First published on CloudBlogs on Oct 05, 2017 by Azure Advanced Threat Protection Team
If you’re in the business of threat detection, you are probably familiar with the term “golden ticket”. For those less familiar, a golden ticket is a Kerberos ticket that an attacker forges by hand after obtaining your environment’s Kerberos encryption “master key”. With a golden ticket an attacker can masquerade as any user, or assume the permissions of any role, at any time, which amounts to full control of your environment. Detecting this kind of attack has historically been difficult, because the forged ticket is encrypted with the same key your Active Directory itself uses, so it looks legitimate to every service that receives it. What can you do about it? This article provides more detail, but in short, you can:
Microsoft ATA detects malicious replication of directory services, which is the method an attacker uses to obtain the “master key” to your environment. Mimikatz's DCSync and Impacket's secretsdump are two tools an adversary may use to “replicate” the Kerberos encryption “master key” (the key of the KRBTGT account) from a domain controller. Microsoft ATA detects the use of these tools and tactics: it learns normal replication and ticket usage patterns so that it can automatically detect and alert when an attacker steals the “master key”. More importantly, Microsoft ATA will alert you when an adversary begins using a golden ticket on your network.
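The two detections described above can be approximated from a domain controller's own Security log. The following is an added example written for this page, not ATA's logic or Microsoft code; it runs two heuristics over a handful of constructed events: (1) a non-DC principal exercising a directory replication control-access right in a 4662 event (the DCSync / secretsdump pattern), and (2) a TGS request (4769) from an account that either has no TGT issuance (4768) on record or whose last TGT is older than the domain's maximum ticket lifetime, which is how a forged ticket that never went through the AS exchange shows up. The 10-hour lifetime, the DC names, the accounts and the timestamps are assumptions made for the sample; the replication-right GUIDs are the real well-known values.

```python
from datetime import datetime, timedelta

# Control-access-right GUIDs that grant directory replication. In a 4662 event
# they appear in the Properties field; a non-DC principal exercising them is
# the DCSync / secretsdump pattern described in the text.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}

# Assumption: the domain keeps the default 10-hour maximum user ticket lifetime.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed: computer accounts of this sample environment's domain controllers.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}

# Constructed sample events, reduced to the Security-log fields the heuristics need.
SAMPLE_EVENTS = [
    {"time": "2017-10-01T08:00:00", "event_id": 4768, "account": "alice"},
    {"time": "2017-10-01T09:30:00", "event_id": 4769, "account": "alice", "service": "cifs/fs01"},
    {"time": "2017-10-01T10:00:00", "event_id": 4769, "account": "bob", "service": "ldap/dc01"},
    {"time": "2017-10-01T10:05:00", "event_id": 4662, "account": "DC02$",
     "properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},  # a DC replicating: expected
    {"time": "2017-10-01T10:06:00", "event_id": 4662, "account": "svc_backup",
     "properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",
                    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"]},  # a service account replicating: suspicious
    {"time": "2017-10-01T10:07:00", "event_id": 4662, "account": "jdoe",
     "properties": ["00000000-0000-0000-0000-000000000001"]},  # constructed non-replication right
    {"time": "2017-10-03T11:00:00", "event_id": 4769, "account": "alice", "service": "cifs/fs02"},
]


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_suspicious_replication(events, domain_controllers=DOMAIN_CONTROLLERS):
    """Flag 4662 events in which a principal that is not a domain controller
    exercised one or more directory replication rights."""
    hits = []
    for e in events:
        if e["event_id"] != 4662:
            continue
        rights = sorted(REPLICATION_RIGHTS[g] for g in e.get("properties", [])
                        if g in REPLICATION_RIGHTS)
        if rights and e["account"] not in domain_controllers:
            hits.append({"account": e["account"], "rights": rights, "time": e["time"]})
    return hits


def find_ticket_anomalies(events, max_lifetime=MAX_TGT_LIFETIME):
    """Flag 4769 (TGS request) events whose account has no TGT issuance (4768)
    on record, or whose last TGT was issued longer ago than the maximum ticket
    lifetime. A forged TGT never passed through the AS exchange, so from the
    DC's logs a golden ticket looks like exactly these two patterns.
    Assumption: ticket renewals (4770) are not modelled; in production they
    would reset the issuance time for the account."""
    last_tgt = {}
    anomalies = []
    for e in sorted(events, key=lambda x: x["time"]):  # ISO-8601 strings sort chronologically
        if e["event_id"] == 4768:
            last_tgt[e["account"]] = _ts(e["time"])
        elif e["event_id"] == 4769:
            issued = last_tgt.get(e["account"])
            if issued is None:
                anomalies.append({"account": e["account"], "time": e["time"],
                                  "hours_since_tgt": None,
                                  "reason": "TGS request with no TGT issuance observed"})
            else:
                age = _ts(e["time"]) - issued
                if age > max_lifetime:
                    anomalies.append({"account": e["account"], "time": e["time"],
                                      "hours_since_tgt": age.total_seconds() / 3600,
                                      "reason": "TGS request beyond maximum ticket lifetime"})
    return anomalies


if __name__ == "__main__":
    for hit in find_suspicious_replication(SAMPLE_EVENTS):
        print("replication by non-DC:", hit)
    for a in find_ticket_anomalies(SAMPLE_EVENTS):
        print("ticket anomaly:", a)
```

Run against the sample, the replication check reports only `svc_backup` (the DC's own replication is expected and `jdoe` exercised no replication right), and the ticket check reports `bob` (a TGS request with no TGT issuance on record) and `alice`, whose ticket is still in use 51 hours after issuance against a 10-hour limit. Real deployments need a lookback window longer than the ticket lifetime, must ingest 4770 renewals, and should expect some noise from accounts such as Azure AD Connect that legitimately hold replication rights; the point of the example is the shape of the two signals, not a production rule set.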
During a golden ticket attack, the ATA console can give a company's defenders useful insight, including:
In the example below Microsoft ATA detected a golden ticket attack, noting the adversary used the counterfeit ticket for 51 hours:
With ATA, the Digital Forensics Incident Response (DFIR) team can actively detect this attack technique, an ability the DFIR team previously did not have, while also gaining insight into the adversary's actions. In this case, the DFIR team investigated the alert and identified the incident as the work of an advanced attacker leveraging a golden ticket in their environment.

Advanced Threat Analytics is part of the Microsoft Enterprise Mobility + Security Suite (E3) or the Microsoft Enterprise CAL Suite (ECAL). Start a trial or deploy it now by downloading an Advanced Threat Analytics 90-day evaluation. Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site!

All the best,
Hayden Hainsworth (@cyberhayden)
Customer & Partner Experience Program Leader, Cybersecurity Engineering
Microsoft Cloud + Enterprise Division