Golden Ticket! You lose! Good day, sir! (Updated)

In specific situations it is possible for an attacker who has already obtained the krbtgt account's key (which in practice means a domain controller, and therefore the domain, is already compromised, whatever the initial foothold was) to craft a Kerberos ticket granting ticket (TGT) offline. That forged TGT can then be used to request service tickets in the domain environment, and those service tickets can be presented to services for authorization just like legitimately issued ones.

Though very rare, these attacks are possible and are difficult to detect.

To help give basic insight into whether an odd-looking ticket granting ticket is present on a computer, I've written a PowerShell script. You can download it from the link below.

Kerberos Golden Ticket Check

https://gallery.technet.microsoft.com/scriptcenter/Kerberos-Golden-Ticket-b4814285 

This PowerShell script queries the Kerberos ticket caches on a computer and looks for ticket granting tickets whose duration (lifetime) differs from the 10 hour default, or from the duration the user running the script specifies (since the value can be changed per domain).

This script is not a security method in itself. Neither is it an antimalware tool. It is simply a script that may be helpful in quickly examining a specific computer's Kerberos ticket caches for anomalous tickets.

Essentially, the script compares the duration (lifetime) of each TGT, that is its end time minus its start time, against the lifetime the domain's KDCs are configured to issue. That value is set only through Kerberos policy applied at the domain level (on the domain controllers), and it is always a per-domain setting, so a TGT that a KDC actually issued will carry the domain lifetime. A forged ticket never passed through a KDC, so its lifetime is whatever the forger chose; in particular a lifetime longer than the policy allows is something a legitimate KDC will never produce.

The script takes one parameter, the ticket granting ticket lifetime in hours. If it is not specified the default is 10 (the same as the domain default in Active Directory). This setting is discussed on TechNet here. Here's the detailed description of the setting:

Maximum lifetime for user ticket

Description

This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used. When a user's TGT expires, a new one must be requested or the existing one must be "renewed."

Default: 10 hours.

  • The script will take one parameter which is the Ticket Granting Ticket lifetime. If not specified the default will be 10 (same as for the domain default in Active Directory).
  • The script will alert if any anomalous TGTs or service tickets are found and then display pertinent details about them in the PS prompt.
  • The script will give a message if none are found at all, basically an "all clear".
  • The script will write the returned information to a text file at %systemroot%\temp\KerberosGoldenTicketChecks.txt for review.
  • There is a known data return/formatting problem where the details of some impersonated TGTs are not displayed correctly. This will be addressed in a future update.
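The lifetime comparison described above, as an added example in PowerShell. This is not the "Kerberos Golden Ticket Check" script from the gallery link; it is a stand-alone illustration of the same idea. It parses klist-style ticket cache text, computes each TGT's lifetime (End Time minus Start Time) and compares it with the lifetime the domain's Kerberos policy should produce. The ticket cache text in $SampleKlist is constructed for this example (one normal 10 hour TGT, one with a 10 year lifetime, one delegated TGT with the shorter lifetime seen in the sample output further down this page, and one service ticket); the parameter names and the -UseLiveKlist switch are this example's own.

```powershell
# Added example (not the gallery "Kerberos Golden Ticket Check" script): parse klist-style
# ticket-cache text, compute each TGT's lifetime (End Time - Start Time) and compare it with
# the lifetime the domain's Kerberos policy should produce. $SampleKlist is constructed for
# illustration; -UseLiveKlist parses klist.exe for the caller's own logon session instead
# (other sessions need klist -li <LogonId> from an elevated prompt).
param(
    [int]$ExpectedLifetimeHours = 10,   # domain "Maximum lifetime for user ticket"
    [int]$ToleranceMinutes = 5,         # absorbs clock skew and second-level rounding
    [switch]$UseLiveKlist
)

$SampleKlist = @'
Current LogonId is 0:0x3e7

Cached Tickets: (4)

#0>     Client: COMPUTER1$ @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 3/23/2015 6:00:18 (local)
        End Time:   3/23/2015 16:00:18 (local)
        Kdc Called: DC5.CONTOSO.COM

#1>     Client: Administrator @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 3/23/2015 12:00:00 (local)
        End Time:   3/20/2025 12:00:00 (local)
        Kdc Called:

#2>     Client: COMPUTER1$ @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 3/23/2015 12:53:59 (local)
        End Time:   3/23/2015 16:00:18 (local)
        Kdc Called: DC5.CONTOSO.COM

#3>     Client: COMPUTER1$ @ CONTOSO.COM
        Server: cifs/FS1.contoso.com @ CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
        Start Time: 3/23/2015 12:54:10 (local)
        End Time:   3/23/2015 16:00:18 (local)
        Kdc Called: DC5.CONTOSO.COM
'@

function ConvertFrom-KlistOutput {
    param([string[]]$Lines, [cultureinfo]$Culture = [cultureinfo]::InvariantCulture)
    $tickets = New-Object System.Collections.Generic.List[object]
    $t = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>\s*Client:\s*(.+)$') {             # "#n>" starts a new ticket
            if ($t) { $tickets.Add([pscustomobject]$t) }
            $t = [ordered]@{ Client = $Matches[1].Trim(); Server = $null; Etype = $null
                             Flags = $null; Start = $null; End = $null; Kdc = $null }
            continue
        }
        if (-not $t) { continue }
        switch -Regex ($line) {
            '^\s*Server:\s*(.+)$'                     { $t.Server = $Matches[1].Trim() }
            '^\s*KerbTicket Encryption Type:\s*(.+)$' { $t.Etype  = $Matches[1].Trim() }
            '^\s*Ticket Flags\s+(0x[0-9A-Fa-f]+)'     { $t.Flags  = $Matches[1] }
            '^\s*Start Time:\s*(.+?)\s*\(local\)'     { $t.Start  = [datetime]::Parse($Matches[1], $Culture) }
            '^\s*End Time:\s*(.+?)\s*\(local\)'       { $t.End    = [datetime]::Parse($Matches[1], $Culture) }
            '^\s*Kdc Called:\s*(.*)$'                 { $t.Kdc    = $Matches[1].Trim() }
        }
    }
    if ($t) { $tickets.Add([pscustomobject]$t) }
    return ,$tickets
}

function Find-AnomalousTgt {
    param([object[]]$Tickets, [int]$ExpectedHours, [int]$ToleranceMinutes)
    foreach ($t in $Tickets) {
        if ($t.Server -notmatch '^krbtgt/') { continue }        # only TGTs, not service tickets
        if (-not ($t.Start -and $t.End))    { continue }
        $lifetime   = $t.End - $t.Start
        $offMinutes = $lifetime.TotalMinutes - ($ExpectedHours * 60)
        # A KDC never issues a TGT longer than policy, so "too long" is the strong signal.
        # "Too short" has benign causes: forwarded (delegated) and referral TGTs inherit an
        # earlier end time from the TGT they were derived from.
        $verdict = if ($offMinutes -gt $ToleranceMinutes)      { 'SUSPICIOUS: longer than policy' }
                   elseif ($offMinutes -lt -$ToleranceMinutes) { 'REVIEW: shorter than policy' }
                   else                                        { 'OK' }
        [pscustomobject]@{
            Client = $t.Client; EncryptionType = $t.Etype; Flags = $t.Flags
            StartTime = $t.Start; EndTime = $t.End
            LifetimeHours = [math]::Round($lifetime.TotalHours, 2)
            KdcCalled = $t.Kdc; Verdict = $verdict
        }
    }
}

$lines   = if ($UseLiveKlist) { & klist.exe } else { $SampleKlist -split '\r?\n' }
$culture = if ($UseLiveKlist) { [cultureinfo]::CurrentCulture } else { [cultureinfo]::InvariantCulture }
$report  = Find-AnomalousTgt -Tickets (ConvertFrom-KlistOutput -Lines $lines -Culture $culture) `
                             -ExpectedHours $ExpectedLifetimeHours -ToleranceMinutes $ToleranceMinutes
$report | Format-Table Client, EncryptionType, StartTime, EndTime, LifetimeHours, KdcCalled, Verdict -AutoSize
$flagged = @($report | Where-Object { $_.Verdict -like 'SUSPICIOUS*' })
if ($flagged.Count) { Write-Warning "$($flagged.Count) TGT(s) outlive the $ExpectedLifetimeHours h policy; treat as potential golden tickets." }
else                { Write-Host "No TGT outlives the $ExpectedLifetimeHours h policy." }
```

Run as-is it reports on the constructed sample: ticket #0 is OK, #1 is flagged as suspicious, #2 is marked for review and #3 is skipped because it is a service ticket. Two caveats apply to this check as much as to the script above. First, the lifetime is under the forger's control: the 10 year value in the sample is only what a forging tool produces when nobody overrides it, and a golden ticket minted with the domain's own 10 hour lifetime passes this test, so absence of a hit is not an "all clear". Second, live klist output prints dates in the current culture, which is why the live path parses with CurrentCulture, and klist.exe without -li only shows the caller's logon session.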

Here's a sample result where I specified the expiry time of the tickets as "2" instead of 10, which was the actual issuance.

Monday, March 23, 2015 2:39:44 PM
Review of local Kerberos ticket caches for ticket granting tickets (TGTs) or service tickets which have durations which differ from the domain specified ticket duration and hence may be maliciously created.

We have one or more potential Golden Ticket service tickets here folks.
Listing session information and ticket details...
SessionID : 0x3e7
Identity : CONTOSO\COMPUTER1$
AuthMethod : Negotiate
Logon Type : (0)

SessionID : 0x3e7
Identity : CONTOSO\COMPUTER1$
AuthMethod : Negotiate
Logon Type : (0)
Note: LogonID may not match Session info if the cache is for Kerberos delegation or services for user.
Session (LogonID) : 0xb9417
Client : COMPUTER1$ @ CONTOSO.COM
Server (Service) : krbtgt/CONTOSO.COM @ CONTOSO.COM
Encryption Type : RSADSI RC4-HMAC(NT)
Ticket Flags : 0x40a50000 -> forwardable renewable pre_authent ok_as_delegate name_canonicalize
StartTime : 3/23/2015 12:53:59 (local)
EndTime : 3/23/2015 16:00:18 (local)
RenewUntil : 3/30/2015 6:00:18 (local)
KDC Called : DC5.CONTOSO.COM

Though not a complete or comprehensive solution by any means, I hope this script helps folks out when looking for suspicious TGTs.