Group: Red Team
Keywords: Windows, Active Directory, Attack
Last edited time: May 27, 2024 7:34 AM
Status: In progress
👉 Overview
👀 What ?
A Windows Golden Ticket is an attack in which the adversary forges a Kerberos ticket granting ticket (TGT). A TGT is normally issued by the Key Distribution Center (KDC) of a Windows domain, but in this attack the adversary builds their own TGT, which the domain then accepts as valid and which grants them access to any resource on the network.
🧐 Why ?
Understanding the principles of the Windows Golden Ticket attack is crucial for both network administrators and cybersecurity professionals. For administrators, it can help identify potential weaknesses in their network's security. For cybersecurity professionals, it can aid in threat hunting and incident response. The attack exploits a critical aspect of the Windows Active Directory service, making it a severe threat to any organization using this service.
⛏️ How ?
To perform a Windows Golden Ticket attack, an adversary first needs to gain access to the krbtgt account hash. This can be done through various means, such as exploiting weak passwords or using malware. Once the hash is obtained, the attacker can use tools like Mimikatz to create a golden ticket. This ticket can then be loaded into the current session, granting the attacker access to any resource on the network.
⏳ When ?
The Windows Golden Ticket attack has been a publicly known technique since around 2014. It remains a relevant threat because of the widespread use of Windows Active Directory services.
⚙️ Technical Explanations
The Windows Golden Ticket attack exploits the Kerberos authentication protocol used by the Windows Active Directory service. The krbtgt account, which is created when a new domain is set up, holds the key used to encrypt and sign every Ticket Granting Ticket (TGT) in the domain. An attacker who obtains the hash of the krbtgt account can therefore forge TGTs that the KDC cannot distinguish from genuine ones, bypassing the access controls that would normally apply at logon. Because such a TGT is valid throughout the domain, the attacker can reach any resource. The key challenges in mitigating this threat are detecting the compromise of the krbtgt account and managing the remediation, which typically involves resetting the krbtgt account password twice: the KDC keeps the current and the previous krbtgt key and accepts tickets protected with either, so a single reset leaves forged tickets usable until the second reset pushes the compromised key out.
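The following is an added example, not code from the original page, that shows how a defender can look for the two things the "How" and "Technical Explanations" sections point at: a TGT that the KDC never issued, and a krbtgt key that has not been rotated. It runs over a constructed sample of domain controller Kerberos audit events (event 4768 = TGT requested, 4769 = service ticket requested); the field names, the 10-hour TGT window and the 180-day krbtgt rotation policy are assumptions for the example, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Kerberos audit events as a domain controller's Security log
# might record them, reduced to the fields this example needs. Field names are assumed.
#   4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ)
#   etype 0x12 = AES256-CTS-HMAC-SHA1-96, 0x17 = RC4-HMAC
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-27T07:00:00", "user": "alice", "ip": "10.0.0.21", "etype": "0x12"},
    {"id": 4769, "time": "2024-05-27T07:00:05", "user": "alice", "ip": "10.0.0.21", "etype": "0x12", "svc": "cifs/fs01"},
    # Service ticket for a privileged account from a host that never asked this DC for a TGT,
    # and negotiated with RC4 while the rest of the domain uses AES256.
    {"id": 4769, "time": "2024-05-27T07:10:00", "user": "Administrator", "ip": "10.0.0.99", "etype": "0x17", "svc": "cifs/dc01"},
]

# Assumed maximum TGT lifetime; the Active Directory default policy is 10 hours.
TGT_WINDOW = timedelta(hours=10)


def _ts(s):
    """Parse the ISO-8601 timestamps used in the sample events."""
    return datetime.fromisoformat(s)


def find_orphan_tgs_requests(events, window=TGT_WINDOW):
    """Return 4769 events from (user, ip) pairs with no 4768 in the preceding window.

    A forged TGT is never issued by the KDC, so the first trace it leaves on a domain
    controller is a service-ticket request with no matching TGT request. The events
    must be aggregated from every DC in the domain, otherwise legitimate clients that
    obtained their TGT from another DC will show up here too.
    """
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_times[(e["user"], e["ip"])].append(_ts(e["time"]))

    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        t = _ts(e["time"])
        recent = [x for x in tgt_times[(e["user"], e["ip"])] if t - window <= x <= t]
        if not recent:
            findings.append(e)
    return findings


def find_downgraded_etype(events, expected="0x12"):
    """Return Kerberos events whose encryption type differs from the domain baseline.

    Forging tools commonly produce RC4 tickets; in an AES-only domain a stray 0x17
    is worth a look even if it turns out to be a legacy client.
    """
    return [e for e in events if e["id"] in (4768, 4769) and e["etype"] != expected]


def krbtgt_reset_overdue(pwd_last_set_iso, now_iso, max_age=timedelta(days=180)):
    """True if the krbtgt key is older than the assumed rotation policy.

    Rotation is the remediation for a compromised krbtgt hash and has to be done
    twice, because the KDC still honours tickets protected with the previous key.
    """
    return _ts(now_iso) - _ts(pwd_last_set_iso) > max_age


if __name__ == "__main__":
    for e in find_orphan_tgs_requests(SAMPLE_EVENTS):
        print("TGS request without preceding TGT request:", e)
    for e in find_downgraded_etype(SAMPLE_EVENTS):
        print("Non-baseline encryption type:", e)
    # Constructed pwdLastSet value for the krbtgt account.
    print("krbtgt reset overdue:", krbtgt_reset_overdue("2023-01-01T00:00:00", "2024-05-27T07:34:00"))
```

Both log checks are heuristics that produce candidates, not verdicts: a missing 4768 can also mean incomplete log collection, and RC4 can mean an old client. They are useful because they cover the two moments the page describes, the first use of a forged ticket and the krbtgt key that makes forging possible in the first place.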