Threats
T1558.001Golden Ticket Attack
How attackers forge Kerberos TGTs using the KRBTGT hash to impersonate any user in Active Directory — and how analysts can detect it.
View on Graph
What It Is
- A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) created using the NTLM hash of the
KRBTGTaccount — the root of trust for all Kerberos authentication in an Active Directory domain. - The technique maps to MITRE ATT&CK
T1558.001(Steal or Forge Kerberos Tickets) for Credential Access andT1098(Account Manipulation) for Persistence. - The name comes from Charlie and the Chocolate Factory — except here the prize is unrestricted access to every system in the domain.
How Golden Tickets Work — The Mechanics
Step 1: Steal the KRBTGT Hash
The attacker needs the NTLM hash of the KRBTGT account. To get it, they must compromise a Domain Controller or extract it from a backup.
How attackers get the KRBTGT hash:
| Method | Tool | Prerequisites |
|---|---|---|
| DCSync (most common) | Mimikatz lsadump::dcsync /user:krbtgt | Domain Admin or equivalent privileges (Control Access Right: DS-Replication-Get-Changes) |
| NTDS.dit extraction | ntdsutil, DiskShadow, vssadmin | Local Admin on the Domain Controller |
| LSASS dump | Mimikatz sekurlsa::krbtgt | SYSTEM privileges on the Domain Controller |
| Backup access | Any tool that can read the backup | Access to the system state backup or VHD file of the DC |
Step 2: Forge the TGT
Using the KRBTGT hash, the attacker can create a TGT that Kerberos will trust implicitly. The forged TGT includes:
| Field | What the Attacker Controls | Typical Abuse |
|---|---|---|
| User ID (RID) | Any value | 500 (built-in Administrator) or 519 (Enterprise Admin) |
| Group SIDs | Any group membership | Add “Domain Admins” and “Enterprise Admins” SIDs |
| Account name | Any name | Administrator, krbtgt, or a legitimate-looking name |
| Domain | Any domain in the forest | corp.local, or the forest root domain |
| Lifetime | Up to 10 years | 10 years — persistent access without re-authentication |
| Ticket encryption key | Attacker chooses | Same as stolen KRBTGT key |
Step 3: Authenticate with the Forged Ticket
The attacker uses Mimikatz’s kerberos::golden command to create the ticket, then kerberos::ptt (Pass the Ticket) to inject it into their current session:
mimikatz# kerberos::golden /domain:corp.local /sid:S-1-5-21-xxxx /rc4:KRBTGT_HASH /user:Administrator /id:500 /groups:512,513,518,519,520 /pttFrom this point, the attacker can access any resource in the domain as a Domain Admin — without any further authentication. No Event IDs are generated on the target servers because Kerberos validates the TGT against the DC… and the DC trusts the forged ticket.
Detection — No Silver Bullet, But These Signals Help
Golden Ticket attacks are hard to detect because the forged TGT looks valid to Kerberos. But there are specific anomalies that signal a forged ticket is in use.
Detection 1 — Unusual Ticket Lifetime (Event ID 4768)
The most reliable detection signal. Legitimate TGTs have a lifetime of 10 hours (default Windows Kerberos policy). A forged TGT can last up to 10 years.
What to look for: Event ID 4768 (Kerberos Authentication Service — TGT Request) with a TicketOptions field indicating a lifetime longer than 10 hours.
SPL query — detect anomalous TGT lifetime:
index=windows sourcetype="WinEventLog:Security" EventCode=4768
| rex field=Message "Ticket Lifetime: (?<lifetime_hours>\d+)h"
| where lifetime_hours > 10 AND lifetime_hours < 87600 (max ~10 years)
| stats values(TargetUserName) as RequestedUser, values(TicketOptions) as Options, values(lifetime_hours) as Lifetime by ClientAddress, AccountName
| eval alert = "CRITICAL — abnormal TGT lifetime of " . Lifetime . "h from " . ClientAddress . " (normal: 10h)"
| table _time, ClientAddress, AccountName, RequestedUser, Lifetime, alertNote: Event 4768 is high-volume. Filter by lifetime > 10 hours to reduce noise. Some admin tools may request tickets with slightly different lifetimes — baseline your environment first.
Detection 2 — Impossible Authentication Source
A Golden Ticket does not require the attacker to authenticate to the DC. The ticket is forged offline and injected directly into the Kerberos session. This means:
- Event 4624 (successful logon) on the target server will show the forged user identity
- But there will be no corresponding authentication event (4768) from the attacker’s workstation
- The attacker appears to be “authenticated” without any authentication record
What to look for: A successful logon (4624) for a privileged user (Domain Admin) from a workstation IP that does not have a corresponding TGT request (4768) for that user in the same time window. The user logged in without ever asking for a ticket.
