Attacks and exploitsIdentity and accessAdvanced28 min read

What Is Golden ticket? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

A golden ticket is a fake security pass that an attacker creates after stealing the master password of a Windows domain. With this ticket, the attacker can pretend to be any user, including the most powerful admin, and access anything in the network. It bypasses normal login checks and is extremely hard to detect without special monitoring.

Common Commands & Configuration

mimikatz # kerberos::golden /domain:contoso.com /sid:S-1-5-21-3623811015-3361044348-30300820 /krbtgt:deadbeefdeadbeefdeadbeefdeadbeef /user:Administrator /id:500 /groups:500,501,513,512,520,518,519 /ptt

Generates a forged Golden Ticket for the domain contoso.com using the krbtgt NTLM hash, setting the user to Administrator (RID 500) with Domain Admins group membership, and injects it into the current session (ptt = pass-the-ticket).

Tests understanding of the golden ticket command syntax, including the /sid (domain SID), /krbtgt (hash), /id (user RID), and /groups flags. Mimikatz is the most common tool used in exam scenarios for Golden Ticket attacks.

Rubeus.exe golden /rc4:deadbeefdeadbeefdeadbeefdeadbeef /user:Administrator /id:500 /domain:contoso.com /sid:S-1-5-21-3623811015-3361044348-30300820 /ptt

Uses Rubeus to craft a Golden Ticket with the same parameters as Mimikatz, but specifically for .NET environments. The /rc4 flag specifies the NTLM hash of the krbtgt account.

Rubeus is a modern alternative to Mimikatz that often appears in exam questions about .NET-based attack tools. The /rc4 parameter denotes the NTLM hash (RC4-HMAC encryption).

Get-ADUser krbtgt -Properties * | fl Name, SID, PasswordLastSet, NTHash

Retrieves the krbtgt account details from Active Directory using PowerShell, including its SID and password last set time. The NTHash is not usually returned; this command is used to verify the account exists and check when the password was last changed.

Exams test that the krbtgt account's password hash must be extracted via domain admin access (e.g., using Mimikatz lsadump::dcsync), not directly via Get-ADUser. This command shows the account metadata but not the hash.

klist purge

Purges the current user's Kerberos ticket cache on a Windows machine. After a Golden Ticket is injected, this command removes all tickets, potentially clearing the forged ticket if it was injected into the session.

Used to demonstrate ticket management. In exams, it may be used to force re-authentication after a password change, but it will not remove a Golden Ticket that was persisted in memory via /ptt.

nltest /DSGETDC:contoso.com

Lists the domain controllers for the specified domain. This command helps an attacker identify which machines to target for extracting the krbtgt hash or which DC to query for service tickets.

Often part of enumeration phase before a Golden Ticket attack. Exams test that attackers need to know the domain SID and DC IP before generating the ticket.

Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString "NewP@ssw0rd!" -AsPlainText -Force)

Resets the password for the krbtgt account. This is part of the mitigation process, but remember that a single reset may not invalidate all existing tickets. A second reset after 10-24 hours is required.

This command appears in mitigation-focused exam questions. The key point is that the krbtgt password must be changed twice to fully protect against Golden Tickets that were forged before the reset.

repadmin /replsum /bysrc /bydest /sort:delta

Checks replication status between domain controllers. After resetting the krbtgt password, this command ensures the password change has replicated to all domain controllers before performing the second reset.

Ensures replication completeness. Exams test that krbtgt password changes must be fully replicated domain-wide before the second reset to avoid availability issues.

Golden ticket appears directly in 12exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CompTIA CySA+. Practise them →

Must Know for Exams

The Golden Ticket attack is a high-priority topic for security-related certification exams such as CompTIA Security+, Certified Ethical Hacker (CEH), and CISSP. In CompTIA Security+, it appears under domain 2.0 (Architecture and Design) and domain 4.

0 (Operations and Incident Response), specifically in the context of credential attacks and privilege escalation. For CEH, golden ticket attacks are part of the post-exploitation and lateral movement modules. In CISSP, it is discussed in domain 3 (Security Architecture and Engineering) regarding authentication protocols, and domain 7 (Security Operations) for monitoring and detection.

