The KRBTGT account is a critical local account within Active Directory, serving as a Key Distribution Center (KDC) service account for domain controllers.
A service account is used by applications or services to interact programmatically with other applications, services, or systems.
Attackers often target the KRBTGT account because gaining access to it can provide unconstrained access to the domain. This facilitates privilege escalation and persistence through attacks like the Golden Ticket attack.
The KRBTGT account, a default account in all Active Directory domains, is responsible for the Ticket Granting Ticket (TGT). If an attacker compromises the KRBTGT account, they gain control over the domain controller.
By accessing the KRBTGT account's hash, which is used to encrypt Kerberos tickets, attackers can create a forged TGT, known as a Golden Ticket, with unlimited lifetime and full domain privileges.
This Golden Ticket allows them to request and forge additional Ticket Granting Service (TGS) tickets, granting access to specific resources or services.
Utilizing tools like mimikatz.exe, attackers can dump the KRBTGT NTLM hash and domain SID to generate a Golden Ticket, enabling Pass-the-Ticket (PtT) attacks to move laterally and access any machine within the domain.
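A defender-side check for the forged-ticket behaviour described above, as an added example that is not from the original page: a Golden Ticket is never issued by the KDC, so service-ticket requests (event 4769) show up with no matching TGT request (4768) or renewal (4770) inside the ticket lifetime. The sample events, their field names and the 10-hour lifetime are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: domain policy "Maximum lifetime for user ticket" left at 10 hours.
MAX_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events (not real logs). Event IDs: 4768 = TGT requested,
# 4770 = ticket renewed, 4769 = service ticket requested. Field names are hypothetical.
EVENTS = [
    {"id": 4768, "time": "2024-05-01T07:00:00", "user": "carol", "ip": "::ffff:10.0.0.7"},
    {"id": 4768, "time": "2024-05-01T08:00:00", "user": "alice", "ip": "::ffff:10.0.0.5"},
    {"id": 4769, "time": "2024-05-01T09:30:00", "user": "alice@CORP.EXAMPLE",
     "ip": "::ffff:10.0.0.5", "service": "cifs/fs01"},
    {"id": 4769, "time": "2024-05-01T10:00:00", "user": "bob@CORP.EXAMPLE",
     "ip": "::ffff:10.0.0.9", "service": "ldap/dc01"},
    {"id": 4770, "time": "2024-05-01T16:00:00", "user": "carol@CORP.EXAMPLE",
     "ip": "::ffff:10.0.0.7"},
    {"id": 4769, "time": "2024-05-01T19:00:00", "user": "alice@CORP.EXAMPLE",
     "ip": "::ffff:10.0.0.5", "service": "cifs/fs01"},
    {"id": 4769, "time": "2024-05-01T20:00:00", "user": "carol@CORP.EXAMPLE",
     "ip": "::ffff:10.0.0.7", "service": "cifs/fs01"},
]

def _key(ev):
    """Normalise (account, client) so 4768 'alice' matches 4769 'alice@REALM'."""
    user = ev["user"].split("@")[0].lower()
    ip = ev["ip"]
    if ip.startswith("::ffff:"):          # IPv4-mapped form seen in these events
        ip = ip[7:]
    return user, ip

def find_orphan_service_tickets(events, max_age=MAX_TGT_LIFETIME):
    """Return 4769 events with no 4768/4770 for the same account and client
    within max_age before them."""
    last_tgt, orphans = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        when, key = datetime.fromisoformat(ev["time"]), _key(ev)
        if ev["id"] in (4768, 4770):
            last_tgt[key] = when          # KDC really issued or renewed a TGT
        elif ev["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or when - seen > max_age:
                orphans.append((ev["time"], key[0], key[1], ev["service"]))
    return orphans

if __name__ == "__main__":
    for hit in find_orphan_service_tickets(EVENTS):
        print("no TGT on record for service ticket:", hit)
```

Feed it events collected from every domain controller, since the TGT request and the service-ticket request can land on different DCs; a log window that starts after a legitimate TGT was issued will also produce hits that need triage.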
Summary:
- The KRBTGT account in Active Directory is crucial for domain security but is often targeted by attackers to create forged Kerberos tickets, granting unrestricted access and enabling lateral movement within the network.
- Using tools like mimikatz, attackers can exploit this account to escalate privileges and maintain persistence.