Kerberos Attack: How to Stop Golden Tickets?

Kerberos Attack: How to Stop Golden Tickets?

The Golden Ticket Attack, discovered by security researcher Benjamin Delpy, gives an attacker total and complete access to your entire domain. It’s a Golden Ticket (just like in Willy Wonka) to ALL of your computers, files, folders, and most importantly Domain Controllers (DC).

There’s some instances where an attacker may have had a Golden Ticket for several years: there’s no telling what the attackers were able to steal. They got in through a single user’s PC, installed mimikatz, and the rest is history.

How Does a Golden Ticket Attack Work?

In Active Directory, accounts sign in with a username and password, maybe some other form of authentication, and they then get back a Kerberos ticket that contains their authentication token.

The Golden Ticket is the Kerberos authentication token for the KRBTGT account, a special hidden account with the job of encrypting all the authentication tokens for the DC. That Golden Ticket can then use a pass-the-hash technique to log into any account, allowing attackers to move around unnoticed inside the network. How much sensitive data do you have on the network that is “locked down?” Is it locked down to a user with Domain Admin credentials?

In order to create and use a Golden Ticket, an attacker needs to find a way into the network:

  1. Infect the target computer with malware that allows attackers to leverage user accounts to access other network resources (often via a phishing email or some other vulnerability)
  2. Get access to an account with elevated privileges with access to the Domain Controllers (DC)
  3. Log into the DC and dump the password hash for the KRBTGT account to create the Golden Ticket. The attacker will use mimikatz or a similar hacking application to dump the password hash
  4. Load that Kerberos token into any session for any user and access anything on the network – again using the mimikatz application

The Golden Ticket attack is really clever – but not trivial to execute.

The most insidious part about this attack is you can change the password for the KRBTGT account, but the authentication token is still valid. You can rebuild the DC, but that authentication token is still valid.

It’s incredibly difficult to clean up after a Golden Ticket is created for your domain.

How to Defend Yourself from a Golden Ticket Attack

The good news: protecting yourself from a Golden Ticket attack is not all that different from protecting yourself any other malware or infiltration attack. Ultimately, an attacker needs privileged access to create the Golden Ticket in the first place – so the more difficult it is for them to steal credentials, the better you’re protected.

  • Train users to recognize bad links (and not to click on them)
  • Enforce a least privilege model
    • Limit user access to only what they need
    • Limit Admin and Domain Administrator access
    • Use Admin accounts sparingly and only for approved changes
  • Install endpoint protection to block attackers from loading modules like mimikatz
  • Create a choke point for access to your DCs, adding another layer of protection
    • Create a Terminal Server that can only talk to the DCs
    • Configure the DCs to only accept administrative connections from that Terminal Server
  • Monitor file activity and user behavior
  • Alert on known behavior that indicates Golden Ticket attacks

How Varonis Can Help You Discover and Stop Golden Ticket Attacks

Varonis leverages security analytics to discover and alert on security vulnerabilities and potential attacks. Our threat models are engineered from the ground up to detect activity and potential attacks throughout the kill chain.

The first thing the attacker needs to do is to infiltrate a user account with some malware that gives them access to the PC through a Command and Control network. Varonis analyzes perimeter telemetry and correlates that data with the data we collect from Directory Services. In this case, we’ll recognize the attempt to log into a user’s credentials from a previously unknown IP address in a foreign location. A security team has plenty of time to remove the RAT from the user’s computer and change the user’s password long before the attacker has time to get a foothold in your organization.

Threat Model: Abnormal behavior: activity from new geolocation to the organization
How it works: Any activity that originates outside of known geolocations will trigger this threat model.
What it means: Someone attempted to reach into the network through the VPN from a new geolocation.
Where it works: VPN

If they’re already in the network, one option to take over a privileged account is with a brute force attack, which Varonis can detect with this threat model:

Threat Model: Abnormal admin behavior: accumulative increase in lockouts for individual admin accounts
How it works: DatAlert detects statistically significant increases in lock-out events over time – and can identify an unusual amount of lock-out events on an admin account compared to their typical behavior.
What it means: It means that the account is trying to login and failing repeatedly. This could be a misconfigured password for a valid user, or it could be an attempt to brute force or guess the password by an outsider. This account is probably the target of a gradual brute-force attack aimed at stealing admin credentials or denying access.
Where it works: Directory Services

If an attacker tries to use mimikatz to start working on their Golden Ticket, Varonis sends this alert during the attempt – before it’s too late:

Threat Model: Exploitation software created or modified
How it works: Varonis detects a file create or file modify operation for a file that matches a list of known hacker tools (i.e., mimikatz).
What it means: An attacker has infiltrated the network and they are trying to establish further capability to move around undetected and steal data.
Where it works: Windows, Unix, Unix SMB, SharePoint, NetApp, EMC, Hitachi NAS, HP NAS, SharePoint Online, One Drive, Dell FluidFS, Nasuni

If an attacker is already in the system and has successfully created a Golden Ticket, you’ll be able to spot them when they use that Golden Ticket to log into an account with their full domain access privileges:

Threat Model: Potential pass-the-ticket attack
How it works: Varonis detected that a user account accessed a resource without authentication, meaning they bypassed the Kerberos protocol, possibly a successful Golden Ticket attack.
What it means: An attacker succeeded in a pass-the-hash attack, they might have a Golden Ticket, and they are logging in with those credentials right now.
Where it works: Directory Services

With this kind of immediate notice you will be able to take steps to reset all the passwords, the KRBTGT you need to change twice, invalidate any current Kerberos authentication tokens, and create new tokens for your users. You can close the security breach and disable the attacker’s access into your network.

Get a free risk assessment to see where you may be vulnerable to security breaches, including a Golden Ticket attack – and sign up for a 1:1 demo to see how to detect abnormal behavior that indicates an attack in-progress, and defend against a golden ticket attack.

Get the latest security news in your inbox.