SPL query — detect logon without corresponding TGT request:
index=windows sourcetype="WinEventLog:Security" EventCode=4624
| search TargetUserName="Administrator" OR TargetUserName="krbtgt" OR TargetUserSid="-500" OR TargetUserSid="-519"
| eval time_window = bin(_time, 60)
| join type=left time_window, TargetUserName [search index=windows sourcetype="WinEventLog:Security" EventCode=4768 | eval time_window = bin(_time, 60) | stats values(TargetUserName) as AuthUsers by time_window, TargetUserName]
| where isnull(AuthUsers)
| eval alert = "CRITICAL — possible Golden Ticket: " . TargetUserName . " logged on from " . WorkstationName . " without TGT request"
| table _time, TargetUserName, WorkstationName, IpAddress, alertDetection 3 — Same KRBTGT Hash, Multiple Domains
In multi-domain forests, the KRBTGT account has a different hash per domain. But some attackers forge tickets across domains using a single KRBTGT hash.
What to look for: Event 4768 for a user in Domain A authenticating to a resource in Domain B, where the KRBTGT hash used in the authentication matches Domain A’s hash but the resource is in Domain B. This is technically normal (cross-domain trust), but if the authentication path is unusual, investigate.
Detection 4 — Anomalous TGS Requests (Event ID 4769)
After the forged TGT is used, the attacker requests TGS tickets for resources. If the forged user suddenly starts accessing resources they have never accessed before, this is anomalous.
What to look for: A user with Domain Admin privileges requesting TGS tickets for dozens of servers they have never accessed in their normal work pattern.
Detection 5 — Privileged User Not Tracked in Jump Box Audit
A Golden Ticket user does not need to log into a jump box or bastion host. If you see privileged access from a workstation that should not have direct admin access to the target, correlate with jump box logs.
Response to Golden Ticket — The Only Fix
A Golden Ticket can only be invalidated by resetting the KRBTGT password twice. This is the only remediation that works:
- Reset KRBTGT password once — this invalidates existing TGTs that were signed with the old hash. However, because of Kerberos replication delays and ticket renewal windows, a single reset may not fully purge the environment.
- Wait for replication — allow 10-24 hours for the new hash to replicate to all Domain Controllers.
- Reset KRBTGT password a second time — ensures all tickets signed with either the original or the first-reset hash are invalidated.
How to perform the KRBTGT reset:
# Reset KRBTGT password (run on a Domain Controller)
Reset-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassword1" -Force)
# Force replication to all DCs
repadmin /syncall /AdeP
# After 10-24 hours, reset again
Reset-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewPassword2" -Force)Before resetting, verify:
- Are any services using the KRBTGT hash for Kerberos trust relationships? Some trusts rely on the KRBTGT hash. Test trust functionality after the first reset.
- Are all Domain Controllers healthy and replicating? A broken DC will not pick up the new password, leaving old tickets valid on that DC.
- Do you have a rollback plan? Maintain a backup of the current KRBTGT hash (stored securely) in case the reset causes authentication failures.
Prevention
| Control | What It Stops | Limitation |
|---|---|---|
| Protect Domain Controllers | Prevents KRBTGT hash theft | The primary control — if the DC is secure, the hash stays secure |
| Credential Guard | Prevents LSASS dump of KRBTGT | Only on Windows 10/11 Enterprise. Does not prevent DCSync. |
| RDP restriction to jump boxes | Limits access to DC from non-admin workstations | Requires network segmentation |
| Protected Users group | Deny NTLM, constrain Kerberos to AES only | Reduces Kerberos attack surface but does not prevent hash theft from DC |
| Monitor 4768 lifetime anomalies | Detects forged tickets in use | Misses tickets with normal lifetimes (attacker sets ticket lifetime to match user’s environment baseline) |
| KRBTGT password rotation | Limits window of exploitation | Microsoft recommends password rotation only during recovery — regular rotation is not standard practice |
Related
- Kerberoasting — detection and response for T1558.003 techniques
- Pass-the-Hash — detection and response for T1550.002 techniques
- Active Directory Basics — covers the active directory basics concepts
- Credential Theft Incident Response — detection and response for T1558.001, T1003.001, T1134 techniques
- Mimikatz — detection and response for T1003 techniques