T1558.001 Golden Ticket Mappings

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)

Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)

The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-2 Account Management Protects T1558.001 Golden Ticket
AC-3 Access Enforcement Protects T1558.001 Golden Ticket
AC-5 Separation of Duties Protects T1558.001 Golden Ticket
AC-6 Least Privilege Protects T1558.001 Golden Ticket
CM-2 Baseline Configuration Protects T1558.001 Golden Ticket
CM-5 Access Restrictions for Change Protects T1558.001 Golden Ticket
CM-6 Configuration Settings Protects T1558.001 Golden Ticket
IA-2 Identification and Authentication (organizational Users) Protects T1558.001 Golden Ticket
IA-5 Authenticator Management Protects T1558.001 Golden Ticket
CVE-2014-6324 n/a uncategorized T1558.001 Golden Ticket
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1558.001 Steal or Forge Kerberos Tickets: Golden Ticket