The Golden Ticket Attack: Exploiting Kerberos in Active Directory

Abstract

The Golden Ticket attack is a post-exploitation technique targeting the Kerberos authentication protocol within Microsoft’s Active Directory (AD). By forging a Ticket Granting Ticket (TGT)—the “golden ticket”—attackers can gain persistent, unauthorized access to any resource in an AD domain without needing valid user credentials. This paper explores the mechanics of the Golden Ticket attack, its prerequisites, its devastating impact on network security, and effective mitigation strategies. Understanding this attack is crucial for securing AD environments against advanced persistent threats.

Introduction

Kerberos is the default authentication protocol in Windows Active Directory, providing secure, ticket-based authentication across a network. It relies on a trusted Key Distribution Center (KDC), hosted on Domain Controllers, to issue tickets that prove a user’s identity. A Ticket Granting Ticket (TGT) is the initial ticket issued by the KDC’s Authentication Service (AS), allowing users to request Service Tickets (STs) for specific resources.

The Golden Ticket attack leverages a compromise of the KDC’s secret key—specifically the krbtgt account’s password hash—to forge TGTs. This enables attackers to impersonate any user, including high-privileged accounts, and maintain access indefinitely. First popularized by penetration testing tools like Mimikatz, this attack has become a hallmark of advanced cyber threats. This article details its operation, prerequisites, risks, and defenses.

Reference: Microsoft Documentation – Kerberos Authentication Overview

How the Golden Ticket Attack Works

The Golden Ticket attack exploits the trust inherent in Kerberos by forging a TGT that the KDC accepts as legitimate. Here’s a step-by-step breakdown:

  1. Credential Extraction:
  • The attacker compromises a system with administrative privileges on a Domain Controller (e.g., via malware, privilege escalation, or stolen credentials).
  • Using tools like Mimikatz, the attacker extracts the NTLM hash of the krbtgt account—the service account used by the KDC to sign and encrypt TGTs.
  2. Forging the Golden Ticket:
  • With the krbtgt hash, the attacker crafts a TGT using Mimikatz’s kerberos::golden command. They specify parameters such as:
    • Domain name
    • User to impersonate (e.g., Domain Admin)
    • Ticket lifetime (default is 10 years in Windows)
    • Session key
  • The forged TGT is signed with the stolen krbtgt hash, mimicking a legitimate ticket issued by the KDC.
  3. Using the Golden Ticket:
  • The attacker injects the forged TGT into their session’s Kerberos ticket cache (e.g., via Mimikatz’s kerberos::ptt command).
  • They then request Service Tickets (STs) from the KDC’s Ticket Granting Service (TGS) for any service or resource in the domain, such as file servers or administrative consoles.
  4. Persistent Access:
  • The TGT remains valid until its expiration (up to 10 years unless restricted) or until the krbtgt password is reset, allowing persistent access without further credential theft.
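The reason the KDC cannot tell a forged TGT from a real one, and the reason a single krbtgt reset does not evict it, both follow from the trust model above. The toy model below is an added illustration, not code from the article or from any tool it names. It assumes (as a simplification) that a ticket is protected by an HMAC under the krbtgt key rather than encrypted with it, and that the KDC accepts tickets under the current key or the previous one; the second assumption models the n-1 key behaviour that is the reason for the "reset twice" advice. User names, timestamps and key material are constructed.

```python
"""Toy model of the KDC trust that a Golden Ticket abuses (added illustration).

Assumptions, labelled: HMAC-SHA256 under the krbtgt key stands in for Kerberos
encryption of the TGT; the KDC honours the current and the previous key (n-1).
"""
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from typing import Optional

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended to the ticket body


def seal_ticket(payload: dict, key: bytes) -> bytes:
    """Protect a ticket body with the krbtgt key (stand-in for encryption)."""
    body = json.dumps(payload, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()


def open_ticket(ticket: bytes, key: bytes) -> Optional[dict]:
    """Return the payload if the ticket verifies under `key`, otherwise None."""
    body, tag = ticket[:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return json.loads(body)


class KDC:
    """Toy KDC: issues TGTs, keeps the current krbtgt key and the previous one."""

    def __init__(self) -> None:
        self.current_key = secrets.token_bytes(32)
        self.previous_key: Optional[bytes] = None

    def issue_tgt(self, user: str, now: datetime, lifetime: timedelta) -> bytes:
        payload = {"user": user, "start": now.isoformat(),
                   "end": (now + lifetime).isoformat()}
        return seal_ticket(payload, self.current_key)

    def reset_krbtgt(self) -> None:
        """One password reset: the old key survives as `previous_key`."""
        self.previous_key, self.current_key = self.current_key, secrets.token_bytes(32)

    def accepts(self, ticket: bytes, now: datetime) -> bool:
        """Accept an unexpired ticket sealed under the current or previous key."""
        for key in (self.current_key, self.previous_key):
            if key is None:
                continue
            payload = open_ticket(ticket, key)
            if payload is not None:
                return datetime.fromisoformat(payload["end"]) > now
        return False


def walkthrough() -> dict:
    """Replay the article's scenario: key theft, forged TGT, one reset, two resets."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed clock
    kdc = KDC()
    legit = kdc.issue_tgt("alice", t0, timedelta(hours=10))  # Windows default lifetime
    stolen_key = kdc.current_key  # what credential extraction hands the attacker
    # A forged TGT is the same sealing operation with the stolen key, an arbitrary
    # principal and an arbitrary lifetime; the KDC has nothing else to check.
    forged = seal_ticket({"user": "Administrator", "start": t0.isoformat(),
                          "end": (t0 + timedelta(days=3650)).isoformat()}, stolen_key)
    r = {}
    r["legit_accepted"] = kdc.accepts(legit, t0 + timedelta(hours=1))
    r["forged_accepted"] = kdc.accepts(forged, t0 + timedelta(hours=1))
    r["legit_after_a_day"] = kdc.accepts(legit, t0 + timedelta(days=1))   # expired
    r["forged_after_a_day"] = kdc.accepts(forged, t0 + timedelta(days=1))  # still valid
    kdc.reset_krbtgt()
    r["forged_after_one_reset"] = kdc.accepts(forged, t0 + timedelta(days=1))
    kdc.reset_krbtgt()
    r["forged_after_two_resets"] = kdc.accepts(forged, t0 + timedelta(days=1))
    return r


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```

The run shows the two properties the article relies on: the forged ticket is accepted for as long as its self-declared lifetime says, and it survives the first reset because the KDC still honours the previous key. Only the second reset removes the stolen key from the set the KDC trusts.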

Reference: Mimikatz Official Documentation

Prerequisites for a Golden Ticket Attack

The Golden Ticket attack requires specific conditions to succeed:

  • Domain Controller Compromise: The attacker must gain administrative access to a Domain Controller to extract the krbtgt hash. This can occur via vulnerabilities (e.g., CVE-2020-1472 “ZeroLogon”), malware, or stolen Domain Admin credentials.
  • krbtgt Hash Extraction: Tools like Mimikatz, including its DCSync technique (which abuses directory replication privileges to pull secrets as a Domain Controller would), are needed to retrieve the krbtgt NTLM hash from the AD database (NTDS.dit).
  • Kerberos Knowledge: The attacker must understand Kerberos workflows and ticket structures to craft a valid TGT.

Reference: MITRE ATT&CK – Credential Access: T1558.001

Impact of the Golden Ticket Attack

The Golden Ticket attack has profound implications for AD security:

  • Full Domain Compromise: The attacker can impersonate any user, including Domain Admins, granting unrestricted access to all domain resources—servers, workstations, and sensitive data.
  • Persistence: The long validity of the forged TGT (up to 10 years) ensures attackers retain access even after initial detection efforts, unless the krbtgt key is reset.
  • Stealth: Since the TGT appears legitimate to the KDC, the attack generates minimal suspicious activity, evading traditional monitoring unless Kerberos-specific anomalies are tracked.
  • Data Breaches: Access to privileged accounts enables data exfiltration, ransomware deployment, or sabotage across the domain.

This attack’s severity lies in its ability to undermine the entire trust model of Active Directory, making it a favored technique in advanced persistent threat (APT) campaigns.

Real-World Context and Examples

  • NotPetya (2017): The NotPetya ransomware leveraged credential theft and Kerberos exploitation techniques, including Golden Ticket-like persistence, to spread across networks after initial compromise.
  • CVE-2020-1472 (ZeroLogon): This vulnerability allowed attackers to reset a Domain Controller’s machine account password to a blank value, facilitating krbtgt hash extraction and subsequent Golden Ticket attacks. Patched in August 2020, it highlighted the risks of KDC compromise.

Reference: Microsoft Security Advisory – CVE-2020-1472

Mitigation Strategies

Defending against the Golden Ticket attack requires proactive and reactive measures:

  1. Protect the krbtgt Account:
  • Reset the krbtgt password twice (to invalidate all existing tickets) after a suspected compromise, following Microsoft’s recommended procedure. This disrupts Golden Tickets but requires careful planning to avoid service disruptions.
  • Reference: Microsoft – Resetting the krbtgt Password
  2. Secure Domain Controllers:
  • Apply patches for vulnerabilities like ZeroLogon (CVE-2020-1472).
  • Limit Domain Controller access to trusted administrators via network segmentation and Privileged Access Management (PAM).
  3. Monitor Kerberos Activity:
  • Enable auditing of Kerberos ticket events (Event IDs 4768, 4769) and look for anomalies, such as unusual TGT lifetimes or requests from unexpected sources.
  • Use tools like Microsoft Defender for Identity to detect Golden Ticket indicators.
  4. Restrict Administrative Privileges:
  5. Limit Ticket Lifetimes:
  • Reduce the maximum TGT lifetime (default 10 hours, renewable for 7 days) via Group Policy to shorten the validity window of forged tickets.
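The monitoring and lifetime items above can be turned into concrete checks. The script below is an added example, not code from the article or from Microsoft; it runs over a handful of constructed Security-log events (IDs 4768 and 4769) in an assumed one-line "time id key=value ..." export format. It applies two heuristics that follow from the mechanics described earlier: a forged TGT never passes through the Authentication Service, so a service-ticket request (4769) with no preceding TGT request (4768) for the same account and source within the TGT lifetime window is suspicious; and any Kerberos request from outside the expected client networks is flagged. A third function compares a ticket's start and end times against the domain's maximum TGT lifetime. The trusted network, event lines, host names and timestamps are all constructed.

```python
"""Added example: simple Golden Ticket indicators over constructed 4768/4769 events.

Assumed input format (a simplification of an exported Security log):
    <ISO time> <event id> TargetUserName=... [ServiceName=...] IpAddress=...
"""
import ipaddress
from datetime import datetime, timedelta

# Constructed sample events. Administrator requests a service ticket from a host
# that never requested a TGT; bob authenticates from outside the client network.
SAMPLE_EVENTS = [
    "2024-03-01T08:00:00 4768 TargetUserName=alice IpAddress=10.0.1.21",
    "2024-03-01T08:00:03 4769 TargetUserName=alice@CORP.LOCAL ServiceName=cifs/FS01 IpAddress=10.0.1.21",
    "2024-03-01T09:15:00 4769 TargetUserName=Administrator@CORP.LOCAL ServiceName=ldap/DC01 IpAddress=10.0.1.77",
    "2024-03-01T09:20:00 4768 TargetUserName=bob IpAddress=198.51.100.9",
    "2024-03-01T09:20:02 4769 TargetUserName=bob@CORP.LOCAL ServiceName=cifs/FS01 IpAddress=198.51.100.9",
]
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/16")]  # constructed client network
TGT_MAX_LIFETIME = timedelta(hours=10)                   # Windows default


def parse_event(line: str) -> dict:
    """Split one exported event line into time, id and its key=value fields."""
    time_str, event_id, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["time"] = datetime.fromisoformat(time_str)
    fields["id"] = int(event_id)
    # 4769 carries user@REALM; 4768 carries the bare account name.
    fields["user"] = fields["TargetUserName"].split("@")[0]
    return fields


def source_is_trusted(ip: str, trusted=TRUSTED_SOURCES) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted)


def find_indicators(lines, window: timedelta = TGT_MAX_LIFETIME, trusted=TRUSTED_SOURCES):
    """Return a list of (time, user, ip, reason) for events matching a heuristic."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["time"])
    last_tgt_request = {}  # (user, ip) -> time of most recent 4768
    alerts = []
    for ev in events:
        key = (ev["user"], ev["IpAddress"])
        if not source_is_trusted(ev["IpAddress"], trusted):
            alerts.append((ev["time"], ev["user"], ev["IpAddress"],
                           f"event {ev['id']} from unexpected source"))
        if ev["id"] == 4768:
            last_tgt_request[key] = ev["time"]
        elif ev["id"] == 4769:
            seen = last_tgt_request.get(key)
            if seen is None or ev["time"] - seen > window:
                alerts.append((ev["time"], ev["user"], ev["IpAddress"],
                               "service ticket request without a TGT request in window"))
    return alerts


def lifetime_within_policy(start_iso: str, end_iso: str,
                           max_lifetime: timedelta = TGT_MAX_LIFETIME) -> bool:
    """Check a ticket's lifetime (e.g. from a ticket-cache listing) against policy."""
    start = datetime.fromisoformat(start_iso)
    end = datetime.fromisoformat(end_iso)
    return timedelta(0) <= end - start <= max_lifetime


if __name__ == "__main__":
    for when, user, ip, reason in find_indicators(SAMPLE_EVENTS):
        print(f"{when.isoformat()} {user:<14} {ip:<14} {reason}")
    print("10h ticket ok:", lifetime_within_policy("2024-03-01T08:00:00", "2024-03-01T18:00:00"))
    print("10y ticket ok:", lifetime_within_policy("2024-03-01T08:00:00", "2034-02-27T08:00:00"))
```

The missing-4768 heuristic only works when the events from every Domain Controller in the domain are collected together: a client may have obtained its TGT from a different DC, or before the collection window opened, and would otherwise be flagged. Set the window to the domain's configured maximum TGT lifetime plus renewal period rather than the default if Group Policy has changed them.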

Conclusion

The Golden Ticket attack represents a severe threat to Active Directory security by exploiting the trust inherent in Kerberos authentication. By forging a TGT with a stolen krbtgt hash, attackers can achieve persistent, domain-wide access, making it a powerful tool for post-exploitation. While the attack requires significant prerequisites—namely Domain Controller compromise—its impact justifies robust preventive measures. Organizations must secure their AD infrastructure, monitor Kerberos usage, and be prepared to reset the krbtgt key to mitigate this risk effectively. As demonstrated by real-world incidents and vulnerabilities, the Golden Ticket attack underscores the need for layered defenses in modern network security.

References

  1. Microsoft Corporation. (2021). Kerberos Authentication Overview. https://docs.microsoft.com/en-us/windows-server/security/kerberos/kerberos-authentication-overview
  2. Harmj0y (Benjamin Delpy). (n.d.). Mimikatz Wiki. https://github.com/gentilkiwi/mimikatz/wiki
  3. MITRE ATT&CK. (2023). Steal or Forge Kerberos Tickets: Golden Ticket (T1558.001). https://attack.mitre.org/techniques/T1558/001/
  4. Microsoft Security Response Center. (2020). “CVE-2020-1472: Netlogon Elevation of Privilege Vulnerability.” https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-1472
  5. Microsoft Corporation. (2016). Resetting the krbtgt Account Password. https://docs.microsoft.com/en-us/windows-server/security/kerberos/reset-krbtgt-account-password

※ This article is written by Grok. Fact-Checking is required.