Overview#
Golden Ticket is a Kerberos Forged Ticket Attack and is often part of an Advanced Persistent Threat (APT) campaign.
Golden Ticket has a High Attack Effort
Golden Ticket Outcome#
After an attacker compromises a system and then escalates to Local Administrative Accounts privileges, a tool such as Mimikatz can dump Microsoft Windows credentials, such as LM hashes and Kerberos tickets, from memory and perform pass-the-hash and pass-the-ticket attacks.
If the attacker gains full Local Administrative Accounts privileges on a Windows Domain Controller, this feature allows creating a special Kerberos TGT ticket (Golden Ticket) which has the following properties:
- provides a method to arbitrarily generate Kerberos TGT tickets for any user of the target domain. It can therefore be used to impersonate anybody; Domain Administrator accounts are the most interesting, but potentially any legitimate user can be impersonated;
- can be created off-line, so one does not need to be connected to the domain once all the data required to create the ticket has been collected (see next section);
- is valid for an arbitrary lifetime; the Mimikatz default is 10 years, or until a Domain Administrator resets the Kerberos key used to generate the TGT. This is the current default implemented by Mimikatz, but tickets of any lifetime can be created at any time (arbitrary start, renewal and end times are possible);
- is not affected by the Kerberos lifetime policy (default renewal lifetime 10h and total lifetime 7 days). The KDC validates a TGT based on the lifetime settings embedded in the protected core of the ticket, not on the policy set on the Domain Controller. Even if a control enforcing that policy is in place, it cannot be used to block golden tickets: the attacker can generate a ticket whose lifetime is in line with the local policy and so bypass the control;
- can be replayed with the pass-the-ticket attack technique, allowing the attacker to access other resources available to the impersonated user;
- as with any pass-the-ticket, no privileged access is needed to replay and use the golden ticket;
- a password reset of the impersonated account does not make the Golden Ticket invalid;
- resetting the Kerberos secret key does make all Golden Tickets invalid;
- Windows event logs do not distinguish the use of a legitimate TGT from the use of a Golden Ticket, so there is no universal rule to detect the use of a Golden Ticket.
Mimikatz includes a feature called Golden Ticket. Creating a Golden Ticket requires the following data:
- The target domain name (e.g. vln2012.local).
- The SID of the target domain (this should be present in the output from the lsadump::lsa command; it is S-1-5-21-3871786346-2057636518-1625323419 in the example output above, or you can just strip the rightmost number off a user SID from the domain).
- The name of the user account to impersonate (e.g. Administrator).
- The RID of the user account to impersonate. The RID is the rightmost number in a full SID. For example, the RID for the built-in Administrator account is 500.
- The RIDs of the groups that the account should be a member of. The RID is the rightmost number in a full SID. For example, the RIDs for Domain Users and Domain Admins would be 512 and 513.
- One or more of the KRBTGT encryption keys
As of this writing, there are three encryption keys that may be used for the Golden Ticket functionality:
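The properties above give a defender two cheap triage signals: a TGT whose embedded lifetime is far outside the domain policy (the Mimikatz default is 10 years), and the SID/RID structure the ticket carries (domain SID plus the rightmost RID, with 500/512 marking the built-in Administrator and Domain Admins). The following script is an added example written for this page, not code from Mimikatz or from the original author. It assumes a hypothetical ticket record layout (the fields a defender would extract from klist output or KDC ticket-issuance audit events), uses the policy values and the domain SID quoted on this page, and takes the well-known RID names from Microsoft documentation.

```python
"""Triage checks for Kerberos TGT records: policy-violating lifetimes and
privileged RIDs. Added example; record layout is hypothetical."""
from datetime import datetime, timedelta

# Domain Kerberos policy values as quoted on this page (10 h renewal, 7 days total).
POLICY_TGT_LIFETIME = timedelta(hours=10)
POLICY_RENEW_LIFETIME = timedelta(days=7)

# Microsoft-documented well-known RIDs (not taken from the page's list).
WELL_KNOWN_RIDS = {
    500: "Administrator",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}
PRIVILEGED_RIDS = {500, 512, 519}


def split_sid(sid):
    """Split a full SID into (domain SID, RID): the RID is the rightmost
    sub-authority and the domain SID is everything before it."""
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
        raise ValueError(f"not a well-formed SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def check_ticket(ticket, expected_domain_sid):
    """Return a list of findings for one TGT record.

    `ticket` is a dict with keys client, client_sid, group_rids, start, end
    and renew_until (ISO 8601 timestamps). This is a constructed layout for
    the example, not a Windows or Mimikatz format.
    """
    findings = []
    start = datetime.fromisoformat(ticket["start"])
    end = datetime.fromisoformat(ticket["end"])
    renew_until = datetime.fromisoformat(ticket["renew_until"])

    # A forged ticket carries its own lifetime; the KDC does not re-check policy.
    if end - start > POLICY_TGT_LIFETIME:
        findings.append(f"ticket lifetime {end - start} exceeds policy maximum {POLICY_TGT_LIFETIME}")
    if renew_until - start > POLICY_RENEW_LIFETIME:
        findings.append(f"renewal window {renew_until - start} exceeds policy maximum {POLICY_RENEW_LIFETIME}")

    domain_sid, rid = split_sid(ticket["client_sid"])
    if domain_sid != expected_domain_sid:
        findings.append(f"client SID is from an unexpected domain: {domain_sid}")

    # Privileged RIDs are a triage signal for review, not proof of forgery.
    privileged = sorted(({rid} | set(ticket["group_rids"])) & PRIVILEGED_RIDS)
    if privileged:
        names = ", ".join(f"{r} ({WELL_KNOWN_RIDS[r]})" for r in privileged)
        findings.append(f"privileged RIDs in ticket, review the source host: {names}")
    return findings


def scan_tickets(tickets, expected_domain_sid):
    """Map each client name to its findings, keeping only tickets that have any."""
    report = {}
    for t in tickets:
        findings = check_ticket(t, expected_domain_sid)
        if findings:
            report[t["client"]] = findings
    return report


# Constructed sample records. The domain SID is the one quoted on this page.
DOMAIN_SID = "S-1-5-21-3871786346-2057636518-1625323419"
SAMPLE_TICKETS = [
    {   # ordinary user TGT, within policy
        "client": "jdoe",
        "client_sid": DOMAIN_SID + "-1105",
        "group_rids": [513],
        "start": "2024-01-10T08:00:00",
        "end": "2024-01-10T18:00:00",
        "renew_until": "2024-01-17T08:00:00",
    },
    {   # shaped like a default golden ticket: roughly 10-year lifetime, RID 500, Domain Admins
        "client": "Administrator",
        "client_sid": DOMAIN_SID + "-500",
        "group_rids": [512, 513],
        "start": "2024-01-10T08:00:00",
        "end": "2034-01-08T08:00:00",
        "renew_until": "2034-01-08T08:00:00",
    },
]

if __name__ == "__main__":
    for client, findings in scan_tickets(SAMPLE_TICKETS, DOMAIN_SID).items():
        print(client)
        for finding in findings:
            print("  -", finding)
```

The lifetime checks only catch tickets forged with the default lifetime; as the page itself notes, an attacker can embed a policy-conformant lifetime, so these are triage filters to narrow down which hosts to examine, not a detection rule. The SID split is the same "strip the rightmost number" step the requirements list describes, used here to validate that a ticket's client SID belongs to the expected domain.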