Microsoft-specific exams, such as those for Azure Security Engineer (AZ-500) or Windows Server Hybrid Administrator (AZ-800), include golden ticket attacks as part of securing Active Directory. For these exams, the primary objective is to understand the attack flow: the attacker extracts the KRBTGT hash (usually via DCSync or domain admin compromise), forges a TGT with arbitrary user and group SIDs, and then uses that TGT to request service tickets for domain resources. Exam questions often test the mitigation steps, such as resetting the KRBTGT password twice, implementing tiered admin models, using Protected Users security group, and enabling Kerberos armoring.

Questions may also ask which tool is commonly used for golden ticket creation (Mimikatz) or which event ID to monitor (4768 and 4769). In scenario-based questions, you might be given logs showing a TGT request from a workstation for a domain admin account, which should indicate a golden ticket attack. The takeaway for exam takers is to memorize the attack components: KRBTGT hash, DCSync, Mimikatz, TGT forgery, and the dual password reset mitigation.

Do not confuse golden ticket with silver ticket, which only targets a specific service.

Simple Meaning

Imagine a large office building that uses a smart card system to let people enter. Each employee gets a badge from a central security desk, and that badge lets them into the areas they are allowed to be in. The security desk has a special master key that can create any badge for anyone.

Now imagine a thief breaks into the security desk, steals the master key, and uses it to print a new badge that says they are the CEO. That fake badge is a golden ticket. Inside the building, every door scanner trusts the badge and lets the thief into any room, including the server room, the CEO’s office, and the finance vault.

The real security system never questions the badge because it was made with the master key, which the system was designed to trust unconditionally. In a Windows network, the master key is the password hash of a special account called KRBTGT. When an attacker gets that hash, they can forge a Kerberos ticket granting ticket, which is the golden ticket.

With it, they can impersonate any user, including domain administrators, and access every computer, file, and service in the network. No one can tell the ticket is fake because it was cryptographically signed with the correct master key. The only way to stop this attack is to protect the KRBTGT password hash and to monitor for unusual ticket usage patterns.

Full Technical Definition

The Golden Ticket attack is a post-exploitation privilege escalation technique in Microsoft Active Directory environments. It exploits the Kerberos authentication protocol, specifically the trust relationship between the Key Distribution Center (KDC) and domain members. In Kerberos, authentication begins when a user requests a Ticket Granting Ticket (TGT) from the KDC’s Authentication Service (AS). The AS validates the user's password hash, then creates a TGT encrypted with the KRBTGT account’s password hash. The KRBTGT account is a special built-in domain account whose password hash is known only to the domain controllers. This hash is the key that all domain members use to decrypt and verify TGTs.

An attacker who has already gained domain admin rights or local admin on a domain controller can extract the KRBTGT password hash using tools like Mimikatz, DCSync, or ntdsutil. Once the hash is obtained, the attacker can forge a TGT for any user, including non-existent ones, with any group memberships, such as Domain Admins, Enterprise Admins, or Schema Admins. The forged TGT is created offline and does not require any interaction with the domain controller. The attacker sets the ticket’s validity period, which can be years, and specifies the user principal name and Security Identifiers (SIDs). The ticket is then injected into the attacker’s current logon session using Mimikatz, Rubeus, or other tools.

After the golden ticket is injected, the attacker can request service tickets (TGS) from the Ticket Granting Service (TGS) for any resource in the domain, such as file servers, databases, or domain controllers. The TGS trusts the forged TGT because it is encrypted with the KRBTGT hash and appears legitimate. The attacker can then access resources as the forged user, with all associated privileges. The attack works regardless of password changes made after the hash was stolen, because the KRBTGT password hash only changes when explicitly reset by an administrator. This gives the attacker persistent, undetectable access until the KRBTGT password is changed twice (due to historical replication requirements). Real IT implementations must consider that this attack bypasses all normal authentication logging because the domain controller itself creates the service tickets for the attacker, not the actual user. Detection requires advanced monitoring of event IDs 4768 and 4769 for abnormal patterns, such as a TGT requested for users with elevated privileges from non-domain-controller machines, or TGTs with unusually long lifetimes.

Real-Life Example

Think about a large hotel that uses a master key system. The hotel manager has a special key that can open every guest room, every storage closet, and every office. Each regular guest gets a key card that only opens their own room and the lobby.

Now suppose a dishonest maintenance worker manages to copy the manager’s master key. That worker now has a golden key. They can walk into any room, any time, without anyone questioning them.

The hotel’s locks are designed to work with that master key, so they click open every time. The worker can pose as a guest, steal items from rooms, access the hotel safe, or change room assignments. The hotel’s security cameras will show a person with a key opening doors, but it won’t show that the key was unauthorized.

