Detecting Golden Tickets/Silver Tickets
Golden Ticket
Golden Ticket attacks involve forging a Ticket Granting Ticket (TGT) to impersonate a domain administrator and gain full access to the domain. This attack is persistent and difficult to detect as it uses a valid, forged TGT that can be created offline by an attacker.
Attack Steps
Extract KRBTGT Hash: The attacker obtains the NTLM hash of the KRBTGT account, typically using DCSync or by dumping NTDS.dit and LSASS.
Forge TGT: The attacker creates a TGT using the KRBTGT hash, granting themselves domain administrator privileges.
Inject Forged TGT: The attacker injects this TGT into a logon session, enabling unauthorized access to domain resources.
Detection Opportunities
Detection relies on identifying indicators such as:
DCSync activity: Monitoring for suspicious DCSync requests.
NTDS.dit or LSASS access: Sysmon Event ID 10 can help track LSASS access for hash extraction.
Pass-the-Ticket alerts: Golden Ticket use resembles Pass-the-Ticket behaviors.
Example Splunk Query: Detecting Golden Tickets
Description: This search identifies Golden Ticket use by looking for Kerberos events without an associated Event ID 4768. These unlinked tickets may indicate forgery.
Timeframe: earliest=1690451977 latest=1690452262
index=main earliest=1690451977 latest=1690452262 source="WinEventLog:Security" user!=*$ EventCode IN (4768,4769,4770)
| rex field=user "(?<username>[^@]+)"
| rex field=src_ip "(\:\:ffff\:)?(?<src_ip_4>[0-9\.]+)"
| transaction username, src_ip_4 maxspan=10h keepevicted=true startswith=(EventCode=4768)
| where closed_txn=0
| search NOT user="*$@*"
| table _time, ComputerName, username, src_ip_4, service_name, categorySilver Ticket
Silver Ticket attacks allow adversaries to create forged service-specific TGS tickets for targeted resources, providing limited access compared to Golden Tickets.
Attack Steps
Extract Service Account Hash: The attacker extracts the NTLM hash of a target service account (e.g., SQL Server).
Forge TGS Ticket: Using the hash, the attacker creates a forged TGS ticket.
Inject and Access: The attacker injects the forged ticket into a session to gain access to specific resources.
Detection Opportunities
Detection focuses on:
New User Creation: Event ID 4720 can identify newly created accounts.
Privilege Assignments: Event ID 4672 helps monitor special logon privileges given to accounts, which may indicate suspicious access.
Example Splunk Queries for Silver Ticket Detection
Query 1: Comparing Created Users with Logged-in Users
Description: This search cross-references newly created users against recent logins to detect suspicious account activity.
User List Creation:
Logged-in Users Comparison:
Timeframe: latest=1690545656
Query 2: Detecting Special Privileges on New Logon Events
Description: This search identifies accounts with special privileges assigned recently, indicating potentially unauthorized access using Silver Tickets.
Timeframe: latest=1690545656
Summary
Golden Ticket and Silver Ticket attacks exploit the Kerberos authentication process to allow unauthorized access within a Windows Active Directory environment. Detection efforts focus on identifying anomalies in user logons, newly created accounts, and assigned privileges. By combining behavioral and event-based detections in Splunk, security teams can improve their ability to identify and respond to these advanced attacks.
Last updated