🔒 Secure Bits 💡
3 Classic AD Persistence Techniques You Should Know
Even in 2025, some of the most powerful techniques used to maintain unauthorized access in Active Directory environments remain the old classics — and they still work when conditions allow.
🟡 Golden Ticket
A forged Kerberos TGT created using the secret key of the KRBTGT account.
It allows impersonation of any user, with any group membership, for as long as the attacker wants.
➡️ Requires: Access to the KRBTGT account’s Kerberos key (e.g. via DCSync or NTDS dump)
➡️ Effect: Complete domain access
➡️ Tools: Mimikatz, Rubeus, Impacket
🟠 Silver Ticket
A forged Kerberos Service Ticket (TGS) created using the key of a specific service account or computer account.
It grants access to a particular service — like CIFS, HTTP, MSSQL — on a targeted system.
➡️ Requires: Service/computer account key (NTLM or AES)
➡️ Effect: Targeted access to a service, without ever contacting the Domain Controller
➡️ Tools: Mimikatz, Rubeus, Impacket
⚫ Skeleton Key
An in-memory patch to the LSASS process on a Domain Controller (works on Windows Server 2019 and earlier).
Allows a universal password for all domain accounts — while legitimate passwords still work.
➡️ Requires: Admin access to a DC
➡️ Effect: Silent backdoor that lasts until reboot
➡️ Tools: Mimikatz
🛡️ Defensive Measures
✅ Rotate KRBTGT and DSRM passwords regularly
✅ Use managed service accounts (gMSA) to reduce ticket forging opportunities
✅ Monitor Kerberos activity: anomalies in ticket lifetimes, encryption types, logon patterns
✅ Enable LSASS protection and alert on memory manipulation
✅ Apply least privilege and segment administrative access
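The Kerberos monitoring item above, as an added defender-side example that is not from the post or the linked articles: it correlates constructed Windows Security events (4768 TGT requested, 4769 service ticket requested, 4624 logon) to flag the traces the three techniques leave, namely RC4 tickets for AES-capable accounts, service tickets with no TGT ever issued by a DC (Golden Ticket), and a Kerberos logon on a host with no service ticket issued by any DC (Silver Ticket, which never contacts the DC). Assumptions: a 10-hour maximum TGT lifetime, an `aes_accounts` set of accounts that should never negotiate RC4, and that member-server 4624 events are collected alongside DC events; the event IDs and encryption-type codes (0x17 RC4-HMAC, 0x12 AES256) are the real Windows values, the log records are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
RC4_HMAC = 0x17               # etype 23: what tickets forged from an NTLM hash typically use
WINDOW = timedelta(hours=10)  # assumed domain maximum TGT lifetime; tune to your policy

# Constructed sample records (not real logs): ts|event_id|account|target_host|etype_hex
SAMPLE_LOG = """\
2025-05-01T08:00:00|4768|alice|dc01|12
2025-05-01T08:01:00|4769|alice|fileserver01|12
2025-05-01T08:01:05|4624|alice|fileserver01|-
2025-05-01T09:00:00|4769|bob|fileserver01|17
2025-05-01T09:30:00|4624|carol|sqlserver01|-
"""
def parse(line):
    # '-' marks events (4624) that carry no ticket encryption type
    ts, eid, acct, target, etype = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "eid": int(eid), "acct": acct.lower(),
            "target": target.lower(), "etype": None if etype == "-" else int(etype, 16)}

def find_anomalies(events, aes_accounts):
    """Return (rule, account, target) tuples for the three forged-ticket patterns."""
    tgt = defaultdict(list)  # account -> timestamps of 4768 (TGT issued by a DC)
    tgs = defaultdict(list)  # account -> (timestamp, host) of 4769 (service ticket issued)
    for e in events:
        if e["eid"] == 4768:
            tgt[e["acct"]].append(e["ts"])
        elif e["eid"] == 4769:
            tgs[e["acct"]].append((e["ts"], e["target"]))
    def recent(ts, candidates):
        return any(timedelta(0) <= ts - t <= WINDOW for t in candidates)
    findings = []
    for e in events:
        if e["eid"] == 4769:
            # RC4 service ticket for an AES-capable account: encryption downgrade
            if e["etype"] == RC4_HMAC and e["acct"] in aes_accounts:
                findings.append(("rc4-downgrade", e["acct"], e["target"]))
            # Service ticket used without any TGT issued by a DC: Golden Ticket pattern
            if not recent(e["ts"], tgt[e["acct"]]):
                findings.append(("tgs-without-tgt", e["acct"], e["target"]))
        elif e["eid"] == 4624:
            # Kerberos logon on a host with no matching 4769 on any DC: Silver Ticket pattern
            hits = [t for t, host in tgs[e["acct"]] if host == e["target"]]
            if not recent(e["ts"], hits):
                findings.append(("logon-without-tgs", e["acct"], e["target"]))
    return findings

def run_sample():
    events = [parse(ln) for ln in SAMPLE_LOG.splitlines() if ln.strip()]
    return find_anomalies(events, aes_accounts={"alice", "bob", "carol"})
```

In production the correlation must span every DC in the domain, since a legitimate TGT may be issued by one DC and the service ticket by another.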
🧠 These aren’t theoretical — they’re practical, still relevant, and part of every serious AD security assessment.
📝 Full articles by Martin Handl:
https://iqunit.com/silver-ticket-angriff/
https://iqunit.com/golden-ticket-angriff/
https://iqunit.com/skeleton-key-angriff/
