A Golden Ticket attack abuses the Kerberos authentication protocol by forging Ticket-Granting Tickets (TGTs) using the KRBTGT account’s password hash. In Active Directory, the KRBTGT account is a special account used by the Key Distribution Center (KDC) to encrypt and sign Kerberos tickets. If an attacker compromises the KRBTGT hash, they can mint tickets that grant them virtually unlimited access across the domain, essentially giving them "golden" credentials.

KRBTGT Context:
The KRBTGT account’s password hash is the secret used by the KDC to create and sign TGTs. Compromising this hash allows attackers to forge TGTs that are trusted by all domain controllers.
Mechanism:
By forging a TGT with the KRBTGT hash, an attacker can impersonate any user, mint new service tickets, and gain full control over Active Directory resources. Unlike Silver Ticket attacks (which target individual service accounts), Golden Ticket attacks provide broad, domain-wide access.
Objective:
Gain administrative privileges and extract the KRBTGT password hash.
Example Tool & Command:
Use Mimikatz with the DCSync method:
mimikatz.exe "lsadump::dcsync /user:DOMAIN\KRBTGT"
Outcome:
The command outputs the NTLM and/or AES password hashes for the KRBTGT account.
Process:
With the compromised KRBTGT hash, use Mimikatz (or similar tools) to mint a forged TGT.
Example Command:
mimikatz.exe "kerberos::golden /domain:domain.com /sid:S-1-5-21-5840559-2756745051-1363507867 /aes256:ffa8bd983a5a03618bdf577c2d79a467265f140ba339b89cc0a9c1bfdb4747f5 /user:NonExistentUser /groups:513,2668 /ptt"
Parameters Explained:
/domain: The fully qualified domain name
/sid: The domain SID
/aes256: The AES-256 hash of the KRBTGT account (alternatively, /ntlm or /rc4 can be used)
/user: The username to impersonate
/groups: Group RIDs to include in the ticket (the first group is the primary group)
/ptt: Injects the forged ticket into the current session
Result:
The forged TGT (Golden Ticket) is accepted by any domain controller, enabling the attacker to request service tickets for any resource.
Example Use Case:
Accessing databases, file shares, or other Kerberos-integrated resources across the network.
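A detection check for the forged-TGT behaviour described above, added here as an example that is not part of the original page: because a Golden Ticket is presented straight to the TGS, domain controllers log service-ticket requests (Event ID 4769) for an account that never obtained a TGT through a logged AS exchange (Event ID 4768), and, as with /user:NonExistentUser above, the account may not exist in the directory at all. The event records, account list and simplified field names are constructed stand-ins for Windows Security log data, and the check assumes 4768/4769 events from all domain controllers are aggregated.

```python
from collections import defaultdict

# Constructed sample events: 4768 = TGT (AS) request, 4769 = service ticket (TGS) request.
# Field names are simplified stand-ins for the Security log fields; timestamps are seconds.
EVENTS = [
    {"id": 4768, "account": "alice", "client_ip": "10.0.0.5", "ts": 100},
    {"id": 4769, "account": "alice", "service": "cifs/fs01", "client_ip": "10.0.0.5", "ts": 105},
    {"id": 4769, "account": "NonExistentUser", "service": "cifs/fs01", "client_ip": "10.0.0.77", "ts": 200},
    {"id": 4769, "account": "bob", "service": "MSSQLSvc/db01", "client_ip": "10.0.0.77", "ts": 210},
]
# Constructed stand-in for an export of user and computer accounts from the directory.
KNOWN_ACCOUNTS = {"alice", "bob"}


def find_suspicious_tgs(events, known_accounts, window=3600):
    """Return 4769 events whose account has no 4768 within `window` seconds before it,
    or whose account is not a known directory principal. Assumes events from all DCs
    are merged; a TGT older than `window` (renewed tickets, long sessions) will also
    flag, so tune the window to the domain's TGT lifetime before alerting on it alone."""
    known = {a.lower() for a in known_accounts}
    tgt_times = defaultdict(list)
    for e in events:
        if e["id"] == 4768:
            tgt_times[e["account"].lower()].append(e["ts"])

    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        acct = e["account"].lower()
        reasons = []
        if acct not in known:
            reasons.append("account not in directory")
        if not any(0 <= e["ts"] - t <= window for t in tgt_times.get(acct, [])):
            reasons.append("no preceding 4768 TGT request")
        if reasons:
            findings.append((e["account"], e["service"], e["client_ip"], reasons))
    return findings


if __name__ == "__main__":
    for account, service, ip, reasons in find_suspicious_tgs(EVENTS, KNOWN_ACCOUNTS):
        print(f"{account} -> {service} from {ip}: {', '.join(reasons)}")
```

Pairing the "account not in directory" finding with an abnormal ticket lifetime or an unexpected encryption type in the same 4769 record raises confidence, since a legitimate TGS request always follows a TGT issued by some DC.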