Keeping attackers out: golden tickets, silver tickets, and full domain recovery

Johann Scheepers, Incident Response Consultant
March 31, 2021

For an organization to recover fully from an incident, the attacker responsible must not only be removed, but eradicated. That means severing their way back in. Golden ticket attacks are well-recognized and have been known to give attackers access to their target’s systems for years, but they are not the only means for them to totally and repeatedly compromise a domain.

This short paper is a guide to Kerberos-based attacks that exploit legitimate functionality in Active Directory (AD). It includes guidance on how to remediate golden and silver ticket use, reset KRBTGT, and recover fully from domain controller compromise. Written from an incident response perspective, it helps readers appreciate the scale of the risk associated with both types of attack and shows the means by which this risk can be remediated.

What you’ll learn:

  • A more effective way to remediate the use of golden tickets in your environment than doing it manually
  • How to reset KRBTGT
  • Why silver ticket attacks need just as much attention as their golden equivalent
  • How to remediate them
  • Why it is so challenging to detect golden and silver ticket attacks in the first place
  • How to recover from a domain controller compromise, step-by-step
  • The other factors to prepare for and consider in your domain recovery plan