T1558.001 Golden Ticket Mappings

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)

Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)

The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1558.001 Golden Ticket
AC-3 Access Enforcement Protects T1558.001 Golden Ticket
AC-5 Separation of Duties Protects T1558.001 Golden Ticket
AC-6 Least Privilege Protects T1558.001 Golden Ticket
CM-2 Baseline Configuration Protects T1558.001 Golden Ticket
CM-5 Access Restrictions for Change Protects T1558.001 Golden Ticket
CM-6 Configuration Settings Protects T1558.001 Golden Ticket
IA-2 Identification and Authentication (organizational Users) Protects T1558.001 Golden Ticket
IA-5 Authenticator Management Protects T1558.001 Golden Ticket
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1558.001 Golden Ticket
azure_sentinel Azure Sentinel technique_scores T1558.001 Golden Ticket
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1558.001 Golden Ticket
azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1558.001 Golden Ticket