{"id":2495,"date":"2016-01-05T23:01:38","date_gmt":"2016-01-06T04:01:38","guid":{"rendered":"https:\/\/adsecurity.org\/?p=2495"},"modified":"2017-12-04T13:51:57","modified_gmt":"2017-12-04T18:51:57","slug":"mimikatz-update-fixes-forged-kerberos-ticket-domain-field-anomaly-golden-ticket-invalid-domain-field-event-detection-no-longer-works","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=2495","title":{"rendered":"Mimikatz Update Fixes Forged Kerberos Ticket Domain Field Anomaly – Golden Ticket Invalid Domain Field Event Detection No Longer Works"},"content":{"rendered":"

In late 2014, I discovered that the domain field in many events in the Windows security event log are not properly populated when forged Kerberos tickets are used. The key indicator is that the domain field is blank or contains the FQDN instead of the short (netbios) name and depending on the tool used to generate the Kerberos tickets, other domain field anomalies may be present in the events.
\nThe likely reason for the anomalies is that third party tools that create Kerberos tickets (TGT & TGS) don\u2019t format the tickets exactly the same way as Windows does.<\/p>\n

Around this time last year (early January 2015), I shared with customers these indicators for detecting forged Kerberos tickets and subsequently presented this information at BSides Charm 2015. Soon after, Mimikatz was updated with a domain field that was set to static values, usually containing the string \u201ceo.oe\u201d.<\/p>\n

As of 4\/16\/2015: Mimikatz generated tickets may include the string \u201ceo.oe.kiwi : ) <\/a>\u201d in the domain field.
\nAs of 6\/29\/2015: Mimikatz generated tickets may include the string \u201c<3 eo.oe \u2013 ANSSI E><\/a>\u201d in the domain field.<\/p>\n

Few things in life are as consistent as the guarantee that things will change. In infosec, that means the attack tools will continue to evolve to evade detection and the defensive tools need to constantly evolve and improve.<\/p>\n

If you protect your Active Directory admins (and service accounts), you will likely not have to deal with forged Kerberos Tickets since they require prior admin access. The problem is that Active Directory & Enterprises are often not secured to protect against modern threats<\/a> and often, gaining Domain Admin rights to an AD domain is often too easy in many enterprises<\/a>.<\/p>\n

<\/p>\n

Detecting forged Kerberos tickets, including Golden Tickets and Silver Tickets, by identifying for domain field anomalies is likely no longer possible<\/strong>. As of the Mimikatz update dated 1\/5\/2016<\/a>, forged Kerberos tickets no longer include a domain anomaly since the netbios domain name is placed in the domain component of the Kerberos ticket<\/a>.<\/p>\n

Mimikatz code diff:<\/span>
\n\"GT-DomainFieldUpdate-20150105\"<\/a><\/p>\n

This means that attackers using the Mimikatz version dated 1\/5\/2016<\/a> and\/or Invoke-Mimikatz with this updated DLL will likely not trigger alerts based on the invalid domain fields I identified in the past<\/a>.<\/p>\n

User behavior analysis tools such as Microsoft Advanced Threat Analytics (ATA)<\/a> is the best current method to detect this and other attack types. The best way to detect Golden Tickets is to correlate TGS requests to prior TGT requests. If there’s no prior TGT request (within a threshold), then the TGS request may be related to a Golden Ticket.<\/strong><\/em><\/p>\n

Golden Ticket event from using Mimikatz <\/a>dated (11\/2015): Has the an invalid domain value (\u201c<3 eo.oe \u2013 ANSSI E><\/a><\/em>\u201c)<\/strong><\/p>\n

\"Mimikatz-GoldenTicket-DomainField-201511-02\"<\/a><\/p>\n

Golden Ticket event from using Mimikatz <\/a>dated (1\/\/05\/2015):<\/strong>\u00a0 Has the correct domain value (\u201cRD\u201d)\"Mimikatz-GoldenTicket-DomainFieldUpdate-20160105-02\"<\/a><\/p>\n

 <\/p>\n

I have updated the appropriate references:<\/p>\n