Protecting against Kerberos Golden Ticket, Silver Ticket, and Pass-The-Ticket (PTT) Attacks

Nitin Jyoti, AttivoTechBlogs
Jul 16, 2021

Pass-The-Ticket (PTT) is a post-exploitation technique used for lateral movement and privilege escalation. Active Directory is a rich target for it: Kerberos tickets are encrypted and signed with long-term keys (the KRBTGT account's key for ticket-granting tickets, a service account's key for service tickets), and because the KDC keeps no record of the tickets it has issued, anyone holding one of those keys can mint tickets the domain will accept. All an attacker needs is a foothold inside the enterprise, usually obtained through social engineering; open-source tooling makes the rest straightforward and hard to detect. This blog looks at the two Pass-The-Ticket variants nation-state actors have used in several targeted and supply chain attacks: Golden Tickets and Silver Tickets.

A Golden Ticket attack aims at the whole domain by taking over the key of the KRBTGT account, the account under which the Key Distribution Center (KDC) service runs; every ticket-granting ticket (TGT) in the domain is encrypted with that key. With the KRBTGT password hash (or AES key), the domain name and the domain SID, attackers can forge TGTs for any user, with any group membership and any lifetime, and use them to request service tickets for any asset in the enterprise. They obtain the hash either by dumping the directory database (NTDS.dit) with administrative access to a Domain Controller, or by a DCSync attack, in which a compromised account holding the Replicating Directory Changes and Replicating Directory Changes All permissions asks a DC to replicate the secret to it.

A Silver Ticket attack targets a single service or application. Instead of the KRBTGT key it needs the long-term key of the account the service runs under. For a service running as SYSTEM that is the host's computer account key, which an attacker with local administrator rights can read from LSASS on that machine; for a service running under a domain user account it is that user's password hash, commonly obtained by Kerberoasting (request a service ticket for the account's SPN and crack it offline to recover the password). With that key the attacker forges a service ticket (TGS) for the target SPN and presents it directly to the service. By default most services do not validate the Privilege Attribute Certificate (PAC) with the Domain Controller, so the forged ticket is accepted without the DC ever seeing it.

Silver Tickets are easier for attackers to obtain because they need no domain-level privileges, only the key of one service account. They are also harder to detect, because forging and using a Silver Ticket never touches the Domain Controller, so DC logs show nothing. A Silver Ticket against one host is a stepping stone: code execution or credential theft on that host leads to further accounts and eventually to Domain Administrator. Because these stealthier techniques can end in complete domain compromise, organizations must find ways to protect against them within their infrastructure.

It is apparent why these techniques feature in large-scale attacks. In Ryuk and Darkside ransomware incidents, attackers used Golden and Silver Tickets to move laterally and deploy ransomware across numerous systems. In another case, Netwalker operators compromised a domain controller and deployed ransomware to every domain-joined system within 60 minutes.

This presentation from Black Hat described these attacks. In his blog on Detecting Forged Kerberos Tickets, Sean Metcalf documented several ways to detect and mitigate them. Most of these methods are manual, however, and do not scale in the real world.
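Several of those indicators can be scripted. The block below is an added example (not code from the original post, from Attivo, or from Metcalf's blog) that runs four checks over constructed sample events: a DCSync request by a non-DC account (event 4662 carrying the DS-Replication-Get-Changes-All extended right, whose GUID is the real one), a service ticket issued with RC4 encryption (4769, the Mimikatz default when no AES key is supplied), a service ticket request with no preceding TGT request from the same client (4769 without 4768, which is what a forged TGT looks like from the DC's side), and a Kerberos network logon on a member server for which the DC never issued a service ticket (4624 without 4769, the Silver Ticket case), plus the account-domain format heuristic from the detection writeup. The events are hand-written dicts using the Security event field names, not real telemetry; the domain name CORP, the DC accounts DC01$/DC02$, the hosts and users, and the assumption that the domain is AES-only are all made up for the example.

```python
"""Scripted forged-ticket indicators over constructed Windows Security events.
Added example; the sample events below are hand-written, not real telemetry.
Field names follow events 4662 / 4768 / 4769 / 4624; environment assumptions
(NetBIOS name, DC accounts, AES-only domain) are marked as such."""

# Extended right that DCSync needs: DS-Replication-Get-Changes-All (real GUID).
REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"                     # TicketEncryptionType value for RC4-HMAC
DC_ACCOUNTS = {"dc01$", "dc02$"}      # assumption: the domain's DC computer accounts
NETBIOS_DOMAIN = "CORP"               # assumption: what genuine logons show as domain


def ev(eid, src, **fields):
    return {"id": eid, "src": src, **fields}


def user_of(name: str) -> str:
    """'Administrator@corp.local' -> 'administrator' (4769 logs user@REALM)."""
    return name.split("@")[0].lower()


# Constructed sample: a DCSync by svc_backup, a Golden Ticket used from 10.0.5.23
# (RC4, no 4768 for that user/IP), a Silver Ticket logon on FS01 the DC never saw,
# with legitimate traffic for alice and for DC02's own replication mixed in.
EVENTS = [
    ev(4662, "DC01", SubjectUserName="svc_backup", IpAddress="10.0.5.23",
       Properties="{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"),
    ev(4662, "DC01", SubjectUserName="DC02$", IpAddress="10.0.5.2",
       Properties="{1131F6AD-9C07-11D1-F79F-00C04FC2DCD2}"),
    ev(4768, "DC01", TargetUserName="alice", IpAddress="10.0.5.10",
       TicketEncryptionType="0x12"),
    ev(4769, "DC01", TargetUserName="alice@CORP.LOCAL", ServiceName="FS01$",
       IpAddress="10.0.5.10", TicketEncryptionType="0x12"),
    ev(4769, "DC01", TargetUserName="Administrator@corp.local", ServiceName="FS01$",
       IpAddress="10.0.5.23", TicketEncryptionType="0x17"),
    ev(4624, "FS01", TargetUserName="alice", TargetDomainName="CORP", LogonType="3",
       AuthenticationPackageName="Kerberos", IpAddress="10.0.5.10"),
    ev(4624, "FS01", TargetUserName="fakeadmin", TargetDomainName="corp.local",
       LogonType="3", AuthenticationPackageName="Kerberos", IpAddress="10.0.5.23"),
]


def detect(events: list[dict]) -> list[dict]:
    alerts = []

    def alert(rule, user, e):
        alerts.append({"rule": rule, "user": user, "src": e["src"], "ip": e.get("IpAddress")})

    # Index of (user, client IP) pairs the DC actually served, for correlation.
    tgts = {(user_of(e["TargetUserName"]), e["IpAddress"]) for e in events if e["id"] == 4768}
    tgss = {(user_of(e["TargetUserName"]), e["IpAddress"]) for e in events if e["id"] == 4769}

    for e in events:
        if e["id"] == 4662 and REPL_GET_CHANGES_ALL in e.get("Properties", "").lower():
            # Only DCs replicate from DCs; anyone else asking is DCSync.
            subj = e["SubjectUserName"].lower()
            if subj not in DC_ACCOUNTS:
                alert("dcsync_by_non_dc", subj, e)
        elif e["id"] == 4769:
            u = user_of(e["TargetUserName"])
            if e["TicketEncryptionType"].lower() == RC4_HMAC:
                alert("rc4_service_ticket", u, e)       # assumption: AES-only domain
            if (u, e["IpAddress"]) not in tgts:
                alert("tgs_without_prior_tgt", u, e)    # TGT never came from the AS exchange
        elif (e["id"] == 4624 and e["AuthenticationPackageName"] == "Kerberos"
              and e["LogonType"] == "3"):
            u = user_of(e["TargetUserName"])
            if (u, e["IpAddress"]) not in tgss:
                alert("kerberos_logon_without_tgs", u, e)  # DC never issued it: Silver Ticket
            if e["TargetDomainName"] != NETBIOS_DOMAIN:
                alert("fqdn_account_domain", u, e)         # heuristic from the detection writeup
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```

In production the two correlation rules need the logs of every DC in the domain (the TGT may have come from a different DC than the TGS) and a lookback window at least as long as the TGT lifetime (10 hours by default), or they will fire on perfectly legitimate sessions; the RC4 rule is only meaningful once AES is enforced for the accounts in question. None of this catches a Silver Ticket on a host that does not forward its own 4624 events, which is the same blind spot the post describes.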

Fortunately, there are a few options available to prevent both of them:

  1. Stop attackers at the reconnaissance stage when they hunt for target accounts
    (a) Privileged account for Golden Ticket attacks
    (b) Service account with Service Principal Names for Silver Ticket attacks
  2. Prevent use of a forged ticket to authenticate or escalate privileges

A previous blog focused on preventing these attacks using concealment at the reconnaissance stage. This blog demonstrates how one could use the Attivo EDN solution to prevent attackers from using forged tickets by design.

An example of a Golden Ticket attack:

Step 1: The attacker obtains the hash for the KRBTGT account using a DCSync attack.

Step 2: The attacker uses Mimikatz to generate the Golden Ticket.

Step 3: The attacker then attempts to load the ticket into the current session. The following screenshots compare what happens next, first on an endpoint without the Attivo EDN solution and then after the EDN solution is installed.

[Screenshot: pre-installation of EDN solution]
[Screenshot: post-installation of EDN solution]

The EDN solution prevents the attacker from using the Golden Ticket even though Mimikatz generated it and reported it as loaded: the ticket never reaches the user's ticket cache (as shown above). The following screenshots show the prevention alerts, accompanied by the process tree and user context.

Challenges around Pass-The-Ticket Attack prevention:

A Privileged Account Management (PAM) solution does not protect against Pass-The-Ticket. PAM is a good tool for reducing the use of stolen passwords, since it brokers and audits privileged logins, but a forged ticket is never checked out of a vault: it is minted from a stolen key and presented directly to the KDC or to the service. Along the same lines, Multi-Factor Authentication (MFA) cannot protect against PTT, because the additional factor is enforced at initial authentication and a forged TGT or service ticket skips that step entirely. Some security products rely on data analysis to identify anomalous traffic or behavior patterns. Machine learning can at best surface a suspicious pattern, and that detection comes at the cost of false positives.

Conclusion

Golden Ticket and Silver Ticket attacks are post-exploitation techniques. Because they use the legitimate mechanics of Active Directory authentication, they are hard to detect and prevent. The threat landscape continues to evolve, with more software, techniques and built-in system functions available to perform malicious actions; for an attacker these mean higher success rates and lower detection rates. Organizations must adopt new tools, such as the Attivo EDN solution, to counter these techniques, and add in-network threat detection and identity detection and response to their security strategy.