The only way the hotel would know something is wrong is if they audit every door opening and notice unusual patterns, like the same key opening many rooms at odd hours. In the IT world, the hotel manager is the domain controller, the master key is the KRBTGT password hash, and the door locks are the Kerberos authentication system. The golden key is the forged TGT.

The attacker uses it to open any digital door in the network. The key point is that the system itself is designed to trust anything signed with that master key, so the attack is invisible to normal security checks. Prevention relies on protecting the master key fiercely and monitoring for suspicious access patterns.

Why This Term Matters

The Golden Ticket attack matters because it represents the ultimate compromise of a Windows domain. Once an attacker holds the KRBTGT password hash, they have the keys to the kingdom and can maintain access indefinitely, even if the domain admin passwords are changed. This is a fundamental failure in the Kerberos trust model.

For IT professionals, understanding this attack is critical because it demonstrates why the KRBTGT account must be treated as the most sensitive secret in the domain. It also shows the importance of tiered administration models, where domain controllers and identity infrastructure are isolated from lesser privileged systems. Real-world breaches have used golden ticket attacks to move laterally undetected for months, exfiltrating data and destroying backups before triggering ransomware.

For example, the NotPetya outbreak and several state-sponsored attacks used variations of this technique. From a defensive perspective, the attack forces organizations to implement privileged access workstations, regular KRBTGT password rotations, and advanced threat detection that monitors for anomalous Kerberos ticket requests. The attack also underscores the principle of least privilege because a single compromised domain admin account can lead to full domain takeover.

In short, this is not just an attack on a single machine; it is an attack on the entire identity fabric of the organization. Understanding it helps IT professionals design more resilient authentication systems and prioritize security investments where they matter most.

How It Appears in Exam Questions

In certification exams, questions about golden tickets appear in multiple formats: scenario-based, multiple choice, and hotspot/matching. A common scenario question describes a security analyst noticing unusual network traffic and event logs, and asks the candidate to identify the attack type. For example: An organization’s internal security team discovers that a domain admin account was used to access a file server from a workstation that is not part of the admin management subnet.

The account password was changed three months ago, but the access pattern continues. The logs show TGT requests for that account from the unknown workstation. The question asks what attack is being described.

The correct answer is a golden ticket attack because the attacker forged a TGT with the domain admin’s SID using the stolen KRBTGT hash, so password changes did not affect access. Another question format provides a list of tools and commands and asks which combination is used in a golden ticket attack. The correct choice includes Mimikatz (to extract the KRBTGT hash and forge the ticket) and DCSync (to retrieve the hash remotely).

Troubleshooting questions might present a situation where an administrator cannot access a resource after changing the domain admin password multiple times, and asks why the access persists. The answer is that the attacker used a golden ticket, which is not invalidated by password changes to user accounts, only by changing the KRBTGT password twice. Multiple-choice questions often include distractors like silver ticket, pass-the-hash, or DCSync attack.

The key is to recognize that golden ticket involves the KRBTGT account and domain-wide access, whereas silver ticket only affects a single service. Some questions ask for the correct mitigation order: (1) reset the KRBTGT password, (2) reset again after replication, (3) invalidate any remaining tickets. Finally, matching questions may ask to pair attack types with their definitions, where golden ticket matches with “forges a TGT using the KRBTGT hash.

Practise Golden ticket Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

A multinational company, Acme Corp, has a Windows Active Directory environment with 5,000 users. The IT team follows best practices, including strong passwords and multi-factor authentication for admins. However, an attacker manages to phish a helpdesk employee who has local admin on a file server.

That file server is not a domain controller, but the attacker uses a privilege escalation exploit to move laterally and eventually compromise a domain controller. Once on the domain controller, the attacker runs Mimikatz and extracts the KRBTGT password hash. The attacker then forges a golden ticket for a user named “backup_admin” that does not actually exist in the directory, but the ticket includes SIDs for Domain Admins and Enterprise Admins.

The attacker injects the ticket into their session on a compromised workstation. Now, the attacker uses the forged ticket to request service tickets for the company’s main file server, the HR database, and the domain controller itself. The domain controller’s TGS happily issues service tickets because it trusts the forged TGT.

