Vol. 1 · Ed. 2026
CyberGlossary
Entry № 500

Golden Ticket

Reviewed by Cybersecurity entrepreneur & security researcher

What is Golden Ticket?

Golden Ticket: A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain.

A Golden Ticket is a TGT crafted offline by an attacker who has obtained the krbtgt account's password hash, typically through a DCSync replication attack or by compromising a domain controller. Because every Kerberos TGT in a domain is signed by krbtgt, anyone holding that hash can mint tickets for arbitrary users, groups, and validity periods, granting persistent domain dominance. MITRE ATT&CK tracks the technique as T1558.001 (Steal or Forge Kerberos Tickets: Golden Ticket).

The forgery works because a domain controller does not verify a TGT it issued against any server-side state — it trusts that a TGT decryptable with the krbtgt key is authentic, and reads the embedded PAC (Privilege Attribute Certificate) to decide group membership. An attacker can therefore inject arbitrary SIDs, such as the Enterprise Admins group (RID 519), directly into the PAC. Microsoft's MS14-068 patch (CVE-2014-6324) hardened PAC signature validation against a related forgery where a low-privileged user faked a PAC without the krbtgt hash; a genuine Golden Ticket still works post-patch because it is signed with the real krbtgt key.

Because krbtgt is a service account whose password almost never changes, a single ticket can stay valid for years and survives full credential resets of every other user, which made it a favourite persistence trick of the NotPetya and APT era. The only reliable eviction is rotating the krbtgt password twice in succession (the account retains the current and previous keys), which invalidates all outstanding tickets.

flowchart TD
  A[Compromise domain controller] --> B[Extract krbtgt hash<br/>via DCSync or LSASS dump]
  B --> C[Forge TGT offline<br/>mimikatz kerberos::golden]
  C --> D[Inject privileged SIDs into PAC<br/>e.g. Domain / Enterprise Admins]
  D --> E[Pass-the-Ticket into a logon session]
  E --> F[Request service tickets for any resource]
  F --> G[Persistent domain dominance]
  H[Rotate krbtgt twice + audit DCSync] -.defends.-> B

Mitigations include rotating the krbtgt password twice after any DC compromise, restricting and auditing DCSync (directory replication) rights, deploying tier-0 administration, and hunting for anomalous tickets — absurdly long lifetimes, accounts with no preceding AS-REQ, or event 4769 requests for users that never performed an interactive logon.
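The hunting indicators listed above can be checked mechanically once domain controller security events are collected centrally. The following is an added example, not code from the glossary or from any vendor tool: it runs three of those checks over a constructed, simplified representation of Windows events 4768 (a TGT was requested, i.e. an AS-REQ reached a DC) and 4769 (a service ticket was requested) plus a constructed snapshot of cached tickets. The field names, the sample records, the account list and the 10-hour lookback (an assumption standing in for the domain's maximum TGT lifetime) are all illustrative; the 10-year ticket in the sample mirrors the Mimikatz example in the Examples section.

```python
"""Golden Ticket hunting over Kerberos audit events (added example, not from the page).

Constructed data: event field names are a simplified stand-in for the real
4768/4769 schema, and the lookback is an assumed domain TGT lifetime.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class KerberosEvent:
    event_id: int      # 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ)
    when: datetime
    account: str       # requesting account name, lower-cased
    client_ip: str     # client address recorded by the DC


@dataclass(frozen=True)
class CachedTicket:
    account: str
    start: datetime
    end: datetime


def tgs_without_as_req(events, lookback=timedelta(hours=10)):
    """Return 4769 events whose (account, client) has no 4768 within `lookback`.

    A forged TGT is never issued by a DC, so pass-the-ticket use shows up as
    service-ticket requests with no preceding AS-REQ. Events from every DC in
    the domain must be merged first, since the AS-REQ may have hit another DC.
    `lookback` should match the domain's maximum TGT lifetime (assumed 10 h here).
    """
    last_as_req = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev.when):
        key = (e.account, e.client_ip)
        if e.event_id == 4768:
            last_as_req[key] = e.when
        elif e.event_id == 4769:
            seen = last_as_req.get(key)
            if seen is None or e.when - seen > lookback:
                hits.append(e)
    return hits


def unknown_principals(events, known_accounts):
    """Return 4769 events for accounts absent from the directory snapshot.

    Golden Tickets are routinely minted for users that do not exist in AD;
    the DC accepts them because it trusts the krbtgt-signed PAC, not AD state.
    """
    known = {a.lower() for a in known_accounts}
    return [e for e in events if e.event_id == 4769 and e.account.lower() not in known]


def overlong_tickets(tickets, max_lifetime=timedelta(hours=10)):
    """Return cached tickets whose lifetime exceeds the policy maximum."""
    return [t for t in tickets if t.end - t.start > max_lifetime]


# --- constructed sample data (not real telemetry) ---------------------------
T0 = datetime(2024, 1, 1, 8, 0, 0)
SAMPLE_EVENTS = [
    KerberosEvent(4768, T0 - timedelta(hours=12), "bob", "10.0.0.7"),
    KerberosEvent(4768, T0, "alice", "10.0.0.5"),
    KerberosEvent(4769, T0 + timedelta(minutes=1), "alice", "10.0.0.5"),   # normal
    KerberosEvent(4769, T0 + timedelta(hours=1), "ghostadmin", "10.0.0.99"),  # no AS-REQ, unknown user
    KerberosEvent(4769, T0 + timedelta(hours=2), "bob", "10.0.0.7"),       # AS-REQ older than lookback
]
KNOWN_ACCOUNTS = {"alice", "bob", "krbtgt"}
SAMPLE_TICKETS = [
    CachedTicket("alice", T0, T0 + timedelta(hours=10)),
    CachedTicket("ghostadmin", T0, T0 + timedelta(days=3650)),  # 10-year forged TGT
]


def hunt(events=SAMPLE_EVENTS, known_accounts=KNOWN_ACCOUNTS, tickets=SAMPLE_TICKETS):
    """Run all three checks and return the flagged account names per check."""
    return {
        "tgs_without_as_req": [e.account for e in tgs_without_as_req(events)],
        "unknown_principals": [e.account for e in unknown_principals(events, known_accounts)],
        "overlong_tickets": [t.account for t in overlong_tickets(tickets)],
    }


if __name__ == "__main__":
    for check, accounts in hunt().items():
        print(f"{check}: {accounts}")
```

In a real deployment the account snapshot would come from a directory export and the lookback from the domain's Kerberos policy; a hit on any one check is a lead for investigation, while a hit on all three for the same account is a strong Golden Ticket signal.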

Examples

  1. Mimikatz kerberos::golden command creating a 10-year TGT for a fake user marked as Domain Admin.

  2. Post-compromise persistence where the attacker can re-enter the domain even after passwords are reset.

Frequently asked questions

What is Golden Ticket?

A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain. It belongs to the Attacks & Threats category of cybersecurity.

What does Golden Ticket mean?

A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain.

How do you defend against Golden Ticket?

Defences for Golden Ticket typically combine technical controls and operational practices, as detailed in the full definition above.
