1. Home
  2. ATT&CK Techniques
  3. T1558.001 Golden Ticket

T1558.001 Golden Ticket

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)

Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)

The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.

View in MITRE ATT&CK®

CRI Profile Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
PR.IR-01.05 Remote access protection Mitigates T1558.001 Golden Ticket
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
    PR.AA-05.03 Service accounts Mitigates T1558.001 Golden Ticket
    Comments
    This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.
    References
      PR.AA-05.02 Privileged system access Mitigates T1558.001 Golden Ticket
      Comments
      This diagnostic statement protects against Golden Ticket through the use of privileged account management and the use of multi-factor authentication.
      References
        DE.CM-06.02 Third-party access monitoring Mitigates T1558.001 Golden Ticket
        Comments
        This diagnostic statement protects against Golden Ticket through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
        References
          PR.AA-01.01 Identity and credential management Mitigates T1558.001 Golden Ticket
          Comments
          This diagnostic statement protects against Golden Ticket through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
          References

            NIST 800-53 Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            CM-06 Configuration Settings mitigates T1558.001 Golden Ticket
            CM-05 Access Restrictions for Change mitigates T1558.001 Golden Ticket
            IA-05 Authenticator Management mitigates T1558.001 Golden Ticket
            CM-02 Baseline Configuration mitigates T1558.001 Golden Ticket
            IA-02 Identification and Authentication (Organizational Users) mitigates T1558.001 Golden Ticket
            AC-02 Account Management mitigates T1558.001 Golden Ticket
            AC-03 Access Enforcement mitigates T1558.001 Golden Ticket
            AC-05 Separation of Duties mitigates T1558.001 Golden Ticket
            AC-06 Least Privilege mitigates T1558.001 Golden Ticket

            VERIS Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558.001 Golden Ticket

            Azure Mappings

            Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
            alerts_for_windows_machines Alerts for Windows Machines technique_scores T1558.001 Golden Ticket
            Comments
            This control may detect commandline parameters consistent with a Kerberos Golden Ticket attack. The following alerts may be generated: "Suspected Kerberos Golden Ticket attack parameters observed".
            References
            1. https://learn.microsoft.com/en-us/azure/defender-for-cloud/plan-defender-for-servers
            2. https://learn.microsoft.com/en-us/azure/defender-for-cloud/alerts-windows-machines