The attacker begins exfiltrating sensitive customer data from the HR database, accesses payroll records, and then encrypts file shares with ransomware. The security team detects the ransomware but cannot trace the initial access because the logs show legitimate TGS requests from the domain controller to the file server, with no indication of a brute force or phishing attack. The team eventually discovers the golden ticket by noticing a TGT request for a non-existent user from a workstation.

The attack persists for weeks because the admin team changes domain admin passwords, but forgot about the KRBTGT account. Only after resetting the KRBTGT password twice and auditing all issued tickets does the organization fully recover. This scenario shows how a single compromise can lead to a golden ticket that bypasses all normal security controls.

Common Mistakes

Thinking that changing the domain admin password will invalidate a golden ticket.

A golden ticket is forged using the KRBTGT password hash, not the domain admin's password. The ticket contains arbitrary SIDs, so changing the domain admin's password does not affect the forged ticket. The attacker's access continues until the KRBTGT password is changed twice.

Always reset the KRBTGT password twice after a suspected domain compromise, not just user passwords.

Believing that golden ticket attacks require the attacker to be on the domain controller.

While extracting the KRBTGT hash often requires admin access on a domain controller or a DCSync attack, the actual forging and injection of the golden ticket can be done from any machine on the network. The attacker can use tools like Mimikatz offline to forge the ticket and then inject it on a compromised workstation.

Monitor for DCSync attempts and unusual TGT requests from non-domain-controller machines, regardless of where the hash extraction occurred.

Confusing golden ticket with silver ticket attacks.

A silver ticket forges a service ticket for a specific service (like a file server) using the hash of the service account, while a golden ticket forges a TGT using the KRBTGT hash, granting access to all services in the domain. Silver tickets are limited in scope; golden tickets grant domain-wide privileges.

Remember: KRBTGT hash = golden ticket (master key for everything). Service account hash = silver ticket (key to one service).

Assuming that event logs will clearly show a golden ticket attack.

Golden ticket attacks are designed to be stealthy. The forged TGT is encrypted with the legitimate KRBTGT hash, so the domain controller treats it as valid. The resulting service ticket requests (event 4769) appear normal. Anomaly detection is required, such as TGT requests from unusual machines or users outside normal hours.

Implement behavioral analysis and monitor for TGT requests from workstations for domain admin accounts, especially if the workstation is not a domain controller.

Exam Trap — Don't Get Fooled

{"trap":"In a question, the exam presents a scenario where an attacker has a password hash for a service account (like a file server account) and creates a forged ticket for that account. The candidate is asked to identify the attack. Many learners choose 'golden ticket' because they see the word 'ticket' and high-level access."

,"why_learners_choose_it":"Learners often associate any forged Kerberos ticket with a golden ticket, without understanding the distinction in scope. The term 'golden ticket' sounds like a master key, so they assume it applies to any forged ticket that grants elevated access.","how_to_avoid_it":"Always check the hash used to forge the ticket.

If the hash is from the KRBTGT account, it is a golden ticket. If the hash is from a service account (e.g., for a file server, SQL service, or web service), it is a silver ticket. Golden tickets grant domain-wide access; silver tickets only grant access to the specific service associated with the account hash."

Commonly Confused With

Golden ticketvsSilver ticket

A silver ticket forges a service ticket using the hash of a computer account or service account, granting access only to a specific service. A golden ticket forges a TGT using the KRBTGT hash, granting domain-wide access. Silver tickets do not require the KRBTGT hash and are limited in scope, whereas golden tickets allow impersonation of any user in the domain.

If an attacker steals the hash of a file server account, they can create a silver ticket to access that one file server. If they steal the KRBTGT hash, they create a golden ticket to access all servers, databases, and workstations.

Golden ticketvsPass-the-hash (PtH)

Pass-the-hash uses a user's NTLM password hash to authenticate to a remote machine via NTLM. It does not involve the Kerberos protocol or the KRBTGT account. A golden ticket is a Kerberos-based attack that forges a TGT. PtH is limited to the specific user whose hash was stolen, while a golden ticket can impersonate any user, including non-existent ones.

An attacker steals Alice's NTLM hash and uses it to access Alice's folder on a file server (PtH). With a golden ticket, the attacker can access the same file server as Alice, Bob, or even the domain administrator, all with one forged ticket.

Golden ticketvsDCSync attack

DCSync is a technique that uses directory replication APIs to remotely extract password hashes, including the KRBTGT hash, from a domain controller. It is often a step in performing a golden ticket attack, but DCSync itself is not the same as forging a ticket. DCSync is the extraction method; golden ticket is the exploitation of that extracted data.

