Golden ticket attack
(also Kerberos golden ticket attack, Kerberos attack)
Golden ticket attack definition
A cyberattack in which the attacker forges Kerberos ticket-granting tickets (TGTs) for an Active Directory domain. Because a domain controller accepts any TGT that is correctly encrypted with the key of the domain's KRBTGT account, whoever holds that key can mint tickets for any user, with any group membership and any lifetime, and then reach any file, service, or user account in the domain. The attack does not exploit a flaw in Kerberos itself; it abuses the protocol's design, in which the KRBTGT key is the root of trust for every ticket, once the attacker has already obtained domain-controller-level access.
How a golden ticket attack works
- The attacker first gains privileged access, typically by compromising a workstation with malware or phishing and then escalating to an account that is a Domain Admin or can otherwise read data from a domain controller.
- With that access they extract the password hash (NTLM hash or AES key) of the KRBTGT account, the account whose key the domain controller uses to encrypt and sign every TGT. They also collect the domain name and the domain SID. With those three values, a ticket-forging tool can create a TGT for any user offline, without ever contacting the domain controller: the golden ticket.
- They present the golden ticket to a domain controller to request service tickets for any resource. The domain controller cannot distinguish it from a legitimate TGT, so the attacker can impersonate any user, including the built-in Administrator, and the ticket keeps working even if that user's password is changed. It stays valid until the KRBTGT key is changed twice, so a single golden ticket can provide persistence for months or years.
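One consequence of the ticket being forged offline is that the domain controllers never log a TGT request (Security event 4768) for it, yet they do log the service-ticket requests (event 4769) that follow. The script below, added here as an illustration and not part of the original page, turns that into a simple check: it flags 4769 events for which no 4768 from the same user was seen in the preceding ticket-lifetime window. The events are constructed sample data; in a real deployment you would feed it `Get-WinEvent` output collected from every domain controller, because a legitimate TGT may have been issued by a different DC from the one serving the TGS request.

```powershell
# Added detection example (not from the original page). Correlates 4769
# service-ticket requests with preceding 4768 TGT requests. A 4769 with no
# 4768 in the look-back window is a candidate forged (golden) ticket.

# Assumption: default maximum TGT lifetime of 10 hours.
$window = New-TimeSpan -Hours 10

# Constructed sample events (UTC). Field names mirror the relevant event data.
# In production, replace with something like:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 }
# gathered from every DC and mapped into the same shape.
$events = @(
    [pscustomobject]@{ Id = 4768; Time = [datetime]'2024-05-01T08:00:00Z'; User = 'alice';         Domain = 'CORP.LOCAL'; Dc = 'DC01' }
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2024-05-01T08:05:00Z'; User = 'alice';         Domain = 'CORP.LOCAL'; Dc = 'DC01' }
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2024-05-01T09:10:00Z'; User = 'Administrator'; Domain = 'CORP.LOCAL'; Dc = 'DC02' }
    [pscustomobject]@{ Id = 4769; Time = [datetime]'2024-05-01T19:30:00Z'; User = 'alice';         Domain = 'CORP.LOCAL'; Dc = 'DC02' }
)

function Find-UncorrelatedTgsRequests {
    param(
        [Parameter(Mandatory)] [object[]]  $Events,
        [Parameter(Mandatory)] [timespan] $Window
    )
    $tgtRequests = $Events | Where-Object Id -eq 4768

    foreach ($tgs in ($Events | Where-Object Id -eq 4769)) {
        # A legitimate service-ticket request should be preceded, within one
        # TGT lifetime, by a TGT request for the same user on some DC.
        $matching = $tgtRequests | Where-Object {
            $_.User -eq $tgs.User -and
            $_.Time -le $tgs.Time -and
            ($tgs.Time - $_.Time) -le $Window
        }
        if (-not $matching) {
            [pscustomobject]@{
                Time   = $tgs.Time
                User   = $tgs.User
                Domain = $tgs.Domain
                Dc     = $tgs.Dc
                Reason = 'Service ticket requested with no TGT request on any DC in the look-back window'
            }
        }
    }
}

# With the sample data, the Administrator request at 09:10 and alice's request
# at 19:30 (outside the 10-hour window after her 08:00 TGT) are both flagged.
Find-UncorrelatedTgsRequests -Events $events -Window $window | Format-Table -AutoSize
```

Treat the output as a lead, not a verdict: users whose TGT was issued before your collection window, or whose 4768 events were lost, will appear as false positives, so the check is most useful on privileged accounts and on DCs where 4768/4769 auditing is complete.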
Stopping a golden ticket attack
- Reset the KRBTGT account password twice, waiting for the first change to replicate to every domain controller before performing the second. Domain controllers keep the previous key as well as the current one, so a single reset leaves tickets forged with the old key valid; only the second reset invalidates them. Do this on a regular schedule (for example twice a year) and immediately after any confirmed domain compromise, but only after the attacker's access has been removed, since an attacker who still holds Domain Admin rights can simply dump the new hash.
- Monitor for the traces a forged ticket leaves: service-ticket requests (event 4769) for accounts with no matching TGT request (event 4768), tickets with unusual lifetimes or group memberships, and logons by privileged or disabled accounts from unexpected hosts. Also alert on the prerequisites, such as replication (DCSync-style) requests or credential dumps from systems that are not domain controllers.
- Limit who can reach the KRBTGT key in the first place: keep the number of Domain Admins small, do not let those accounts log on to workstations or member servers, and keep domain controllers in a separate administrative tier.
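The double reset is the one step that actually invalidates an existing golden ticket, and the part people get wrong is performing the second reset before the first has replicated. The script below, added here as an example and not part of the original page, performs the reset with the ActiveDirectory module and checks replication by reading the krbtgt account's PasswordLastSet attribute from every domain controller directly rather than trusting a single DC's view. The timeout value is a placeholder; it requires Domain Admin rights and should be run in a maintenance window.

```powershell
# Added example (not from the original page): reset the KRBTGT password twice,
# verifying that the first reset has replicated to every DC before the second.
# Requires the ActiveDirectory module and Domain Admin rights.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordLastSet {
    # Query each DC directly (-Server) so the result reflects replication state,
    # not just the view of whichever DC answered the default query.
    foreach ($dc in (Get-ADDomainController -Filter *)) {
        $u = Get-ADUser -Identity krbtgt -Server $dc.HostName -Properties PasswordLastSet
        [pscustomobject]@{ DC = $dc.HostName; PasswordLastSet = $u.PasswordLastSet }
    }
}

function Reset-KrbtgtPassword {
    # The cmdlet requires a password value; generate a random one rather than
    # choosing it by hand. The value never needs to be stored or known.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $newPassword = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $newPassword
}

function Wait-KrbtgtReplication {
    param([int]$TimeoutMinutes = 60)   # placeholder; size it to your replication topology
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $stamps   = Get-KrbtgtPasswordLastSet
        $distinct = @($stamps.PasswordLastSet | Sort-Object -Unique).Count
        if ($distinct -eq 1) { return $true }   # every DC reports the same timestamp
        Write-Host "Waiting for replication: $distinct distinct PasswordLastSet values across DCs"
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    return $false
}

# First reset: the old key is retained as the previous key, so existing tickets,
# forged ones included, still work after this step.
Reset-KrbtgtPassword
if (-not (Wait-KrbtgtReplication)) {
    throw 'First reset has not replicated to all DCs; do not perform the second reset yet.'
}

# Second reset: only now is the compromised key gone from every DC. In normal
# operations wait at least one maximum ticket lifetime (10 hours by default)
# between the two resets so legitimate tickets expire rather than fail; in an
# active incident the disruption is usually preferable to leaving the key valid.
Reset-KrbtgtPassword
if (-not (Wait-KrbtgtReplication)) {
    throw 'Second reset has not replicated to all DCs; check replication health (repadmin /showrepl).'
}
Get-KrbtgtPasswordLastSet | Format-Table -AutoSize
```

After the second reset, any golden ticket minted with the old key is rejected at the next service-ticket request. The reset does nothing about the access path the attacker used to obtain the key, so it belongs at the end of an incident response, after that path is closed.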