Golden Ticket
What is Golden Ticket?
Golden Ticket: A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain.
A Golden Ticket is a TGT crafted offline by an attacker who has obtained the krbtgt account's password hash, typically through a DCSync replication attack or by compromising a domain controller. Because every Kerberos TGT in a domain is signed by krbtgt, anyone holding that hash can mint tickets for arbitrary users, groups, and validity periods, granting persistent domain dominance. MITRE ATT&CK tracks the technique as T1558.001 (Steal or Forge Kerberos Tickets: Golden Ticket). Mitigations include rotating the krbtgt password twice after any DC compromise, restricting and auditing DCSync rights, deploying tier-0 administration, and hunting for anomalously long-lived or impossible TGTs.
● Examples
- 01 Mimikatz kerberos::golden command creating a 10-year TGT for a fake user marked as Domain Admin.
- 02 Post-compromise persistence where the attacker can re-enter the domain even after passwords are reset.
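The hunting mitigation named in the definition, applied to a 10-year ticket like the one in the first example. This is an added illustration, not part of the original entry. The ticket inventory, account list and DC issuance records are constructed sample data, the limits assume the Active Directory default Kerberos policy (10-hour ticket lifetime, 7-day renewal), and ticket renewals are not modelled.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"
# Assumption: the domain uses the Active Directory default Kerberos policy.
MAX_LIFETIME = timedelta(hours=10)  # maximum lifetime for user ticket
MAX_RENEWAL = timedelta(days=7)     # maximum lifetime for user ticket renewal
SKEW = timedelta(minutes=5)         # tolerance when matching against DC logs

# Constructed sample: cached TGTs as (host, client, start, end, renew_until).
TICKETS = [
    ("WS01", "alice", "2024-05-01 08:00:00", "2024-05-01 18:00:00", "2024-05-08 08:00:00"),
    ("WS07", "helpdesk9", "2024-05-01 09:30:00", "2034-04-29 09:30:00", "2034-04-29 09:30:00"),
    ("WS09", "bob", "2024-05-01 11:00:00", "2024-05-01 21:00:00", "2024-05-08 11:00:00"),
]
# Constructed sample: directory accounts and TGT issuances logged by the
# domain controllers (Windows event 4768), as (account, time).
KNOWN_ACCOUNTS = {"alice", "bob"}
ISSUED = [("alice", "2024-05-01 08:00:02"), ("bob", "2024-05-01 07:45:10")]


def ts(text):
    return datetime.strptime(text, FMT)


def check_tgt(ticket, known_accounts, issued):
    """Return the reasons a cached TGT cannot have come from a DC under policy."""
    _host, client, start, end, renew_until = ticket
    start, end, renew_until = ts(start), ts(end), ts(renew_until)
    name = client.lower()
    reasons = []
    if end - start > MAX_LIFETIME:
        reasons.append("lifetime exceeds policy")
    if renew_until - start > MAX_RENEWAL:
        reasons.append("renewal window exceeds policy")
    if name not in known_accounts:
        reasons.append("principal not in directory")
    # A forged TGT is minted offline, so no DC ever logged issuing it.
    if not any(a == name and abs(ts(t) - start) <= SKEW for a, t in issued):
        reasons.append("no matching DC issuance")
    return reasons


def hunt(tickets=TICKETS, known=KNOWN_ACCOUNTS, issued=ISSUED):
    """Map each host holding a suspicious TGT to the reasons it was flagged."""
    return {t[0]: r for t in tickets if (r := check_tgt(t, known, issued))}


if __name__ == "__main__":
    for host, reasons in hunt().items():
        print(host, "->", "; ".join(reasons))
```

The WS09 ticket has a policy-compliant lifetime and is flagged only by the issuance check, which is why lifetime thresholds alone are not enough.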
● Frequently asked questions
What is Golden Ticket?
A forged Kerberos Ticket-Granting Ticket signed with the krbtgt account hash that lets attackers impersonate any principal in a domain. It belongs to the Attacks & Threats category of cybersecurity.
How do you defend against Golden Ticket?
Defences for Golden Ticket typically combine technical controls and operational practices, as detailed in the full definition above.
● Related terms
- identity-access № 584
Kerberos
A ticket-based network authentication protocol that uses symmetric cryptography and a trusted Key Distribution Center to enable secure single sign-on across services.
- defense-ops № 682
Mimikatz
An open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
- identity-access № 013
Active Directory
Microsoft's enterprise directory service for Windows networks, providing centralized authentication, authorization, and policy management for users, computers, and resources.
- attacks № 1045
Silver Ticket
A forged Kerberos service ticket (TGS) created with the password hash of a target service account, granting silent access to that one service.
- attacks № 791
Pass-the-Ticket
An Active Directory attack that reuses a stolen Kerberos ticket to impersonate a user or service without ever knowing the underlying password.
- defense-ops № 817
Persistence
The MITRE ATT&CK tactic (TA0003) covering techniques that let an attacker maintain access to a system across reboots, credential changes, and incident response.
● See also
- № 107 BloodHound