In the world of cybersecurity, one phrase you never want to encounter is the ominous “golden ticket.” Far from granting access to endless treats (and maybe a stomachache), a golden ticket attack on your IT environment is a fast pass to major headaches and serious security risks.
Like its literary inspiration, a golden ticket attack grants threat actors an all-access pass to your organization’s domain (such as devices and domain controllers) through data stored in Microsoft Active Directory (AD). It is one of the most serious cyberattacks exploiting security vulnerabilities in Kerberos, allowing bad actors to bypass normal authentication processes.
Deliver endpoint security through the familiar NinjaOne platform.
How does a golden ticket attack work?
In the book Charlie and the Chocolate Factory, a golden ticket presents a rare opportunity to enter a previously unknown land full of goodies, chocolates, and strange, funny creatures. However, as a cyberattack, a golden ticket eliminates the need for multiple credential requests into AD, instead assigning a ticket to a malicious actor for unrestricted access. Once inside, a malicious actor exploits any security vulnerability and can start wreaking whatever havoc they intend to do.
Though various methods exist to carry out a golden ticket attack, it typically follows four main steps.
- Gain access: Phishing emails are often used first to gain access to a system. Cybercriminals will then use the phishing attack to gather information about AD and Kerberos in the exploited system.
- Steal NTML hash: Once an attacker has access to your account, they will attempt to steal four pieces of information: the domain’s FQDN (fully qualified domain name), the domain’s SID (security identifier), the username of the account they wish to exploit, and the NTML hash of the Active Directory Key Distribution Service Account (KRBTGT) using various methods such as credential stuffing, credential dumping, Pass-the-Hash, and even brute force.
- Launch attack: The threat actor receives a Kerberos Ticket Granting Ticket (TGT), a small, encrypted identification file with a limited validity period. The attacker uses the TGT to gain unrestricted access to resources in your Active Directory.
- Retain access: Malicious actors will then take steps to ensure that they retain access to their TGT. This may include generating several TGTs one after another to escape detection.
Prevent golden ticket attacks
Golden ticket attacks are challenging to detect, but fortunately, they’re easy to prevent. Here are some tips we recommend:
Regularly change your KRBTGT password
The simplest defense against golden ticket attacks is to prevent them from accessing your Active Directory in the first place. While changing your KRBTGT password does not prevent hackers from creating golden tickets, it may invalidate those already in your systems.
It’s also wise to change the password for special circumstances, such as changes in management or relevant stakeholders. Even when you delete their privileged account, they may still have TGTs and become an insider threat.
Minimize the number of accounts that can access KRBTGT password hash
This is where you must employ the least privilege access strategy. Ensure that sensitive data (such as the KRBTGT password hashes) are only visible and accessible to appropriate users.
Monitor for suspicious activity
It’s essential that you train your IT team to look for unusual activity that may suggest an ongoing golden ticket attack. Such clues can include:
- TGTs with long lifetimes: Typical TGTs have a lifespan of roughly 8 to 10 hours. However, if you notice a Kerberos ticket that exceeds your domain policy for maximum ticket lifespan, it may suggest a Kerberos vulnerability.
- Unusual domain replication activity: This could signal that someone may be attempting to steal password hashes.
- Changes in PowerShell scrips: Look for any suspicious changes in scripts (particularly in PowerShell commands) running on your domain controllers.
Understand everything you need to know about PowerShell with a 30-minute crash course by NinjaOne.
- Unauthorized privileges: Pay close attention if the debug privilege is suddenly enabled.
Work with a certified ethical hacker
A certified ethical hacker works with your organization to uncover potential vulnerabilities in your system. Since golden ticket attacks are notoriously difficult to address once they’ve caused damage, prioritizing prevention is essential. Using the same techniques and tools as malicious hackers, an ethical hacker can help you build a stronger, more resilient cybersecurity framework.
Use endpoint protection
It’s a good idea to use an all-in-one endpoint management software solution with built-in endpoint security. This can significantly minimize the risk of a threat actor gaining access to your IT environment. On the off chance that a vulnerability is exploited, an endpoint management tool, such as NinjaOne, can deploy necessary remediation steps to reduce organizational impact.
NinjaOne strengthens device security to reduce risk
NinjaOne reduces security vulnerabilities with its all-in-one endpoint management software with built-in endpoint security functions. Trusted by 20,000+ customers worldwide, NinjaOne not only reduces complexity in your IT environment but improves visibility and control to identify and remediate patch-based vulnerabilities at scale quickly.
If you’re ready, request a free quote, sign up for a 14-day free trial, or watch a demo.
