- Tactics
- Credential Access
- Platforms
- Windows
- Reference
- attack.mitre.org/techniques/T1558.001
Description
Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), also known as a golden ticket.(Citation: AdSecurity Kerberos GT Aug 2015) Golden tickets enable adversaries to generate authentication material for any account in Active Directory.(Citation: CERT-EU Golden Ticket Protection)
Using a golden ticket, adversaries are then able to request ticket granting service (TGS) tickets, which enable access to specific resources. Golden tickets require adversaries to interact with the Key Distribution Center (KDC) in order to obtain TGS.(Citation: ADSecurity Detecting Forged Tickets)
The KDC service runs all on domain controllers that are part of an Active Directory domain. KRBTGT is the Kerberos Key Distribution Center (KDC) service account and is responsible for encrypting and signing all Kerberos tickets.(Citation: ADSecurity Kerberos and KRBTGT) The KRBTGT password hash may be obtained using OS Credential Dumping and privileged access to a domain controller.
How GTK Cyber trains on this
GTK Cyber's hands-on training programs cover detection engineering across the MITRE ATT&CK framework, including the Credential Access tactic this technique falls under. Our practitioner-led courses focus on building real detections, not just memorizing technique IDs.
Related techniques
- T1003 — OS Credential Dumping
- T1040 — Network Sniffing
- T1056 — Input Capture
- T1110 — Brute Force
- T1111 — Multi-Factor Authentication Interception
- T1187 — Forced Authentication
- T1212 — Exploitation for Credential Access
- T1528 — Steal Application Access Token
- T1539 — Steal Web Session Cookie
- T1552 — Unsecured Credentials
- T1555 — Credentials from Password Stores
- T1556 — Modify Authentication Process