First published on CloudBlogs on Oct 05, 2017 by Azure Advanced Threat Protection Team If you’re in the business of threat detection, you are probably familiar with the term “golden ticket”. For those less familiar, a golden ticket is the name of a Kerberos ticket that is manually created by an attacker after gaining access to your environment’s encryption "master key". A golden ticket allows an attacker to masquerade as any user or gain the permissions of any role at any time they want, giving them full control over your environment. Being able to detect this kind of attack has historically been difficult, because the adversary is leveraging credentials with the same key your Active Directory uses. What can you do about it? This article provides more detail, but in short, you can:
Reduce privileged account exposure by lowering the number of privileged administrators while also implementing "Just Enough Admin" and "Just in Time" access for administrators.
Implement Microsoft Advanced Threat Analytics (ATA), a detection solution that reveals when an adversary has compromised credentials, is using a golden ticket, and/or is moving laterally on your network, escalating privileges, and exerting domain dominance.
How Microsoft ATA can help
Microsoft ATA detects the malicious replication of directory services, which is a method an attacker uses to obtain the “master key” to your environment. Mimikatz's DCSync and Impacket's secretsdump are two tools that an adversary may use to “replicate” the Kerberos encryption “master key” (also known as a KRBTGT account) from a domain controller. Microsoft ATA detects the use of these tools and tactics. ATA learns normal replication and ticket usage patterns to automatically detect and alert if an attacker steals the “master key”. More importantly, Microsoft ATA will alert you when an adversary begins using a golden ticket on your network.
ATA during a Golden Ticket attack
During a golden ticket attack, the ATA console can provide useful insight into a company's defenders including:
Details about the counterfeit ticket (e.g., the account that the adversary is masquerading as)
What resources were used to access the counterfeit ticket
How long the counterfeit ticket was used
In the example below Microsoft ATA detected a golden ticket attack, noting the adversary used the counterfeit ticket for 51 hours:
With ATA, the Digital Forensics Incident Response (DFIR) team can actively detect this attack technique—an ability the DFIR previously did not have—while also gaining insights into the adversary's actions. In this case, the DFIR team investigated the alert and identified this incident to be the result of an advanced attacker leveraging a golden ticket in their environment. Advanced Threat Analytics is part of the Microsoft Enterprise Mobility + Security Suite (E3) or the Microsoft Enterprise CAL Suite (ECAL). Start a trial or deploy it now by downloading an Advanced Threat Analytics 90-day evaluation . Ask your questions and join the discussion with our team on the Microsoft Advanced Threat Analytics Tech Community site ! All the best, Hayden Hainsworth ( @cyberhayden ) Customer & Partner Experience Program Leader, Cybersecurity Engineering Microsoft Cloud + Enterprise Division