Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//NOFORN
Pique Analysis Report
20150821-261-CERT-EU Kerberos Golden Ticket
Raytheon Blackbird Technologies, Inc.
21 August 2015
Use or disclosure of data contained on this sheet is subject to the restrictions on the title page of this document.
1.0 (U) Analysis Summary
(S//NF) This report covers two reports on an attack known as “passing the golden ticket”, in which a forged Kerberos ticket-granting ticket (TGT) is passed. One report was provided by CERT-EU, titled “Protection from Kerberos Golden Ticket”, and the other is a slide deck from the 2015 RSA Conference titled “Hacking Exposed: Beyond Malware.” The RSA Conference slide deck only touches on passing the golden ticket. The CERT-EU report focuses, as the title suggests, on detecting and mitigating a passing-the-golden-ticket attack, and contains essentially no technical details on how to perform the attack. The RSA Conference slides provide some redacted PowerShell script commands that invoke mimikatz to build a golden ticket, but little technical discussion on implementing an attack from beginning to end. The report describes what access and artifacts are required to build a golden ticket, but it does not provide any technical details on achieving the required level of access or on pivoting to collect the necessary artifacts.
(S//NF) The pass-the-ticket attack is similar to a pass-the-hash attack, except that a Kerberos ticket is passed instead of an NTLM/LanMan hash. As is the case with pass-the-hash attacks, the pass-the-ticket attack is a two-step process:
1. Capture the credential from the memory of a compromised host, in this case the Kerberos ticket (TGT or ST). This requires:
   a. Having control of a compromised host in the target network (via spear phishing, social engineering, etc.).
   b. Having high privilege or the SeDebug privilege on the compromised host (privilege escalation tools can be used once a beachhead is established). Elevated privileges allow access to memory (i.e., LSASS) and enable credential harvesting from memory.
2. Replay the ticket to access resources:
   a. Once the credential is harvested, the attacker can use it to gain access to other resources such as another host or server (pivot). The mimikatz tool provides utilities to extract the Kerberos credentials from a target memory dump and to craft a golden ticket from the harvested credentials.
   b. A Kerberos golden ticket representing a privileged user on the target can enable the attacker to copy the entire Active Directory from the target.
(S//NF) The preceding description of a pass-the-ticket attack is the level of detail provided by the report, i.e., it gives no technical details on how to implement the attack, from gaining access to leveraging the ticket, only a high-level overview of the pass-the-ticket attack taxonomy.
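Because a golden ticket is crafted offline from harvested krbtgt material rather than issued by a domain controller, one detection approach is to look for service-ticket requests (Windows Security event 4769) for an account that has no corresponding TGT issuance (event 4768) from any domain controller within the TGT lifetime. The following is an added example of that heuristic, written for this page and not taken from the Raytheon report, the CERT-EU report or the RSA slides; the event records, the 10-hour lifetime and the field names are constructed assumptions.

```python
"""Heuristic detector for forged Kerberos TGTs (golden tickets) over
Windows Security event records.  Example code added for this page; it
is not from the Raytheon or CERT-EU reports.  Assumes event ID 4768 =
TGT requested and 4769 = service ticket requested (real Windows IDs),
and that events from ALL domain controllers are merged into one list."""
from datetime import datetime, timedelta

# Assumed maximum TGT lifetime under domain policy.  A forged ticket is
# typically given a far longer lifetime than any DC would ever issue.
MAX_TGT_LIFETIME = timedelta(hours=10)


def find_suspicious_tgs_requests(events, max_lifetime=MAX_TGT_LIFETIME):
    """Return the 4769 events whose account has no successful 4768 (TGT
    issuance) from any DC within max_lifetime before the service-ticket
    request.  A forged TGT is never issued by a DC, so such orphan
    service-ticket requests are a signal worth investigating."""
    tgt_times = {}  # account -> list of successful TGT issue times
    for ev in events:
        if ev["id"] == 4768 and ev.get("status", "0x0") == "0x0":
            tgt_times.setdefault(ev["user"].lower(), []).append(ev["time"])
    suspicious = []
    for ev in events:
        if ev["id"] != 4769:
            continue
        issued = tgt_times.get(ev["user"].lower(), [])
        # Any successful TGT inside the lifetime window explains this TGS.
        if not any(ev["time"] - max_lifetime <= t <= ev["time"] for t in issued):
            suspicious.append(ev)
    return suspicious


def _t(s):
    return datetime.fromisoformat(s)


# Constructed sample records (not real logs): alice authenticated normally;
# "admin" requests a service ticket although no DC ever issued it a TGT.
SAMPLE_EVENTS = [
    {"id": 4768, "time": _t("2015-08-21T08:00:00"), "user": "alice", "status": "0x0", "ip": "10.0.0.5"},
    {"id": 4769, "time": _t("2015-08-21T08:05:00"), "user": "alice", "service": "cifs/fs01", "ip": "10.0.0.5"},
    {"id": 4769, "time": _t("2015-08-21T09:10:00"), "user": "admin", "service": "ldap/dc01", "ip": "10.0.0.99"},
    {"id": 4769, "time": _t("2015-08-21T17:30:00"), "user": "alice", "service": "cifs/fs01", "ip": "10.0.0.5"},
]

if __name__ == "__main__":
    for ev in find_suspicious_tgs_requests(SAMPLE_EVENTS):
        print(f"{ev['time']} TGS for {ev['service']} by {ev['user']} "
              f"from {ev['ip']}: no DC-issued TGT within lifetime")
```

The heuristic only works when 4768/4769 events from every domain controller are collected centrally, and legitimate TGT renewals (event 4770) would need to be folded into the issuance list to avoid false positives on long sessions.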
(S//NF) Although the report is interesting and well written, it contains no technical details sufficient to warrant a PoC recommendation.
2.0 (U) Description of the Technique
(S//NF) Not applicable as no PoCs are recommended.