from accounts or hosts that are not domain controllers, and for access to the NTDS.dit database, since these are the usual ways to obtain the KRBTGT hash. Unusual account activity, such as changes to privileged accounts or modifications to security policies, can be an early indicator of a Golden Ticket attack in preparation.
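The correlation described above, written out as an added example (this is not code from the original page or from any tool the page mentions). It runs offline over a constructed list of 4768/4769/4770 events of the kind you would export from the domain controllers or a SIEM; the realm name CORP.LOCAL, the sample accounts and addresses, and the ten-hour TGT lifetime (the Default Domain Policy value) are assumptions to adjust to your environment. Any 4769 that no preceding, still-valid TGT issuance explains is reported; a realm string that does not match what the KDC writes is reported as a secondary hint.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Default "Maximum lifetime for user ticket" in the Default Domain Policy.
# Tune this to the value your domain actually uses.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events (not taken from a real environment). The fields
# mirror what the domain controller writes in 4768/4770 (TGT issued/renewed)
# and 4769 (service ticket requested): account name, realm, client address.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:55:00", "account": "alice",
     "domain": "CORP.LOCAL", "ip": "10.0.0.21"},
    {"id": 4769, "time": "2024-05-01T09:00:00", "account": "alice",
     "domain": "CORP.LOCAL", "ip": "10.0.0.21", "service": "cifs/fs01"},
    {"id": 4769, "time": "2024-05-01T09:10:00", "account": "alice",
     "domain": "CORP.LOCAL", "ip": "10.0.0.21", "service": "ldap/dc01"},
    # bob's TGT was issued 13.5 hours before this request and never renewed,
    # so a still-valid TGT cannot have come from the KDC.
    {"id": 4768, "time": "2024-04-30T20:00:00", "account": "bob",
     "domain": "CORP.LOCAL", "ip": "10.0.0.30"},
    {"id": 4769, "time": "2024-05-01T09:30:00", "account": "bob",
     "domain": "CORP.LOCAL", "ip": "10.0.0.30", "service": "cifs/fs01"},
    # Administrator requests service tickets from a host that never obtained a
    # TGT, and the realm is spelled differently from the one the KDC emits.
    {"id": 4769, "time": "2024-05-01T11:00:00", "account": "Administrator",
     "domain": "corp.local", "ip": "10.0.0.99", "service": "cifs/dc01"},
    {"id": 4769, "time": "2024-05-01T11:00:05", "account": "Administrator",
     "domain": "corp.local", "ip": "10.0.0.99", "service": "ldap/dc01"},
]


def parse_time(s):
    return datetime.fromisoformat(s)


def find_forged_tgt_candidates(events, expected_realm, max_lifetime=MAX_TGT_LIFETIME):
    """Return one alert per 4769 that no KDC-issued TGT can explain.

    A TGT issuance (4768) or renewal (4770) for the same account from the
    same client address must exist inside the preceding max_lifetime window;
    otherwise the TGT the client presented was never issued by a DC, which is
    exactly what a Golden Ticket looks like. Keying on (account, ip) rather
    than account alone also catches a forged ticket used from an attacker's
    host while the real user holds a legitimate TGT elsewhere; a VPN or NAT
    that changes client addresses mid-session will need the key relaxed.
    The realm comparison is case-sensitive on purpose: it is an
    environment-specific hint, reported separately from the missing TGT.
    """
    issued = defaultdict(list)
    for ev in events:
        if ev["id"] in (4768, 4770):
            issued[(ev["account"].lower(), ev["ip"])].append(parse_time(ev["time"]))

    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4769:
            continue
        t = parse_time(ev["time"])
        key = (ev["account"].lower(), ev["ip"])
        reasons = []
        if not issued.get(key):
            reasons.append("no_tgt_issued")
        elif not any(t - max_lifetime <= tgt <= t for tgt in issued[key]):
            reasons.append("tgt_expired")
        if ev["domain"] != expected_realm:
            reasons.append("realm_mismatch")
        if reasons:
            alerts.append({"time": ev["time"], "account": ev["account"],
                           "ip": ev["ip"], "service": ev["service"],
                           "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_forged_tgt_candidates(SAMPLE_EVENTS, "CORP.LOCAL"):
        print(alert)
```

Two practical caveats: the 4768 and the 4769 for one session often land on different domain controllers, so the correlation only works over the merged logs of every DC; and clients keep a TGT for its whole lifetime and renew it (4770) rather than asking for a new one, which is why the window is the policy lifetime and not a few minutes.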
Familiarizing yourself with the open-source tool Mimikatz and its functions is a real advantage in defending your fortress against Golden Ticket attacks. YARA rules for detecting Mimikatz can be crafted to match specific strings, code patterns or behaviours associated with the tool: module and command names such as kerberos::golden, command-line parameters, or unique strings the binary carries. Keep in mind that Mimikatz is a Unicode Windows binary, so its strings appear in UTF-16 as well as ASCII, and that attackers recompile or obfuscate the tool precisely to defeat string signatures, so behavioural detection (LSASS access, DCSync) should back the rules up.
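What such a rule does, shown as an added example rather than a YARA rule or code from the page: a small scanner in Python that searches a buffer or file for Mimikatz module and command strings in both ASCII and UTF-16LE (what YARA's `ascii wide nocase` modifiers do) and fires only when two or more distinct indicators are present (a "2 of them" condition). The indicator strings are real strings from the Mimikatz source; the two sample buffers are constructed for the example and are not real binaries.

```python
# Strings present in the Mimikatz source and binary; the module::command
# names are what an analyst would list in a YARA rule's strings section.
INDICATORS = [
    "mimikatz",
    "gentilkiwi",
    "sekurlsa::logonpasswords",
    "lsadump::dcsync",
    "kerberos::golden",
    "kerberos::ptt",
]

# Equivalent of a YARA condition of "2 of them": a single hit (for instance
# the word "mimikatz" inside a security product's own signature file) is noisy.
MIN_MATCHES = 2


def patterns(indicator):
    """ASCII and UTF-16LE forms of one indicator, like YARA's `ascii wide`.
    Lower-cased so the search can be case-insensitive (YARA `nocase`):
    bytes.lower() only touches ASCII letters and leaves the 0x00 high bytes
    of UTF-16LE alone, so the same trick works for both encodings."""
    s = indicator.lower()
    return {"ascii": s.encode("ascii"), "wide": s.encode("utf-16-le")}


def scan_bytes(data):
    """Return {indicator: [encodings in which it was found]}."""
    haystack = data.lower()
    hits = {}
    for ind in INDICATORS:
        found = [name for name, pat in patterns(ind).items() if pat in haystack]
        if found:
            hits[ind] = found
    return hits


def matches_rule(data, min_matches=MIN_MATCHES):
    """True when at least min_matches distinct indicators are present."""
    return len(scan_bytes(data)) >= min_matches


def scan_file(path):
    with open(path, "rb") as f:
        return scan_bytes(f.read())


# Constructed test buffers, not real binaries: one mimics a dropped Mimikatz
# build (ASCII author string plus a UTF-16LE command string, as a Unicode
# Windows binary carries it), the other is benign.
SUSPECT_BLOB = (b"MZ\x90\x00" + b"\x00" * 32 + b"gentilkiwi" + b"\x00" * 8
                + "Kerberos::Golden".encode("utf-16-le") + b"\x00" * 8)
BENIGN_BLOB = b"MZ\x90\x00" + b"\x00" * 32 + b"Copyright (c) Example Corp"

if __name__ == "__main__":
    print(scan_bytes(SUSPECT_BLOB), matches_rule(SUSPECT_BLOB))
    print(scan_bytes(BENIGN_BLOB), matches_rule(BENIGN_BLOB))
```

Run `scan_file` over a dropped executable or an LSASS/process memory dump; the wide-string match is the one people forget, and it is the form in which these commands actually sit in memory on a Windows host.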
How to Defend Against Golden Ticket Attacks
- User awareness and training are a strong preventative measure against any form of attack on your organization. Run simulated phishing campaigns, since most intrusions still begin with a user opening a malicious email;
- Regularly patch and monitor the domain controllers and their account activity. Apply security patches promptly and perform continuous vulnerability scanning to stay one step ahead of the attackers;
- Look for indicators of compromise (IoCs) on both the domain controllers and the KRBTGT account by detecting unusual behaviour such as password resets, repeated authentication requests, or account lockouts. After any suspected compromise, reset the KRBTGT password twice, allowing replication to complete between the two resets: the KDC still accepts tickets signed with the previous KRBTGT key, so a single reset leaves existing Golden Tickets valid;
- Monitor TGT lifetimes. Mimikatz forges Golden Tickets with a ten-year lifetime by default, and although careful threat actors set a short expiry that matches domain policy to avoid detection, it is still useful to watch for excessive issuance of TGTs and for the presence of forged tickets. A good practice is to compare the start and expiration times of cached TGTs (for example from klist on the endpoint) against the domain's maximum ticket lifetime, ten hours by default, and flag any abnormally long duration.
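The lifetime check from the last point, as an added example (not code from the page or from any tool it names): a parser for the output of the Windows `klist` command that compares each cached TGT's validity and renewal window against the Default Domain Policy values (ten hours and seven days) and also flags an RC4 TGT and a ticket with an empty "Kdc Called" field. The sample output is constructed in the en-US klist date format; the RC4 check only means something in a domain that has moved to AES, and treating an empty "Kdc Called" as "injected rather than requested from a DC" is an assumption of the example.

```python
import re
from datetime import datetime, timedelta

# Default Domain Policy values; tune these to your domain's Kerberos policy.
MAX_TGT_LIFETIME = timedelta(hours=10)   # Maximum lifetime for user ticket
MAX_RENEWAL = timedelta(days=7)          # Maximum lifetime for user ticket renewal

# Constructed klist output in the en-US format (M/D/YYYY H:MM:SS). Ticket #0 is
# a normal TGT; ticket #1 has the shape of a Golden Ticket forged with the
# Mimikatz defaults: ten-year validity and renewal, RC4 because it was built
# from the KRBTGT NT hash, and (assumed) no "Kdc Called" because it was
# injected into the cache rather than obtained from a domain controller.
SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7a1

Cached Tickets: (2)

#0>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 5/1/2024 9:00:00 (local)
        End Time:   5/1/2024 19:00:00 (local)
        Renew Time: 5/8/2024 9:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.corp.local

#1>     Client: Administrator @ corp.local
        Server: krbtgt/corp.local @ corp.local
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 5/1/2024 11:00:00 (local)
        End Time:   4/29/2034 11:00:00 (local)
        Renew Time: 4/29/2034 11:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0
        Kdc Called:
"""

FIELD = re.compile(r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|"
                   r"End Time|Renew Time|Kdc Called):\s*(.*?)\s*$")


def parse_klist(text):
    """Split klist output into one dict of labelled fields per cached ticket."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Client" in fields:
            tickets.append(fields)
    return tickets


def parse_ts(value):
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")


def check_tickets(text, max_lifetime=MAX_TGT_LIFETIME, max_renewal=MAX_RENEWAL):
    """Return a finding for every cached TGT whose validity does not fit policy."""
    findings = []
    for t in parse_klist(text):
        if not t["Server"].lower().startswith("krbtgt/"):
            continue  # service tickets have their own policy; only TGTs here
        start, end, renew = (parse_ts(t[k]) for k in ("Start Time", "End Time", "Renew Time"))
        reasons = []
        if end - start > max_lifetime:
            reasons.append("lifetime_exceeds_policy")
        if renew - start > max_renewal:
            reasons.append("renewal_exceeds_policy")
        if "RC4" in t["KerbTicket Encryption Type"].upper():
            reasons.append("rc4_tgt")        # meaningful only in an AES-only domain
        if not t["Kdc Called"]:
            reasons.append("no_kdc_called")  # assumed: injected, never requested
        if reasons:
            findings.append({"client": t["Client"], "lifetime": end - start,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in check_tickets(SAMPLE_KLIST):
        print(finding)
```

Collect `klist` output from the hosts you are investigating (run in the context of the logon session in question, since the ticket cache is per logon session) and feed it to `check_tickets`; a TGT whose validity exceeds what the domain's policy could ever have produced was not issued by your KDC.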