The Sapphire Ticket Attack: A Sneaky Kerberos Exploit Explained
- 10 crc
- Apr 28

The Sapphire Ticket Attack is a stealthy cyberattack targeting Microsoft Active Directory’s Kerberos authentication. It allows attackers to impersonate high-privileged users, like Domain Admins, by exploiting Kerberos trust. This concise blog explains the attack, why it’s dangerous, and how to protect your network. Perfect for readers new to cybersecurity or busy admins looking for quick insights!
What is the Sapphire Ticket Attack?
The Sapphire Ticket Attack manipulates Kerberos tickets to gain unauthorized access. Kerberos, used in Active Directory, authenticates users via Ticket Granting Tickets (TGTs) and Service Tickets, which include a Privilege Attribute Certificate (PAC) listing user privileges. Attackers forge a TGT by replacing its PAC with one from a privileged user, granting them elevated access.
Unlike Golden or Diamond Tickets, Sapphire Tickets use legitimate components, making them hard to detect. It’s a favorite for attackers seeking stealthy privilege escalation or lateral movement.
How Does It Work?
Here’s a simplified breakdown:
1. Steal KRBTGT Hash: Attackers compromise a domain controller to extract the KRBTGT account’s hash, which is used to encrypt TGTs.
2. Get a Legitimate TGT: Using a low-privileged account, they request a valid TGT.
3. Grab a Privileged PAC: They use Kerberos extensions (S4U2Self and U2U) to obtain a PAC from a high-privileged user, like a Domain Admin.
4. Forge the Ticket: The TGT’s PAC is replaced with the privileged PAC, and the ticket is re-encrypted with the KRBTGT hash.
5. Gain Access: The forged TGT is used to access services as the privileged user.
Tools like Mimikatz, Rubeus, or Impacket automate this process.
Why Is It Dangerous?
- Stealthy: Uses legitimate tickets and PACs, blending into normal Kerberos traffic.
- Powerful: Grants Domain Admin-level access, enabling full network compromise.
- Hard to Detect: Standard logs may not flag the attack due to its use of valid components.
How to Detect It
- Monitor Logs: Check Event IDs 4768 (TGT requests) and 4769 (TGS requests) for unusual activity, like low-privileged accounts requesting privileged tickets.
- Spot Delegation Abuse: Look for odd S4U2Self or U2U requests in logs (e.g., 4769 events whose ticket options include the ENC-TKT-IN-SKEY flag, which marks a user-to-user request).
- Track KRBTGT Access: Audit attempts to extract the KRBTGT hash via DCSync (Event ID 4662, directory replication rights exercised by an account that is not a domain controller).
- Use EDR/SIEM: Tools like Splunk or CrowdStrike can detect tool usage (e.g., Mimikatz commands).
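To make the detection list concrete, here is an added example (not code from the original post) that runs the three log checks above over a handful of constructed Windows Security events. The event records, account names (jsmith, DC01$, DC02$), IP address and realm are all made up; the field names follow the XML data names of events 4769 and 4662, the ENC-TKT-IN-SKEY bit is the KDC option as it appears in the 4769 "Ticket Options" field, and the GUIDs are the well-known directory replication extended rights that DCSync exercises.

```python
"""Triage constructed 4769/4662 events for Sapphire-Ticket-related activity.

Added example; the events below are constructed samples, not real logs.
"""

# KDC option ENC-TKT-IN-SKEY (user-to-user) as it appears in the 4769
# "Ticket Options" bitmask.
ENC_TKT_IN_SKEY = 0x00000008

# Extended-rights GUIDs logged in the 4662 "Properties" field when an account
# performs directory replication (what a DCSync request needs).
REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}

# Hypothetical allow-list of domain controller computer accounts, which
# legitimately replicate with each other.
KNOWN_DCS = {"DC01$", "DC02$"}

# Constructed sample events (field names mirror the Security log XML data).
SAMPLE_EVENTS = [
    # U2U + S4U2Self style request: the service name is the requester itself.
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "jsmith",
     "TicketOptions": 0x40810008, "IpAddress": "10.0.0.50"},
    # Ordinary service-ticket request for a file server.
    {"EventID": 4769, "TargetUserName": "jsmith@CORP.LOCAL", "ServiceName": "cifs/fs01",
     "TicketOptions": 0x40810000, "IpAddress": "10.0.0.50"},
    # Replication right exercised by a regular user account: DCSync pattern.
    {"EventID": 4662, "SubjectUserName": "jsmith", "ObjectType": "domainDNS",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # Replication right exercised by a domain controller: expected traffic.
    {"EventID": 4662, "SubjectUserName": "DC02$", "ObjectType": "domainDNS",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2}"},
]


def sam_name(name: str) -> str:
    """Strip a realm suffix ('user@REALM') and lowercase for comparison."""
    return name.split("@", 1)[0].lower()


def is_u2u_request(ev: dict) -> bool:
    """4769 with ENC-TKT-IN-SKEY set: a user-to-user service-ticket request."""
    return ev.get("EventID") == 4769 and bool(ev.get("TicketOptions", 0) & ENC_TKT_IN_SKEY)


def is_self_service_request(ev: dict) -> bool:
    """4769 where the requested service is the requesting account itself,
    the shape an S4U2Self request takes in the log."""
    if ev.get("EventID") != 4769:
        return False
    return sam_name(ev.get("ServiceName", "")) == sam_name(ev.get("TargetUserName", ""))


def is_replication_by_non_dc(ev: dict) -> bool:
    """4662 carrying a replication GUID for a subject that is not a known DC."""
    if ev.get("EventID") != 4662:
        return False
    props = ev.get("Properties", "").lower()
    if not any(guid in props for guid in REPLICATION_GUIDS):
        return False
    return ev.get("SubjectUserName", "") not in KNOWN_DCS


def triage(events: list) -> list:
    """Return (reason, event) pairs for every check that fires."""
    findings = []
    for ev in events:
        if is_u2u_request(ev):
            findings.append(("U2U ticket request (ENC-TKT-IN-SKEY set)", ev))
        if is_self_service_request(ev):
            findings.append(("service ticket requested for the requester's own account", ev))
        if is_replication_by_non_dc(ev):
            findings.append(("directory replication by a non-DC account (possible DCSync)", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in triage(SAMPLE_EVENTS):
        who = ev.get("TargetUserName") or ev.get("SubjectUserName")
        print(f"[{ev['EventID']}] {who}: {reason}")
```

On the constructed input the first event trips both 4769 checks and the third trips the DCSync check; the ordinary file-server request and the DC-to-DC replication produce nothing. In a real environment the DC allow-list would come from the directory itself, and the 4769 checks are best combined with the 4768 view of which accounts requested the TGT in the first place, since a Sapphire Ticket starts from a low-privileged TGT.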
How to Prevent It
- Rotate KRBTGT Password: Reset it twice every 180 days or after a breach.
- Harden Kerberos: Disable RC4, enable PAC validation, and limit S4U2Self/U2U delegation.
- Apply Least Privilege: Reduce Domain Admin accounts and use the Protected Users group.
- Patch Systems: Apply Microsoft’s CVE-2021-42287 patch to enforce new PAC structures.
- Monitor and Segment: Use EDR, log Kerberos events, and segment networks to protect domain controllers.
Conclusion
The Sapphire Ticket Attack is a sneaky way attackers exploit Kerberos to take over Active Directory. Its use of legitimate tickets makes it tough to spot, but with proper monitoring, patching, and security practices, you can defend your network. Stay vigilant, keep your KRBTGT account secure, and regularly audit your AD environment.
Want More? Check out The Hacker Recipes for technical details or leave a comment for tips tailored to your setup!