An attacker uses DCSync to remotely copy the KRBTGT hash from the domain controller. Then, they use Mimikatz to forge a golden ticket with that hash. DCSync is the burglary of the master key; golden ticket is using that key to open all doors.

Step-by-Step Breakdown

1

Privilege escalation to domain admin or access to domain controller

The attacker first needs to obtain administrative access to a domain controller or have domain admin credentials. This is often achieved through phishing, credential dumping from a compromised server, or exploiting a vulnerability. Without this initial access, the attacker cannot extract the KRBTGT password hash.

2

Extract the KRBTGT password hash

Using tools like Mimikatz, DCSync, or ntdsutil, the attacker extracts the password hash for the KRBTGT account from the Active Directory database. This hash is the cryptographic secret used to encrypt all TGTs in the domain. It is stored in the domain controller's memory and the NTDS.dit file.

3

Forge a Golden Ticket offline

The attacker runs Mimikatz or Rubeus on any machine (not necessarily a domain controller) with the following parameters: the KRBTGT hash, the domain name, the domain SID, and the target user's SID (often Domain Admins). The tool creates a forged TGT that is encrypted with the KRBTGT hash, making it appear legitimate.

4

Inject the Golden Ticket into the current logon session

The attacker uses Mimikatz's 'kerberos::ptt' command to inject the forged TGT into the current Windows logon session. Once injected, the operating system treats the ticket as valid. The attacker now has a Kerberos identity with all the privileges of the forged user (e.g., Domain Admins).

5

Request service tickets for target resources

With the forged TGT in memory, the attacker requests TGSs from the domain controller's TGS for any service they want to access, such as CIFS (file shares), LDAP (directory queries), or HOST (remote management). The domain controller sees the valid TGT and issues service tickets without further authentication.

6

Access resources and maintain persistence

The attacker uses the obtained service tickets to access file servers, databases, email servers, and domain controllers. Because the golden ticket does not expire until the attacker sets it to, and because the KRBTGT password rarely changes, the attacker can maintain access for months or years, even if the compromised domain admin account password is reset.

Practical Mini-Lesson

The Golden Ticket attack teaches a critical lesson for IT professionals: the KRBTGT account is the single most sensitive credential in an Active Directory domain. In practice, protecting it requires a multi-layered approach. First, domain controllers must be treated as tier-zero assets, meaning only extremely limited and hardened administrative accounts should be able to log onto them. This reduces the attack surface for extracting the KRBTGT hash. Second, the DCSync attack must be mitigated by ensuring that only domain controllers and authorized administrators have the 'Replicating Directory Changes' rights. Review these rights regularly and remove any excessive permissions. Third, implement the Protected Users security group in Active Directory, which prevents credential caching and forces the use of stronger Kerberos encryption, making offline hash extraction harder.

From a monitoring perspective, professionals should configure Windows Event Log auditing for Kerberos TGT requests (event ID 4768) and TGS requests (event ID 4769). Look for anomalies such as: a TGT request from a workstation for a domain admin account, TGT requests for accounts that do not exist in Active Directory, or multiple TGT requests for the same account from different machines in a short time. SIEM tools can be tuned to alert on these patterns. Enable Kerberos armoring (flexible authentication with FAST) which uses a secure channel to protect TGT requests from tampering.

What can go wrong in practice? The most common mistake is that organizations reset the KRBTGT password only once after a compromise. Due to Active Directory replication, a password change creates a window where old tickets are still valid on some domain controllers. Microsoft recommends resetting the KRBTGT password twice: once to invalidate all existing tickets, then again after replication completes to ensure all copies are synchronized. Another mistake is using the same KRBTGT password across multiple domains in a forest. If one domain is compromised, the attacker can forge tickets for other domains using trust relationships. For this reason, the KRBTGT password should be unique per domain and should be rotated periodically (e.g., every 365 days) even without a known compromise.

the practical takeaway is that golden ticket defense is about prevention, detection, and response. Prevention involves least privilege and tiered models. Detection requires behavioral analytics. Response demands a structured process including dual KRBTGT password resets and ticket revocation.

