By obtaining the password hash of the KRBTGT account, the account whose key encrypts and signs every Kerberos Ticket Granting Ticket (TGT) in Active Directory (AD), an attacker can forge TGTs (Golden Tickets) for any principal and gain persistent, very hard to detect access to any system joined to AD.
Golden Tickets are very difficult to detect because the KDC trusts any TGT that decrypts with the KRBTGT key and does not validate its contents. The parameters the attacker uses to generate a Golden Ticket therefore do not have to be real: the user account name and the Relative ID (RID) of the account can be real or fake, depending on what the attacker is looking to accomplish. When configuring the groups the impersonated account will belong to, Mimikatz includes the Domain Admins group (RID 512) by default, so the ticket is created with maximum privileges.
Stealthbits’ products provide a multitude of ways to detect and mitigate the Golden Ticket attack.
Detect Golden Ticket Attack
Detection of a Golden Ticket is possible by inspecting Kerberos tickets whose TGT lifetime values exceed the ranges allowed by domain policy.
APPROACH
Golden Ticket Forged Lifetime Detection
DESCRIPTION
Monitor for Kerberos tickets issued with values for Maximum Lifetime for User Ticket and Maximum Lifetime for User Ticket Renewal that are above the values allowed in the domain policy (by default 10 hours and 7 days respectively). A forged TGT carries whatever lifetime the attacker chose; Mimikatz, for example, issues Golden Tickets with a 10-year lifetime unless told otherwise. This will detect the majority of golden tickets, but a ticket forged with a lifetime inside the allowed range will not be detected. However, that largely defeats the purpose of a golden ticket, which is to have non-expiring administrative access to the domain.
Creating a golden ticket requires the KRBTGT account hash, which can only be obtained with domain-level administrative rights, for example by dumping it from a domain controller or replicating it over DCSync. The best mitigations for golden tickets therefore involve restricting administrative rights to Active Directory as much as possible.
APPROACH #1
Reduce Domain Administrative Rights
DESCRIPTION
Review membership of privileged domain groups (e.g. Domain Admins, Enterprise Admins, Server Operators) and remove unnecessary members.
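A review of privileged group membership, as an added PowerShell example that is not Stealthbits' code. It expands each privileged group recursively so nested memberships are not missed, and tags accounts that are disabled or have not logged on recently as candidates for removal. The group list, the 90-day staleness threshold and the use of the RSAT ActiveDirectory module are assumptions for the example.

```powershell
# Added example (not Stealthbits' code): list every account with direct or
# nested membership in the privileged groups, with the signals a reviewer needs
# to decide whether the membership is still necessary. Requires the
# ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators',
                    'Server Operators', 'Account Operators', 'Backup Operators'
$StaleAfter = (Get-Date).AddDays(-90)   # review threshold; an assumption

function Get-PrivilegedMembers {
    param([string[]] $Groups = $PrivilegedGroups)
    foreach ($name in $Groups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'"
        if (-not $group) { Write-Warning "Group '$name' not found in this domain"; continue }
        # -Recursive expands nested groups so indirect members are not missed.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Get-ADUser -Properties Enabled, LastLogonDate, PasswordLastSet |
            ForEach-Object {
                $flag = ''
                if (-not $_.LastLogonDate -or $_.LastLogonDate -lt $StaleAfter) {
                    $flag = 'no logon in 90 days, review'
                }
                if (-not $_.Enabled) { $flag = 'disabled, remove' }
                [pscustomobject]@{
                    Group           = $name
                    Account         = $_.SamAccountName
                    Enabled         = $_.Enabled
                    LastLogonDate   = $_.LastLogonDate
                    PasswordLastSet = $_.PasswordLastSet
                    Flag            = $flag
                }
            }
    }
}

# Report first; remove flagged members deliberately, dropping -WhatIf only
# after the membership has been reviewed.
Get-PrivilegedMembers | Sort-Object Group, Account | Format-Table -AutoSize
# Remove-ADGroupMember -Identity 'Domain Admins' -Members 'svc-old' -WhatIf
```

Enterprise Admins lives in the forest root domain, so run the script there or pass a -Server argument to the AD cmdlets when reviewing from a child domain. Get-ADGroupMember -Recursive does not resolve foreign security principals from trusted domains; those memberships still need a manual look.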