Golden Ticket Attack Allows Broad Network Access
Picus Security explains the Golden Ticket attack, a MITRE ATT&CK technique that can grant attackers extensive and persistent access to corporate networks.

Cybersecurity firm Picus Security has released a detailed analysis of the Golden Ticket attack, a technique identified as T1558.001 within the MITRE ATT&CK framework. This advanced attack method can grant unauthorized actors broad and long-lasting access to an entire enterprise network's resources, including files and servers.
The Golden Ticket attack involves exploiting the Kerberos authentication protocol used in Windows networks. When successful, an attacker can breach a system, escalate privileges to domain administrator, and steal credentials for the krbtgt account. These credentials allow for the creation of forged Kerberos tickets that function as legitimate access tokens, granting the attacker near-unfettered access to the network.
Picus Security's analysis delves into how the attack is performed using common tools such as Impacket and Mimikatz. It also discusses the potential impacts of the attack on organizations and provides suggestions for detection and mitigation.
Combating this threat requires robust security measures, including strong password policies and continuous network activity monitoring. Fully negating an active Golden Ticket attack necessitates changing the krbtgt account's password twice, highlighting its deep impact on network security.