Red Monday: The Golden Ticket Playbook

TTP of the Week - Golden Ticket Attack

Category: Credential Access -> Privilege Escalation -> Domain Persistence

MITRE ATT&CK ID: T1558.001 - Golden Ticket

What It Is

Kerberos uses Ticket Granting Tickets (TGTs) to authenticate users without re-prompting for credentials.

The KRBTGT account, a hidden domain account, holds the key that signs those tickets. If an attacker steals the KRBTGT NTLM hash, they can forge TGTs for any user, with any privileges, valid for any duration.

How It Works

  • Gain Domain Controller Access: Pass-the-Hash to DA account, NTLMv2 relay, exploiting DC services.

  • Steal KRBTGT Hash:

  • Forge TGT:

  • Inject Ticket: Load into current session:

  • Operate with DA Access: Access file shares, DCs, Exchange, backup servers undetected.

OPSEC Considerations

  • Avoid overuse; defenders may see anomalies in ticket lifetime or source.

  • Change the KRBTGT password twice to fully invalidate forged tickets.
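Detection logic for the two anomalies the OPSEC bullets above point at, as an added example that is not from the newsletter: it runs over a few constructed 4768/4769 records and flags a service-ticket request with no KDC-issued TGT inside the default 10-hour lifetime, plus DA use from a host outside an allow-list. The privileged-account list, the admin host allow-list and the pipe-separated export format are assumptions.

```python
from datetime import datetime, timedelta

# Default domain policy caps a TGT at 10 hours. A DC logs 4768 when it issues a TGT
# and 4769 when a service ticket is requested; a TGT renewal is a 4769 for the
# "krbtgt" service. A forged TGT was never issued by the KDC, so a 4769 with no
# 4768 or renewal for the same account and source inside that window is the signal.
# Assumes the 4768/4769 streams of every DC are merged before this runs.
MAX_TGT_LIFETIME = timedelta(hours=10)
PRIVILEGED = {"administrator"}   # assumed: DA accounts whose use is always reviewed
ADMIN_HOSTS = {"10.0.0.50"}      # assumed: jump hosts allowed to use those accounts

# Constructed export, one event per line: time|EventID|TargetUserName|IpAddress|ServiceName
SAMPLE_LOG = """\
2024-03-04T07:00:00|4768|bob|10.0.0.22|krbtgt/CORP.LOCAL
2024-03-04T08:00:00|4768|alice|10.0.0.21|krbtgt/CORP.LOCAL
2024-03-04T08:05:00|4769|alice|10.0.0.21|cifs/FS01.corp.local
2024-03-04T09:00:00|4768|Administrator|10.0.0.50|krbtgt/CORP.LOCAL
2024-03-04T09:02:00|4769|Administrator|10.0.0.50|ldap/DC01.corp.local
2024-03-04T16:30:00|4769|bob|10.0.0.22|krbtgt/CORP.LOCAL
2024-03-04T18:00:00|4769|bob|10.0.0.22|cifs/FS01.corp.local
2024-03-04T19:30:00|4769|alice|10.0.0.21|cifs/FS01.corp.local
2024-03-05T02:00:00|4769|Administrator|10.0.0.77|cifs/DC01.corp.local
"""

def parse(line):
    ts, eid, user, ip, svc = line.split("|")
    return {"time": datetime.fromisoformat(ts), "id": int(eid),
            "user": user.lower(), "ip": ip, "svc": svc}

def detect(log_text):
    # Returns (rule, user, source_ip, time) tuples in event order.
    events = sorted((parse(l) for l in log_text.splitlines() if l), key=lambda e: e["time"])
    last_tgt = {}    # (user, ip) -> when the KDC last issued or renewed a TGT for that pair
    findings = []
    for e in events:
        key = (e["user"], e["ip"])
        if e["id"] == 4768:
            last_tgt[key] = e["time"]
            continue
        if e["id"] != 4769:
            continue
        issued = last_tgt.get(key)
        stamp = e["time"].isoformat()
        if issued is None or e["time"] - issued > MAX_TGT_LIFETIME:
            findings.append(("tgs_without_valid_tgt", e["user"], e["ip"], stamp))
        elif e["svc"].lower().startswith("krbtgt"):
            last_tgt[key] = e["time"]   # legitimate renewal extends the window
        if e["user"] in PRIVILEGED and e["ip"] not in ADMIN_HOSTS:
            findings.append(("privileged_from_unexpected_host", e["user"], e["ip"], stamp))
    return findings
```

In the sample, bob's 16:30 renewal keeps his 18:00 request clean, while alice's 19:30 request and the Administrator request from 10.0.0.77 are flagged.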

Kill Chain of the Week: "Phish to DA in 5 steps"

Reconnaissance (TA0043)

  • Passive OSINT: Gather employee emails, job roles, and tech stack via LinkedIn, Crunchbase, GitHub commits.

  • Infrastructure Discovery: Identify login portals (VPN, OWA, Citrix) using tools like crt.sh, Shodan.

Initial Access (TA0001)

  • Craft spear-phish email with corporate branding.

  • Attach malicious Word document containing an obfuscated VBA macro that executes PowerShell and downloads a stager from a redirector domain to avoid direct C2 fingerprinting.

Execution (TA0002) & Persistence (TA0003)

  • Stager injects Cobalt Strike beacon into explorer.exe (process injection).

  • Creates hidden scheduled task (AdobeUpdater) to run daily and re-establish connection.

Privilege Escalation (TA0004) & Lateral Movement (TA0008)

  • Deploy SharpHound to enumerate AD relationships.

  • Identify service account with unconstrained delegation.

  • Kerberoast service ticket, crack hash offline, use creds to access more sensitive systems.

Credential Access (TA0006) & Domain Dominance

  • Use mimikatz for DCSync to pull KRBTGT hash.

  • Forge Golden Ticket for Administrator with 10-year validity.

  • Gain persistent DA access across the forest.

Case Study: 2015 U.S. Office of Personnel Management Breach

Timeline of Events:

March 2014: Initial Detection

  • DHS's U.S. Computer Emergency Response Team alerts OPM's CIRT that a third party detected data exfiltration from OPM's network.

  • OPM tracks the intruder's movements to better understand their methods.

  • During monitoring, the adversary steals IT manuals and key user documentation, effectively mapping the entire environment for future exploitation.

May 2014: Second Intruder & Credential Abuse

  • While OPM focuses on the first hackers, a second actor gains access via a contractor's valid credentials.

  • This intruder installs malware and creates a network backdoor, enabling persistent, stealthy access.

  • This separation of intrusions shows advanced operational security by the threat actors.

July 2014 - March 2015: Data Exfiltration at Scale

  • Security clearance background files, personnel records, and fingerprint data are stolen.

  • The adversary maintains persistence for nine months, evading detection.

  • Likely leveraged elevated authentication artifacts (such as forged Kerberos tickets) to move laterally and blend with legitimate traffic.

April 2015: Full Compromise Realization

  • OPM becomes aware of the depth of the breach.

  • At this stage, both the initial and secondary intrusions had already facilitated the theft of millions of sensitive records.

  • The scale and persistence mirror Golden Ticket TTPs: once the KRBTGT key is obtained, removing the adversary becomes exponentially harder.

Actors: Believed to be state-sponsored (likely APT10, APT3 overlap).

Initial Access: Likely via spear-phishing and credential theft.

Domain Compromise: Attackers escalated to Domain Admin within weeks.

Golden Ticket Use:

  • Dumped KRBTGT account hash from a compromised Domain Controller using DCSync.

  • Forged tickets with long expiration times (sometimes lasting 1 year) to avoid re-forging and reduce operational noise.

Persistence Impact: Even after partial remediation, attackers could re-enter the network without re-exploitation because KRBTGT wasn't rotated twice.
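Why a single KRBTGT reset leaves that door open, as an added simulation that is not from the newsletter or the OPM record: a simplified KDC that honours the current and the previous KRBTGT key, with an HMAC standing in for the real ticket encryption, and the default 10-hour TGT lifetime assumed as the minimum spacing between the two resets.

```python
import hashlib, hmac, secrets
from datetime import datetime, timedelta

# Default domain policy; used here as the minimum gap between the two resets so that
# legitimate TGTs issued under the older key have expired before that key is dropped.
MAX_TGT_LIFETIME = timedelta(hours=10)

def seal(key, principal):
    # Stand-in for the real encryption of the TGT under the KRBTGT key.
    return hmac.new(key, principal.encode(), hashlib.sha256).digest()

def issue_tgt(key, principal):
    return (principal, seal(key, principal))

class Kdc:
    """Model of a DC: it accepts TGTs under the current *and* the previous KRBTGT key,
    which is exactly why one reset does not evict an attacker who holds the old key."""
    def __init__(self):
        self.keys = [secrets.token_bytes(32)]   # keys[0] = current, keys[1] = previous
        self.resets = []

    def reset_krbtgt(self, when):
        self.keys = [secrets.token_bytes(32)] + self.keys[:1]
        self.resets.append(when)

    def accepts(self, tgt):
        principal, tag = tgt
        return any(hmac.compare_digest(tag, seal(k, principal)) for k in self.keys)

def remediation_check(kdc, tgt_from_stolen_key):
    spaced = len(kdc.resets) >= 2 and kdc.resets[-1] - kdc.resets[-2] >= MAX_TGT_LIFETIME
    return {"rotation_complete": spaced,
            "old_key_tickets_accepted": kdc.accepts(tgt_from_stolen_key)}

def simulate(gap_hours):
    """State before any reset, after the first, and after a second reset gap_hours later."""
    kdc = Kdc()
    stolen = kdc.keys[0]                              # the key a DCSync would have exposed
    tgt = issue_tgt(stolen, "Administrator")          # ticket minted with that key
    t0 = datetime(2024, 3, 4, 9, 0)                   # constructed reset time
    states = [remediation_check(kdc, tgt)]
    kdc.reset_krbtgt(t0)
    states.append(remediation_check(kdc, tgt))        # first reset alone: still accepted
    kdc.reset_krbtgt(t0 + timedelta(hours=gap_hours))
    states.append(remediation_check(kdc, tgt))        # second reset: old key is gone
    return states
```

With a 1-hour gap the old-key ticket is also dead, but the check reports the rotation as incomplete because the second reset came before legitimate tickets under the first key could expire.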

Detection Failures:

  • No alerting on anomalous ticket lifetimes.

  • No strict monitoring of privileged account use.

Result: Over 21 million records stolen, including sensitive SF-86 background check forms.

Takeaway for Operators: Golden Ticket gives you god-mode, but the real tradecraft is blending in: ticket lifetime manipulation, using non-admin accounts, and careful pivoting are key to staying undetected.

Practical Lab

Level 1: Guided Intro (TryHackMe)

  • Focus: Understand AD structure, privilege escalation, and ticket basics.

  • Golden Ticket Segment: Simulates extracting KRBTGT and forging ticket with Mimikatz.

  • Outcome: Learn the prerequisites for Golden Ticket (Domain Admin or DCSync rights).

Level 2: Realistic Engagement (HackTheBox)

  • Machines: Forest & Active

  • Outcome: Experience a multi-stage AD compromise with Golden Ticket persistence in a semi-blind environment.

Level 3: Controlled Training (PentesterLab)

  • Module: Active Directory & Kerberos Attacks (Custom Pro Lab).

  • Focus: Kerberos ticket structures, service ticket abuse, and TGT forging.

  • Outcome: Understand Kerberos internals deeply, allowing you to craft tickets manually with tools like Rubeus instead of relying on Mimikatz defaults.

Level 4: Web-to-AD Hybrid (PortSwigger Custom Labs)

  • Setup: Create a hybrid lab where a vulnerable internal web app leads to AD compromise.

  • Flow: SQL injection -> webshell -> credential theft -> lateral movement -> DC compromise -> Golden Ticket.

  • Outcome: Learn how non-AD exploits can become AD persistence points via KRBTGT.

Level 5: Custom Lab (Full Simulation)

  • Domain Controllers (Primary and Backup) x2

  • Member Servers x2

  • Workstation x2

  • Attack Host (Kali or Windows C2) x1

Closing Words

The Golden Ticket isn't just a persistence trick, it's a declaration of dominance over an entire Active Directory forest. In the hands of an operator, it turns a foothold into a permanent backdoor; in the hands of a threat actor, it's a nightmare that can outlast patch cycles, password resets, and incident response playbooks.

Mastering this TTP means understanding every stage: from obtaining Domain Admin rights without burning your access, to extracting the KRBTGT hash without tipping off detection, to forging tickets that blend into the noise of legitimate traffic.