How Golden Ticket Attacks Exploit Kerberos Authentication

A Golden Ticket attack is one of the most severe threats in a Windows Active Directory environment because it grants an attacker virtually unlimited access to domain resources. The attack exploits the Kerberos authentication protocol, which is the default authentication mechanism in Windows domains. In Kerberos, the Key Distribution Center (KDC) issues Ticket-Granting Tickets (TGTs) after a user successfully authenticates. The TGT is encrypted with the secret key of the krbtgt account, a built-in domain account whose password hash is known only to the domain controllers. If an attacker gains domain administrator privileges and extracts the krbtgt password hash (specifically the NTLM hash), they can forge their own TGTs offline. This forged TGT can be crafted with any user identity, including the built-in Administrator account, and can set arbitrary group memberships such as Domain Admins. Once the attacker injects this forged TGT into a Kerberos session on a compromised machine, they can request service tickets for any resource in the domain, including file servers, databases, and domain controllers themselves.

The critical factor that makes Golden Ticket attacks so dangerous is persistence. Because the krbtgt account password is rarely changed, and when it is, it must be changed twice to fully invalidate old tickets, a forged TGT remains valid indefinitely as long as the krbtgt hash remains unchanged. The attacker does not need to maintain a foothold on the network; they can use the forged TGT offline and reuse it even after the original compromise is discovered and remediated. Golden Ticket attacks do not require any interaction with the domain controller after the initial hash extraction: the forged TGT is generated entirely on the attacker's machine using tools like Mimikatz or Rubeus. This makes detection extremely difficult because domain controllers never see the initial authentication request. Standard security monitoring tools that look for anomalous logon events may miss the attack entirely since the forged TGT is used to request service tickets without any corresponding authentication event on the KDC. Understanding this mechanism is vital for any IT security professional, as it underscores why protecting the krbtgt account hash is paramount. Organizations must implement privileged access workstations, restrict domain admin logins, and enforce regular krbtgt password rotations, often called "resetting the krbtgt password twice", to limit the window of exploitation. Exam questions frequently test the concept that the krbtgt hash is the "keys to the kingdom" and that the attack is possible without re-authentication to the KDC, highlighting the need for defense-in-depth strategies.

Detecting and Mitigating Golden Ticket Attacks in Active Directory

Detecting a Golden Ticket attack presents unique challenges because the forged TGT is never validated against the domain controller at the time of use. However, security professionals can implement several detection strategies that focus on anomaly-based monitoring and forensic analysis. One effective method is to monitor for unusual TGT lifetime values. Legitimate Kerberos TGTs issued by a domain controller have a default lifetime, typically 10 hours in modern Windows environments, configurable via Group Policy. Forged TGTs often have extraordinarily long lifetimes, sometimes set to years or even decades, because the attacker can arbitrarily specify the expiration time. Security Information and Event Management (SIEM) tools can alert when a TGT is used that exceeds the maximum allowed lifetime by a significant margin. Another detection technique involves monitoring for service ticket requests that use a TGT with an anomalous user account. For example, if a disabled or non-existent user account suddenly requests access to a high-value resource, that is a strong indicator of a forged TGT. Advanced threat detection platforms can analyze Kerberos traffic for inconsistencies in the TGT encryption type: legitimate TGTs use encryption keys derived from the domain's krbtgt account, but forged TGTs may use weaker or inconsistent encryption algorithms depending on the tool used to generate them. Event ID 4769 (a Kerberos service ticket was requested) combined with Event ID 4624 (logon) can be correlated to check for logon events that are absent prior to ticket usage, which is a hallmark of Golden Ticket attacks.

Mitigation requires a layered approach. The most critical step is to protect the krbtgt account password hash. This means limiting access to domain controllers and privileged accounts. Use of Group Managed Service Accounts (gMSA) for services that require elevated privileges can reduce the number of accounts with domain admin rights. Implementing Privileged Access Management (PAM) solutions, such as Microsoft's Just Enough Administration (JEA) and Just-In-Time (JIT) access, minimizes the window in which an attacker can extract the krbtgt hash. Regular rotation of the krbtgt password is essential: Microsoft recommends resetting the krbtgt password every 180 days, and doing so twice to invalidate existing forged tickets. The first reset does not immediately invalidate existing TGTs; a second reset after 10-24 hours ensures that all TGTs encrypted with the old hash are rejected. Detection-oriented tools like Microsoft Advanced Threat Analytics (ATA) or Azure ATP can identify Golden Ticket usage by analyzing abnormal Kerberos packet structures. Enabling Kerberos armoring (RFC 6113), also known as FAST (Flexible Authentication via Secure Tunneling), can add an extra layer of protection by requiring that TGT requests be protected by a pre-authentication key derived from the user's password, making offline forgery harder. In exam contexts, these mitigation strategies are often tested: candidates must know that resetting the krbtgt password is the only surefire way to invalidate a Golden Ticket, and that doing so twice is required for full effectiveness. Understanding the interplay between detection (anomalous TGT lifetime, missing logon events) and mitigation (hash protection, password rotation, armoring) is essential for both certification exams and real-world security operations.

