Active Directory · Term

What is a Golden Ticket?

A Golden Ticket is a forged Kerberos ticket signed with the stolen KRBTGT key, letting an attacker impersonate anyone in the domain for as long as they like. Here is what a Golden Ticket is, how it is made, and why it means a domain rebuild.

TL;DR

A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) created with the domain’s KRBTGT password hash. Because every Domain Controller trusts anything signed with that key, the attacker can mint a ticket claiming to be any user in any group, including Domain Admins, valid for years and independent of password changes. It is the ultimate Active Directory persistence, and it requires first stealing the KRBTGT hash, usually via DCSync after reaching Domain Admin.

By John Dill, Red Team Lead, SecureLayer7

What a Golden Ticket is

Kerberos issues every user a TGT signed with the KRBTGT account’s password hash, and the whole domain trusts that signature. A Golden Ticket is a TGT the attacker forges themselves using a stolen KRBTGT hash.

The forged ticket can claim any identity and any group membership the attacker wants, and the Domain Controllers accept it because the signature checks out. It does not depend on the impersonated user’s password, so changing that password does nothing.

How it is forged

A Golden Ticket needs the KRBTGT hash first, then the forgery:

  • Steal the KRBTGT hash via DCSync: lsadump::dcsync /user:krbtgt (Mimikatz) or secretsdump.py -just-dc-user krbtgt ...
  • Forge and inject the ticket: kerberos::golden /user:Administrator /domain:corp.local /sid:<SID> /krbtgt:<hash> /ptt
  • Or with Rubeus: Rubeus.exe golden /rc4:<krbtgt-hash> /user:Administrator /domain:corp.local /sid:<SID>

From there the attacker acts as a Domain Admin. These are documented, publicly known techniques, shown here so defenders know what to look for.

How to defend

  • Protect Tier 0 so attackers cannot reach the KRBTGT hash via DCSync in the first place.
  • Rotate the KRBTGT password regularly, and twice after any suspected compromise.
  • Restrict replication rights so DCSync is hard to perform.
  • Detect anomalies: tickets with unusual lifetimes or accounts that exist only in the ticket are Golden Ticket signs.
  • Monitor for DCSync from non-DC sources, the usual precursor.
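The last two defensive checks, written as detection logic over constructed, SIEM-style normalized events. This is an added example, not code from the original page or from SecureLayer7; the event schema, the known-account list and the DC host list are assumptions, while the event IDs and replication-right GUIDs are the real Windows and AD schema values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Extended rights a DCSync must request (real AD schema GUIDs).
REPL_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
}
MAX_TGT_LIFETIME = timedelta(hours=10)  # default domain policy; forged tickets often claim years

@dataclass
class Event:
    """Assumed normalized record: 4624/4769 for ticket use, 4662 for directory access."""
    event_id: int
    account: str
    host: str
    start: datetime = None          # ticket validity window, when the collector exposes it
    end: datetime = None
    rights: set = field(default_factory=set)  # access-right GUIDs on a 4662 event

def ticket_findings(evt, known_accounts, max_lifetime=MAX_TGT_LIFETIME):
    """Golden Ticket indicators present in one ticket event (empty list means clean)."""
    reasons = []
    if evt.account.lower() not in known_accounts:
        reasons.append("account not in directory")  # identity exists only inside the ticket
    if evt.start and evt.end and evt.end - evt.start > max_lifetime:
        reasons.append("ticket lifetime exceeds policy")
    return reasons

def is_dcsync_from_non_dc(evt, dc_hosts):
    """4662 requesting replication rights from a host that is not a Domain Controller."""
    return evt.event_id == 4662 and bool(evt.rights & REPL_RIGHTS) and evt.host.lower() not in dc_hosts

def scan(events, known_accounts, dc_hosts):
    hits = []
    for e in events:
        if e.event_id in (4624, 4769):
            reasons = ticket_findings(e, known_accounts)
            if reasons:
                hits.append((e, reasons))
        elif is_dcsync_from_non_dc(e, dc_hosts):
            hits.append((e, ["DCSync from non-DC"]))
    return hits

KNOWN = {"administrator", "jdoe", "krbtgt"}   # assumed directory export
DCS = {"dc01"}                                # assumed DC hostnames
t0 = datetime(2024, 1, 1, 8, 0)
SAMPLE = [  # constructed events, not real log data
    Event(4769, "jdoe", "ws12", t0, t0 + timedelta(hours=10)),            # normal TGS request
    Event(4769, "Administrator", "ws12", t0, t0 + timedelta(days=3650)),  # ten-year ticket
    Event(4624, "ghostuser", "ws12", t0, t0 + timedelta(hours=10)),       # account only in ticket
    Event(4662, "jdoe", "ws12", rights={"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}),  # DCSync precursor
    Event(4662, "DC02$", "dc01", rights={"1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"}), # DC-to-DC replication
]
```

Running `scan(SAMPLE, KNOWN, DCS)` flags the three suspicious records and leaves the normal request and the DC-to-DC replication alone.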
