A Golden Ticket attack targets an organization’s Microsoft Active Directory (AD) to gain extensive access to its domain. It abuses the Kerberos authentication protocol that AD relies on, allowing the attacker to bypass normal authentication by forging tickets. With the growth of remote work and cloud adoption, the attack surface now extends well beyond traditional network boundaries, increasing the chances that attackers infiltrate a network and use Golden Ticket attacks to gain unauthorized access. Microsoft released the KB5008380 patch in November 2021 to address this vulnerability and harden authentication. Its goal was to strengthen the Kerberos privileged attribute certificate (PAC) by including more details about the account that requested the ticket-granting ticket (TGT). While the update improves the authentication process, it has limitations, and its changes affect both ticket impersonation techniques and the methods used to detect them.
What is a Privileged Attribute Certificate?
The Privileged Attribute Certificate (PAC) is an extension to Kerberos service tickets that holds information about the user and their privileges. It is added by a domain controller in an Active Directory (AD) domain when the user authenticates. This allows other systems to access the PAC from the user’s ticket and determine their privileges, eliminating the need to consult the domain controller.
The PAC data is used for authorization: it carries the permissions that determine which services the user may access, and it is copied from one ticket to the next during the authentication and authorization process.

The update introduces a new structure in the PAC, PAC_REQUESTOR, which records the security identifier (SID) of the requesting account; the KDC validates this SID when it processes the ticket. The rollout is divided into three phases to give organizations time to understand and implement the changes, and it adds new system events for detecting ticket-based attacks. Offensive tools have already been updated to support both the new and the old PAC structure.

Because the KDC validates the PAC_REQUESTOR structure, a ticket in which it is missing, or in which its SID does not match the username in the TGT, can indicate a successful attack. These indicators of compromise help identify attempted attacks: the update cannot fully prevent a Golden Ticket attack, but it adds meaningful signals to aid detection.
Attacks that Exploit the Privileged Attribute Certificate
Due to the amount of data stored within them, Privileged Attribute Certificates are susceptible to various Windows AD attack methods, making them prime targets. Below are some of the most notable techniques used to exploit the Privileged Attribute Certificate.
Privilege Escalation Attacks: In 2014, a vulnerability in the PAC validation algorithm of Windows Server 2012 R2 and earlier was made public, making the PAC susceptible to AD privilege elevation attacks. This vulnerability allowed attackers to create a forged PAC for any compromised user account, granting them Domain Admin privileges. Microsoft promptly addressed this vulnerability by releasing the MS14-068 update. More details about the vulnerability and the patch can be found in Microsoft’s post. To test this vulnerability, tools like the Python Kerberos Exploitation Kit (PyKEK) or Kekeo can be used.
Golden and Silver Tickets: Attackers can use Golden Tickets and Silver Tickets to exploit Active Directory by forging ticket-granting tickets (TGTs) and ticket-granting service (TGS) tickets. As mentioned above, Golden Tickets allow attackers to create a valid TGT for any user in the domain and manipulate their privileges. This can be done using stolen KDC keys and enables adversaries to perform privileged activities while avoiding detection. Silver Tickets, on the other hand, allow attackers to forge Active Directory PACs for TGS tickets, granting them specific rights to a service on a specific host. By stealing the password hash for a service, attackers can create TGS tickets for that service. Even service accounts with limited rights can be compromised using Silver Tickets, as attackers can give these accounts additional privileges by forging PACs. Golden and Silver Tickets can provide users with membership in privileged groups, effectively granting them high-level access.
Privileged Attribute Certificate Validation
PAC validation is one control against forged PACs, although it is not a complete solution. It checks a user’s PAC against Active Directory to confirm its authenticity, but it only runs under certain conditions, for example when the receiving service lacks certain privileges or is not running in specific contexts. As a result, PAC validation does not fully prevent attackers from using Silver and Golden Tickets: even with PAC validation enabled, these types of tickets can still be used against a target system.
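Both the PAC_REQUESTOR check introduced by KB5008380 (described in the section on the PAC above) and the signature verification that PAC validation depends on can be walked through on a small hand-built PAC. The following is an added example written for this page; it is not code from the article, from Microsoft, or from getPAC.py. It builds a minimal PAC with constructed keys and SIDs, signs it the way the KDC does for RC4-HMAC keys (server checksum over the PAC with the service key, KDC checksum over that value with the krbtgt key, following MS-PAC and RFC 4757), and then runs the two defender-side checks: whether PAC_REQUESTOR is present and its SID matches the requesting account, and whether the two signatures verify. The buffer type codes and key usage are those given in MS-PAC; the logon-info buffer is a placeholder and all keys and SIDs are constructed values.

```python
import hashlib
import hmac
import struct

# Buffer type codes from MS-PAC section 2.4 and the signature parameters for RC4-HMAC keys
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07
PAC_REQUESTOR = 0x12                  # added by KB5008380: the requesting account's SID
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # SignatureType value for HMAC-MD5
KERB_NON_KERB_CKSUM_SALT = 17         # key usage used for PAC signatures
SIG_LEN = 16


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the binary SID layout (MS-DTYP 2.4.2.2)."""
    _, rev, auth, *subs = sid.split("-")
    head = struct.pack("<BB", int(rev), len(subs)) + int(auth).to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", int(s)) for s in subs)


def bytes_to_sid(data):
    """Decode a binary SID back into its string form."""
    rev, count = data[0], data[1]
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, data, 8)
    return "S-%d-%d" % (rev, auth) + "".join("-%d" % s for s in subs)


def build_pac(buffers):
    """Serialize a PACTYPE header, the PAC_INFO_BUFFER table and 8-byte-aligned payloads."""
    header = struct.pack("<II", len(buffers), 0)          # cBuffers, Version
    offset, body = 8 + 16 * len(buffers), b""
    for ultype, payload in buffers:
        header += struct.pack("<IIQ", ultype, len(payload), offset)
        padded = payload + b"\x00" * (-len(payload) % 8)
        body, offset = body + padded, offset + len(padded)
    return header + body


def parse_pac(blob):
    """Map each ulType to (offset, payload) by walking the PAC_INFO_BUFFER table."""
    found = {}
    for i in range(struct.unpack_from("<I", blob, 0)[0]):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        found[ultype] = (offset, blob[offset:offset + size])
    return found


def hmac_md5_checksum(key, usage, data):
    """Kerberos HMAC-MD5 checksum as specified in RFC 4757 section 4."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    inner = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, inner, hashlib.md5).digest()


def signature_slice(blob, ultype):
    """Slice covering the Signature field of a checksum buffer (after its 4-byte SignatureType)."""
    start = parse_pac(blob)[ultype][0] + 4
    return slice(start, start + SIG_LEN)


def server_checksum(blob, service_key):
    """Server checksum: HMAC over the whole PAC with both Signature fields zeroed."""
    work = bytearray(blob)
    work[signature_slice(blob, PAC_SERVER_CHECKSUM)] = b"\x00" * SIG_LEN
    work[signature_slice(blob, PAC_PRIVSVR_CHECKSUM)] = b"\x00" * SIG_LEN
    return hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, bytes(work))


def sign_pac(blob, service_key, krbtgt_key):
    """Sign as the KDC does: server checksum with the service key, KDC checksum over it with krbtgt."""
    srv = server_checksum(blob, service_key)
    signed = bytearray(blob)
    signed[signature_slice(blob, PAC_SERVER_CHECKSUM)] = srv
    kdc = hmac_md5_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, srv)
    signed[signature_slice(blob, PAC_PRIVSVR_CHECKSUM)] = kdc
    return bytes(signed)


def verify_pac(blob, service_key, krbtgt_key):
    """Return (server_ok, kdc_ok): the service checks the first, PAC validation at a DC the second."""
    srv = blob[signature_slice(blob, PAC_SERVER_CHECKSUM)]
    kdc = blob[signature_slice(blob, PAC_PRIVSVR_CHECKSUM)]
    server_ok = hmac.compare_digest(srv, server_checksum(blob, service_key))
    kdc_ok = hmac.compare_digest(kdc, hmac_md5_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, srv))
    return server_ok, kdc_ok


def check_requestor(blob, account_sid):
    """The KB5008380 indicator: 'missing' or 'mismatch' is what a defender alerts on."""
    bufs = parse_pac(blob)
    if PAC_REQUESTOR not in bufs:
        return "missing"
    return "ok" if bytes_to_sid(bufs[PAC_REQUESTOR][1]) == account_sid else "mismatch"


# Constructed sample data: placeholder keys and SIDs, not taken from any real domain
SERVICE_KEY = bytes(range(16))
KRBTGT_KEY = bytes(range(16, 32))
ACCOUNT_SID = "S-1-5-21-1111111111-2222222222-3333333333-1104"
ADMIN_SID = "S-1-5-21-1111111111-2222222222-3333333333-500"
EMPTY_SIG = struct.pack("<I", KERB_CHECKSUM_HMAC_MD5) + b"\x00" * SIG_LEN


def make_sample_pac(requestor_sid=ACCOUNT_SID, include_requestor=True, krbtgt_key=KRBTGT_KEY):
    """Build and sign a minimal PAC; the logon-info buffer stands in for KERB_VALIDATION_INFO."""
    buffers = [(0x01, b"LOGON-INFO-PLACEHOLDER"),
               (PAC_SERVER_CHECKSUM, EMPTY_SIG), (PAC_PRIVSVR_CHECKSUM, EMPTY_SIG)]
    if include_requestor:
        buffers.append((PAC_REQUESTOR, sid_to_bytes(requestor_sid)))
    return sign_pac(build_pac(buffers), SERVICE_KEY, krbtgt_key)
```

The two checks expose different classes of forgery. A ticket signed with only a service key (the Silver Ticket case) carries a valid server checksum but an invalid KDC checksum, which is exactly what PAC validation catches when it runs; a ticket signed with the KDC key passes both checksum checks, which is why the KB5008380 requestor check matters as an additional indicator: a missing PAC_REQUESTOR buffer, or one whose SID does not belong to the account the ticket names, is the signal to alert on. The offsets in the PAC_INFO_BUFFER table are honoured by the parser rather than assumed, so reordering buffers does not affect either check.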
Examining a User’s PAC
To easily examine a user’s Privileged Attribute Certificate, you can use a helpful script called getPAC.py, which you can find on GitHub. The process can be further simplified by using CommandoVM on Windows, which includes an executable version of the script and eliminates the need for Python dependencies. Using the getPAC.py script, you can retrieve a user’s PAC settings and related information without requiring any special permissions. This includes more than just group membership. For detailed explanations about these results, the PAC data structure documentation from Microsoft provides further information.
How Lepide Can Help Secure Active Directory
The Lepide Data Security Platform offers a scalable solution for auditing file, folder, configuration and permission changes within Active Directory. Our platform delivers essential insights into the “who, what, where, and when” of Active Directory auditing, enabling you to enhance security, conduct investigations, minimize the dangers of privilege misuse, and meet compliance obligations. Our solution offers a more robust level of protection than PAC client validation and scripts like getPAC.py. The Lepide Data Security Platform can also help with the following:
Threat detection: Detect and respond to sophisticated threats in real-time, preventing breaches and minimizing damage to your system.
Advanced password policies: Implement strong password policies and protect credentials from sophisticated threats.
Just-in-time access: Replace standing privileged accounts with temporary access privileges, limiting the risk of unauthorized access.
Compliance audits: Generate necessary security reports to meet compliance requirements and facilitate audits.
Automated threat response: Automate responses to anticipated threats, allowing for quick and efficient mitigation.
Active Directory recovery: Roll back any unintended deletions or changes made to your Active Directory to ensure continuity and minimize disruptions.
By using Lepide’s Active Directory security solution, you can significantly enhance the protection of your system, mitigate risks, and maintain the integrity and security of your data. If you’d like to see how the Lepide Data Security Platform can help you detect and respond to Golden and Silver Ticket Attacks, schedule a demo with one of our engineers.