Memory Tip

Gold = KRBTGT (the gold standard for domain authentication). If you see ‘gold,’ think ‘global’ access via the KDC master key.

Learn This Topic Fully

This glossary page explains what Golden ticket means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.What is the single most important secret that an attacker must obtain to successfully forge a Golden Ticket?

2.Why is a single password reset of the krbtgt account usually insufficient to invalidate all existing Golden Tickets?

3.Which Mimikatz command is used to extract the krbtgt NTLM hash from a domain controller?

4.An administrator suspects a Golden Ticket attack because a service ticket was requested for a high-value resource without a corresponding logon event. Which Windows Event ID should they focus on to detect this anomaly?

5.Which of the following is the most effective defense against Golden Ticket attacks?

6.An attacker has extracted the krbtgt hash and created a Golden Ticket. How long can they reuse that ticket if the domain does not change the krbtgt password?

Frequently Asked Questions

Can a golden ticket be used from a non-domain joined machine?

Yes, a golden ticket can be injected into a Kerberos session on any machine that has network access to a domain controller, regardless of whether it is domain joined. The machine must be able to communicate with the KDC to request service tickets using the forged TGT.

How long is a golden ticket valid?

The attacker sets the validity period when forging the ticket, often to years or even decades. The ticket remains valid until the KRBTGT password is changed and all old tickets are invalidated. Default Kerberos ticket lifetime policies do not apply because the ticket is forged offline.

Does a golden ticket work if the user does not exist in Active Directory?

Yes. The golden ticket can impersonate any user, including those that never existed. The ticket contains a user principal name and SID, but the domain controller does not check if the user is a current, valid account when the TGT is used to request a service ticket.

What is the difference between a golden ticket and a diamond ticket?

A golden ticket forges a TGT using the KRBTGT hash. A diamond ticket is a forged TGT that is decrypted and re-encrypted with a modified set of PAC attributes, but still uses the KRBTGT hash. Both achieve the same goal, but diamond tickets are harder to detect because they are based on a legitimate TGT that is tampered with.

Can multi-factor authentication (MFA) stop a golden ticket attack?

No, MFA does not stop a golden ticket attack because the attack happens after authentication. The forged TGT is presented to the KDC, which trusts it based on the KRBTGT hash, not on any secondary factor. MFA protects the initial logon process, but once the KRBTGT hash is stolen, MFA is irrelevant.

Is the golden ticket attack only possible on-premises?

The classic golden ticket attack targets on-premises Active Directory. However, similar concepts exist in hybrid environments where a compromised on-premises AD can be used to forge tickets for Azure AD Connect or to federate into cloud services. Cloud-only environments using Azure AD are not directly vulnerable because they do not use the KRBTGT account.

Summary

The Golden Ticket attack is one of the most powerful and dangerous post-exploitation techniques in Windows Active Directory environments. It allows an attacker who has obtained the KRBTGT password hash to forge a Kerberos TGT that grants unrestricted, domain-wide access to all resources. The attack is stealthy because the forged ticket is cryptographically legitimate, bypassing normal authentication checks and logging. For IT professionals, understanding this attack is not optional-it is a fundamental requirement for securing identity infrastructure. The key takeaway is that protecting the KRBTGT account is paramount: it must be treated as a jewel, with strict access controls, regular password rotations, and continuous monitoring for misuse.

From an exam perspective, the golden ticket is a frequent topic in security certifications like CompTIA Security+, CEH, and CISSP. Candidates must know the attack components: KRBTGT hash, Mimikatz, DCSync, and the dual password reset mitigation. They must also distinguish it from similar attacks like silver tickets and pass-the-hash. In real-world practice, the attack emphasizes the importance of tiered administration, privileged access workstations, and behavioral analytics. A single golden ticket can lead to complete organizational compromise, making it a critical focus area for anyone involved in IT security. Remember: the gold of the domain is the KRBTGT account-protect it as if the entire network depends on it, because it does.