Golden Ticket
https://attack.mitre.org/techniques/T1558/001/
ATT&CK ID: T1558.001
Permissions Required: User
Description
A Golden Ticket attack is a post-compromise Active Directory attack in which an attacker holding a compromised account with sufficient rights, such as a Domain Administrator or an account with DCSync rights, dumps the KRBTGT account hash and uses it to forge a Ticket Granting Ticket (the "golden ticket"). This effectively gives the attacker persistence and the ability to access any resource in the domain.
Every time the attacker wants to access a resource, they can forge a ticket for that resource and use it for access.
Techniques
Mimikatz (Scenario)
The scenario for the attack is we are an attacker who has compromised the Domain Administrator account and is currently running a session under this account. We are on a fully patched Windows Server 2019 system. We have transferred Mimikatz over to the DC and have started up a shell.
Firstly, let's check our privileges in Mimikatz.
We should be good to proceed with a return value of '20'. The debug privilege (SeDebugPrivilege) allows local Administrators to attach debuggers to processes. Mimikatz uses it to access processes such as LSASS. If the account did not have this privilege, Mimikatz would be more limited in what it is able to achieve.
We now need to pull relevant information from the KRBTGT account for us to construct the Golden Ticket attack.
From the output of this command we need the following information:
Domain SID
KRBTGT NTLM hash
After obtaining this information, we need to put it all together:
Where:
/User: can be any user. The account does not need to exist for this.
/Domain: is the domain name.
/SID: is the Domain SID.
/Krbtgt: is the NTLM hash of the KRBTGT account.
/id: is the RID of the account to impersonate, which is 500 for the built-in Administrator account by default.
/ptt: informs Mimikatz to pass the ticket into our current session.
We can confirm that this has worked by checking the last line of the output for:
'Golden ticket for 'Administrator @ vuln.local' successfully submitted for current session'
We can then create a separate command shell, using the Golden Ticket, with the following command:
With the newly created command shell, we can run the command dir on a workstation on the network:
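A defender's check for the scenario above, added here as an example and not part of the original page: a forged TGT is never issued by a KDC, so the service-ticket requests made with it (Event ID 4769) have no preceding TGT request (Event ID 4768) for the same account and client address on any domain controller. The event records and their field names are constructed to mirror Windows Security log fields, and the 10-hour window is an assumption based on the default TGT lifetime.

```python
from datetime import datetime, timedelta

# Constructed sample records mirroring Windows Security log fields on a DC
# (not captured from a real environment). 4768 = TGT request, 4769 = TGS request.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2024-05-01T09:00:00", "TargetUserName": "jsmith",
     "IpAddress": "10.0.0.15", "ServiceName": "krbtgt"},
    {"EventID": 4769, "Time": "2024-05-01T09:00:05", "TargetUserName": "jsmith@VULN.LOCAL",
     "IpAddress": "10.0.0.15", "ServiceName": "cifs/fs01.vuln.local"},
    # No 4768 exists anywhere for this request: the TGT was forged offline.
    {"EventID": 4769, "Time": "2024-05-01T11:30:00", "TargetUserName": "Administrator@vuln.local",
     "IpAddress": "10.0.0.99", "ServiceName": "cifs/ws01.vuln.local"},
]


def account_name(target_user_name):
    """4769 records carry user@REALM while 4768 records carry the bare name; normalise both."""
    return target_user_name.split("@", 1)[0].lower()


def find_tgs_without_tgt(events, window=timedelta(hours=10)):
    """Return 4769 events with no 4768 for the same account and client address
    within `window` before them. `events` must be merged from every DC in the
    domain, because a legitimate TGT may have been issued by a different DC.
    The default window is the 10-hour TGT lifetime (an assumption, not from the page)."""
    tgts = [e for e in events if e["EventID"] == 4768]
    suspicious = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        t = datetime.fromisoformat(e["Time"])
        acct, ip = account_name(e["TargetUserName"]), e["IpAddress"]
        has_tgt = any(
            account_name(g["TargetUserName"]) == acct
            and g["IpAddress"] == ip
            and timedelta(0) <= t - datetime.fromisoformat(g["Time"]) <= window
            for g in tgts
        )
        if not has_tgt:
            suspicious.append(e)
    return suspicious


if __name__ == "__main__":
    for e in find_tgs_without_tgt(SAMPLE_EVENTS):
        print(f"TGS without TGT: {e['TargetUserName']} from {e['IpAddress']} -> {e['ServiceName']}")
```

Clients that change address between the TGT and TGS requests will produce false positives, and sessions longer than the window need ticket-renewal events (Event ID 4770) added to the match.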
Empire
Methods of KRBTGT hash retrieval
DCSync
Empire
Invoke-DCSync
Resource: https://gist.github.com/monoxgas/9d238accd969550136db
NTDS.DIT
Metasploit
Mitigation
To contain the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice. This invalidates any existing golden tickets created with the old KRBTGT hash, along with other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time; the second reset is needed because the KDC still accepts tickets encrypted with the previous key until it is overwritten. Consider rotating the KRBTGT account password every 180 days. [source]