What is a Golden Ticket Attack?

Bart Lenaerts-Bergmans - July 22, 2022

A Golden Ticket attack is a malicious cybersecurity attack in which a threat actor attempts to gain almost unlimited access to an organization’s domain (devices, files, domain controllers, etc.) by accessing user data stored in Microsoft Active Directory (AD). It exploits weaknesses in the Kerberos identity authentication protocol, which is used to access the AD, allowing an attacker to bypass normal authentication.

As an increasing number of companies shift both to the cloud and a remote-first setting, the attack surface has grown beyond the traditional perimeter, with employees logging into company systems using their own devices and networks. This in turn has increased the risk that attackers will be able to break into a network and use a Golden Ticket attack to gain access.

Learn More

The Golden Ticket attack technique maps to the MITRE ATT&CK® Credential Access technique under the sub-technique Steal or Forge Kerberos Tickets. Learn more

What is the history of the Golden Ticket attack?

Golden Ticket attacks are intertwined with the open source tool Mimikatz, which is an open-source tool created in 2011 as a way to demonstrate the flaws in Microsoft Windows. It extracts credentials such as user names, passwords, hashes and Kerberos tickets. The Golden Ticket attack was named such because it exploits a vulnerability in the Kerberos authentication protocol. Just like in the book and movie Charlie and the Chocolate Factory, where the name comes from, the attack is a Golden Ticket that allows unlimited access, but instead of a well-guarded candy factory, it’s to bypass a company’s cybersecurity and gain access to its resources, files, computers and domain controllers.

How does a Golden Ticket attack work?

Typically, Kerberos authentication uses a key distribution center to protect and verify a user’s identity. With this system, the goal is to eliminate the need for multiple credential requests to the user, and instead verifies the user’s identity and assigns a ticket to the user for access. The Distribution center has the ticket-granting server, or TGS, which will connect the user to the service server. The Kerberos database contains the password of all verified users. The authentication server, or AS, performs the initial authentication of the user. If AS is verified then the user gets a Kerberos Ticket Grant Ticket, or TGT, which is proof of authentication.

How do attackers perform Golden Ticket attacks?

To carry out a Golden Ticket attack, the attacker needs the fully qualified domain name, the security identifier of the domain, the KRBTGT password hash and the username of the account they are going to access. The steps below detail how an attacker gets this information, and how they are then able to carry out the attack.

Step 1. Investigate: An attacker must already have access to the system. Often, phishing emails are used to first gain access to the system. Attackers will then investigate and gather intel like the domain name.

Step 2. Steal Access: After an attacker has access to the domain controller, they will then steal an NTLM hash of the Active Directory Key Distribution Service Account (KRBTGT). They might use techniques such as Pass-the-Hash (PtH) because unlike other credential theft attacks, this attack does not require the attacker to crack the password.

Step 3. Launch Attack: Once an attacker has the password for the KRBTGT, they can get a TGT, which then allows access to the domain controller, and verifies the identity of the server. The TGTs also grants the attacker unrestricted access to resources to assign others any domain-related tasks and allows them to create tickets.

Step 4. Retain Access: The ticket can be made valid for up to 10 years, and this type of attack is often not detected. Generally, attackers will set the tickets to be valid for a shorter period of time to further escape detection.

How to Detect Golden Ticket Attacks

There are several processes organizations should have in place to be able to detect a possible Golden Ticket attack. After Step 2 where an attacker has gained access, they can obtain login credentials for future attacks. Automated tools combined with previously discovered customer and employee information are used to find active accounts. When Kerberos is sent a TGT request without prior authentication, it will return different messages depending on if the login credentials are valid or not. Attackers take advantage of this and exploit valid credentials in possible future attacks. Security teams can look for multiple tickets that have been requested from one source without pre-authentication.

How can XDR help detect Golden Ticket attacks?

Extended detection and response (XDR) solutions collect threat data from tools across an organization’s technology stack, which helps expedite the threat hunting and response process. XDR solutions can integrate all detection and responses into one command console, enabling an organization to detect a Golden Ticket attack faster with the integrated threat data from across the technology stack.

Expert Tip

Unify detection and response across your security stack. CrowdStrike’s CrowdStrike Falcon® XDR™ extends the industry-leading endpoint detection and response (EDR) capabilities and delivers real-time multi-domain detection and orchestrated response to improve threat visibility across the enterprise, accelerate security operations and reduce risk.Download: CrowdStrike CrowdStrike Falcon® XDR Data Sheet

Tips to Prevent Golden Ticket Attacks

To prevent Golden Ticket attacks, several traditional security practices are crucial. Golden Ticket attacks are post-exploitation attacks, meaning that the environment needs to be compromised before an attacker carries out the attack. The following best practices can help prevent attackers from gaining access.

Tip 1. Secure Active Directory

A compromised endpoint or workload could put the entire enterprise at risk of a massive break. Zero Trust enforcement — never trust, always verify — aids in protecting AD and identities,  and ensures that users have been continuously verified and authorized before gaining access to any data.

Visibility into user access is imperative in this attack; the principle of least privilege (POLP) can aid in securing AD and preventing a Golden Ticket attack. This security concept ensures that users are only given the access rights that are necessary to the user’s job tasks.

Identity Protection such as Falcon Identity Threat Protection to secure an organization’s AD and reduce AD security risks. Monitoring AD constantly for any unusual behavior and putting systems in place to ensure that unauthorized users do not get access is imperative in preventing Golden Ticket attacks, versus having to respond to the attack when damage has already been done.

Tip 2. Focus on Stopping Credential Theft

Attacks like phishing emails are part of Step 1 of how a Golden Ticket attack is carried out, so make sure that staff is trained in how to spot phishing attempts to prevent attackers from gaining initial access. IT hygiene tools help ensure that all credentials are safe and passwords are changed regularly so if a system has been compromised, the attack will be detected and stopped.

Tip 3. Threat Hunting

Human-led threat hunting enables 24/7 hunting for unknown and stealthy attacks that utilize stolen credentials and are conducted under the guise of legitimate users. This type of attack can fly under the radar and escape detection by automated security tools. A Golden Ticket attack is meant to go undetected by a security system, and human-led threat hunting is crucial to identify them. Employing the expertise gained from daily “hand-to-hand combat” with sophisticated advanced persistent threat (APT) actors, threat hunting teams can finds and track millions of subtle hunting leads daily to validate if they are legitimate or malicious, alerting customers when necessary.

GET TO KNOW THE AUTHOR

Bart is Senior Product Marketing Manager of Threat Intelligence at CrowdStrike and holds +20 years of experience in threat monitoring, detection and intelligence. After starting his career as a network security operations analyst at a Belgian financial organization, Bart moved to the US East Coast to join multiple cybersecurity companies including 3Com/Tippingpoint, RSA Security, Symantec, McAfee, Venafi and FireEye-Mandiant, holding both product management, as well as product marketing roles.