
Golden Ticket


Golden Ticket Definition:

A Golden Ticket attack is an attack against Windows Active Directory (AD) in which an attacker who has obtained the password hash of the domain's KRBTGT account forges Kerberos Ticket Granting Tickets (TGTs). Because every domain controller trusts any TGT encrypted with the KRBTGT key, a forged ticket lets the attacker impersonate any user in the domain, including highly privileged accounts such as domain administrators, and keep that access for as long as the KRBTGT key stays the same.

What is Golden Ticket?

The Golden Ticket attack abuses the Kerberos authentication protocol used in Windows domains. Every TGT issued by the Key Distribution Center (KDC) is encrypted and signed with the key of the KRBTGT account, the service account that represents the KDC itself. An attacker who obtains the KRBTGT hash can therefore mint TGTs locally, choosing the user name, group memberships and ticket lifetime at will. The attacker sets the lifetime (Mimikatz defaults to ten years), so the forged ticket can far exceed the domain's ticket policy and remains accepted until the KRBTGT key is changed, bypassing the normal authentication and access controls.

Why is Golden Ticket important?

The purpose of a Golden Ticket attack is persistent, unrestricted access to an organisation's entire domain. It is typically used late in an intrusion, often by Advanced Persistent Threats (APTs), to escalate privileges, move laterally through the network and exfiltrate sensitive data over an extended period. Because a single stolen hash grants durable domain-wide control, it is one of the most damaging post-compromise techniques against AD.

How does Golden Ticket work?

A Golden Ticket attack begins with the attacker gaining domain administrator or equivalent privileges, which allow them to read the KRBTGT hash, for example by requesting it through directory replication (DCSync) or by extracting it from a copy of NTDS.dit taken from a domain controller. Using tools such as Mimikatz, the attacker then forges TGTs for any account and injects them into a logon session; domain controllers accept the tickets because they verify only the KRBTGT encryption. Because the forged tickets depend on the KRBTGT key rather than on any user's password, they remain valid even after regular users change their passwords. Domain controllers patched since late 2014 (MS14-068) re-validate the account behind a TGT older than 20 minutes, so a ticket forged for a non-existent account works only briefly, whereas one forged for a real account remains usable. Mitigation requires resetting the KRBTGT account password twice, allowing replication to complete between the two resets, because the KDC accepts tickets encrypted with either the current or the previous KRBTGT key; the double reset invalidates every outstanding TGT, legitimate or forged. This must be combined with strict control of privileged access and monitoring for suspicious Kerberos ticket activity.

Golden Ticket Examples:

Examples of Golden Ticket attacks include advanced threat actors compromising an enterprise network and using forged tickets to escalate privileges, maintain persistence and exfiltrate sensitive data over a long period. The technique has been documented in real-world breaches involving sophisticated adversaries and nation-state actors.

Golden Ticket Issues:

Golden Ticket attacks are hard to detect because they exploit the core authentication mechanism of Active Directory: a forged TGT is, cryptographically, indistinguishable from a genuine one. Detection therefore relies on the side effects of forgery in domain controller security logs. Typical indicators are a service ticket request (Event ID 4769) for which no domain controller ever logged a TGT request (Event ID 4768), tickets encrypted with RC4-HMAC (encryption type 0x17) in a domain whose accounts use AES, requests for account names that do not exist in the directory, and ticket lifetimes (visible with klist on the endpoint) that exceed the domain's Kerberos policy. Effective mitigation combines strict control of administrative access, regular auditing of privileged accounts, monitoring for these anomalies in Kerberos ticketing behaviour, and a prompt double rotation of the KRBTGT password whenever a compromise is suspected.
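The monitoring step described above and in the "How does Golden Ticket work?" section can be turned into a simple offline check over domain controller events. The following script is an added example, not code from the original page or from any vendor tool. It takes 4768 (TGT requested) and 4769 (TGS requested) events that have already been exported from the Security log, correlates them per account and source address, and reports three Golden Ticket indicators: a service ticket request with no recent TGT request from the same account and source, a ticket encrypted with RC4-HMAC in a domain assumed to be AES-only, and an account name that does not exist in the directory. The account list and the sample events are constructed for the example; field names follow the 4768/4769 event schema, but the values are invented.

```python
"""Golden Ticket indicators over constructed 4768/4769 domain controller events.

Added example. The events below are constructed, not captured from a real
domain, and KNOWN_ACCOUNTS stands in for a query against Active Directory.
"""
from datetime import datetime, timedelta

# Hypothetical set of accounts that exist in the directory (constructed).
KNOWN_ACCOUNTS = {"alice", "bob", "svc-backup", "administrator"}

RC4_HMAC = "0x17"                    # TicketEncryptionType value for RC4-HMAC
TGT_LOOKBACK = timedelta(hours=10)   # default maximum TGT lifetime in AD

# Constructed sample events. 4768 logs the account as "user"; 4769 logs it as
# "user@REALM", which is why _account() normalises both forms.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-03-01T08:00:00", "TargetUserName": "alice",
     "TargetDomainName": "CORP.EXAMPLE", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
    {"id": 4769, "time": "2024-03-01T08:00:05",
     "TargetUserName": "alice@CORP.EXAMPLE",
     "TargetDomainName": "CORP.EXAMPLE", "ServiceName": "FILESRV01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
    # Forged TGT in use: the DC never issued a TGT (no 4768), the ticket is
    # RC4 although the domain uses AES, and the account is not in AD.
    {"id": 4769, "time": "2024-03-01T08:01:00",
     "TargetUserName": "ghostadmin@CORP.EXAMPLE",
     "TargetDomainName": "CORP.EXAMPLE", "ServiceName": "DC01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77"},
]


def _account(name: str) -> str:
    """Normalise 'user@REALM' (4769) and 'user' (4768) to a lowercase 'user'."""
    return name.split("@", 1)[0].lower()


def find_golden_ticket_indicators(events, known_accounts,
                                  lookback=TGT_LOOKBACK, domain_is_aes_only=True):
    """Return a list of (account, source_ip, indicator) tuples.

    The events must come from every domain controller: a TGT may be issued by
    one DC and the service ticket requested from another, and a TGT is cached
    for up to `lookback`, so a missing 4768 is only meaningful within that window.
    """
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    last_tgt = {}      # (account, source_ip) -> time of the most recent 4768
    findings = []
    for event in ordered:
        acct = _account(event["TargetUserName"])
        src = event["IpAddress"]
        when = datetime.fromisoformat(event["time"])
        if event["id"] == 4768:
            last_tgt[(acct, src)] = when
            continue
        if event["id"] != 4769:
            continue
        # A forged TGT often names an account the directory has never seen.
        if acct not in known_accounts:
            findings.append((acct, src, "account_not_in_directory"))
        # Forged tickets are frequently RC4; in an AES-only domain that stands out.
        if domain_is_aes_only and event["TicketEncryptionType"].lower() == RC4_HMAC:
            findings.append((acct, src, "rc4_ticket_in_aes_domain"))
        # The DC is asked for a service ticket but never handed out the TGT.
        issued = last_tgt.get((acct, src))
        if issued is None or when - issued > lookback:
            findings.append((acct, src, "tgs_without_recent_tgt"))
    return findings


if __name__ == "__main__":
    for account, source, indicator in find_golden_ticket_indicators(
            SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{indicator:28} account={account} source={source}")
```

The check is a heuristic, not proof: a TGS request with no matching 4768 is also produced when a ticket was obtained from another domain controller whose logs are missing, and RC4 is only anomalous once every account and trust in the domain has been moved to AES. Treat a hit on two or more indicators for the same account and source as worth an immediate investigation, and a hit on a single indicator as something to correlate with endpoint evidence such as klist output showing a ticket lifetime beyond domain policy.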
