TL;DR
A Golden Ticket attack forges a Kerberos TGT by compromising the KRBTGT account in Active Directory, giving attackers unlimited, stealthy domain access that can persist for months. It’s one of the most dangerous post-exploitation techniques known. Detection requires monitoring specific Windows Event IDs and Kerberos anomalies. Full remediation requires resetting the KRBTGT account password twice and using a specialized forest recovery solution to undo malicious changes.
Among all cybersecurity threats, few attacks are as insidious and potentially damaging as the Golden Ticket attack. Unlike ransomware or brute-force attacks, which usually leave visible traces, a Golden Ticket attack operates under the radar, giving attackers a secret passage into the heart of a company’s identity infrastructure: its Active Directory (AD).
Active Directory is a critical component of most corporate networks: it manages user accounts, permissions, and authentication. A Golden Ticket attack does not exploit a bug in the Kerberos authentication protocol that AD uses; it abuses the protocol’s trust model once an attacker has stolen the one key the domain uses to issue tickets. With that key they can mint a “Golden Ticket”: a master key that unlocks almost anything on the network. Once inside, they can move around undetected, gain more access, steal confidential information, and maintain a hidden presence for months.
A Golden Ticket attack is a post-exploitation technique against Active Directory, the core identity and access management system of many organizations. Kerberos works by issuing “tickets” that prove a user’s identity to the domain and authorize access to specific services. A Golden Ticket is a forged Ticket-Granting Ticket (TGT) that makes the domain believe the attacker is whoever the ticket says, typically a domain administrator.
To create a Golden Ticket, attackers first need the secret of the KRBTGT account, the account whose key the domain controllers use to encrypt and sign every TGT they issue (service tickets, by contrast, are encrypted with the key of the service account they are issued for). With that key, attackers can generate their own TGTs that the Key Distribution Center (KDC) cannot tell apart from legitimate ones. Armed with a Golden Ticket, they effectively become a domain administrator, able to move laterally across the network, steal data, install malware, and cause widespread havoc.
To understand why a Golden Ticket attack is so dangerous, you first need to understand how Kerberos authentication works in Active Directory. When a user logs into a Windows domain, the following happens:
The KRBTGT account is the foundation of this entire process. The Kerberos keys derived from its password (the NTLM hash doubles as the RC4 key; AES128 and AES256 keys are derived separately) encrypt and sign every TGT in the domain. An attacker who obtains any of these keys can forge TGTs with any identity, any group memberships, and any lifetime they choose. That is a Golden Ticket.
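Added example (not code from the original article): a toy PowerShell model of the two facts above, that anyone holding the KRBTGT key can mint a TGT the KDC accepts without ever contacting it, and that the KDC keeps the previous key alongside the current one, which is why the remediation section later calls for two resets. The HMAC tag standing in for Kerberos encryption, the key-generation routine, and the `Demo` function names are assumptions of the model, not how a real TGT is built.

```powershell
# Toy model (added example): HMAC-SHA256 stands in for the Kerberos encryption of a TGT.
# Real TGTs are ASN.1 structures encrypted with the krbtgt key; the logic shown here is
# only the trust relationship, not the wire format.

function New-DemoKey {
    # 32 random bytes in place of a krbtgt AES256 key (assumption: we generate it directly
    # instead of deriving it from a password as AD does).
    $k = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($k)
    return ,$k
}

function Get-DemoTag {
    # "Encrypt" a ticket payload under a key: whoever holds the key can produce a valid tag.
    param([byte[]]$Key, [string]$Payload)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$Key)
    [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Payload)))
}

function New-DemoTgt {
    # Mint a TGT for any principal, any RID and any lifetime. No KDC is involved: this is
    # exactly the attacker's position once the krbtgt key has been stolen.
    param([byte[]]$Key, [string]$User, [int]$Rid, [datetime]$Expires)
    $payload = "$User|$Rid|$($Expires.ToString('o'))"
    [pscustomobject]@{ Payload = $payload; Tag = (Get-DemoTag -Key $Key -Payload $payload) }
}

function Test-DemoTgt {
    # The KDC accepts a TGT protected with the current OR the previous krbtgt key, so
    # tickets issued just before a reset keep working through the transition.
    param($Kdc, $Ticket)
    foreach ($k in @($Kdc.Current, $Kdc.Previous)) {
        if ($null -eq $k) { continue }
        if ((Get-DemoTag -Key $k -Payload $Ticket.Payload) -eq $Ticket.Tag) { return $true }
    }
    return $false
}

function Reset-DemoKrbtgtKey {
    # Mirrors a krbtgt password reset: the current key becomes "previous", a new one is current.
    param($Kdc)
    $Kdc.Previous = $Kdc.Current
    $Kdc.Current  = New-DemoKey
}

# Initial KDC state: one key in use, no previous key yet.
$kdc = @{ Current = (New-DemoKey); Previous = $null }

# The attacker steals the current key (hash or AES key of krbtgt) and forges a ten-year TGT
# for Administrator (RID 500) without talking to the KDC.
$stolen = $kdc.Current
$golden = New-DemoTgt -Key $stolen -User 'Administrator' -Rid 500 -Expires (Get-Date).AddYears(10)

"Before any reset : accepted = $(Test-DemoTgt -Kdc $kdc -Ticket $golden)"
Reset-DemoKrbtgtKey -Kdc $kdc
"After one reset  : accepted = $(Test-DemoTgt -Kdc $kdc -Ticket $golden)"
Reset-DemoKrbtgtKey -Kdc $kdc
"After two resets : accepted = $(Test-DemoTgt -Kdc $kdc -Ticket $golden)"
```

The three lines show the forged ticket accepted before any reset, still accepted after one reset because the stolen key has merely become the previous key, and rejected only after the second reset pushes it out of the two-key window.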
A Golden Ticket attack typically unfolds in four stages:
Step 1: Initial Compromise and Privilege Escalation
The attacker first gains a foothold in the environment, often through phishing, credential theft, or an unpatched vulnerability. From there, they escalate privileges until they hold Domain Admin rights, or at least the directory replication rights (Replicating Directory Changes and Replicating Directory Changes All) that DCSync requires; either is enough to obtain the KRBTGT secret.
Step 2: Extracting the KRBTGT Account Hash
Next, the attacker extracts the KRBTGT account’s secrets: its NTLM password hash and, preferably, its AES256 key. This can be done on a domain controller (dumping NTDS.dit, or Mimikatz “lsadump::lsa /inject /name:krbtgt”) or remotely via DCSync, which asks a DC to replicate the account the way another DC would (Mimikatz “lsadump::dcsync /user:krbtgt” or Impacket’s “secretsdump.py”). They also collect the domain’s DNS name and domain SID (Security Identifier): both are needed to forge a valid ticket.
Step 3: Forging the Golden Ticket
With the KRBTGT key, domain name, domain SID, and a username to impersonate in hand, the attacker uses Mimikatz’s “kerberos::golden” function (or Impacket’s “ticketer.py”) to generate a forged TGT. If only the NTLM hash is used, the ticket is RC4-encrypted, which stands out as an encryption downgrade in a domain whose accounts use AES; attackers who want to stay quiet forge with the AES256 key instead. This ticket can:
Step 4: Using the Golden Ticket
The forged TGT is injected into the attacker’s current session (for example with Mimikatz “kerberos::ptt”). From this point, the attacker presents it to a domain controller to obtain legitimate service tickets for any service in the domain: file shares, databases, email systems, and the domain controllers themselves, all while appearing to be a trusted user. Because the ticket is encrypted and signed with the real KRBTGT key, the KDC accepts it. One practical limit: for a TGT older than 20 minutes, the KDC checks that the account named in it still exists and is enabled, so a ticket for an invented user stops working after 20 minutes. Attackers therefore impersonate real accounts, commonly with a forged RID of 500 and Domain Admins membership in the ticket’s PAC. Key danger: Even if the impersonated user’s password is changed, the Golden Ticket remains valid until the KRBTGT account password is reset twice.
This technique of injecting and reusing stolen or forged tickets is closely related to Pass the Ticket attacks, which similarly abuse Kerberos without needing account passwords.
Cayosoft Guardian provides advanced threat detection, continuous change monitoring, and automated remediation capabilities to help protect against Golden Ticket attacks and other cyber threats. Click here to learn more.
Golden Ticket attacks are part of a family of Kerberos-based attacks. Here’s how they compare:
| Attribute | Golden Ticket | Silver Ticket | Diamond Ticket |
|---|---|---|---|
| What’s forged | TGT (domain-wide) | Service ticket (TGS) for one service | Legitimately issued TGT, decrypted and modified |
| Key needed | KRBTGT key | Service or machine account key | KRBTGT key (AES256 in practice) |
| Access scope | Entire domain | One specific service | Entire domain |
| KDC contact | Skips the TGT request (no 4768) but contacts a DC for every service ticket | None; the forged ticket goes straight to the service | Normal TGT request first (a real 4768), then service tickets as usual |
| Persistence risk | Very high | Moderate | Very high |
| Detection difficulty | High | Very high | Highest |
Golden Ticket attacks are formally classified in the MITRE ATT&CK framework as:
This classification reflects the dual nature of the attack: it is both a credential theft technique (stealing the KRBTGT hash) and a persistence mechanism (maintaining long-term, stealthy access via forged tickets).
The consequences of a successful Golden Ticket attack are far-reaching and severe. With unrestricted access to Active Directory, attackers can:
In healthcare environments, a Golden Ticket attack doesn’t just threaten data, it threatens the continuity of care. With patient records, scheduling systems, and even medical devices often tied into Active Directory, attackers gaining domain-level access can cause significant operational disruption. Worse, their stealthy presence may go undetected for weeks, exposing sensitive health data and triggering compliance violations. Cayosoft’s identity management solutions for healthcare help mitigate this risk by enforcing least-privilege access, monitoring privileged accounts, and giving IT teams real-time insight into changes within Active Directory, ensuring attackers can’t move freely without being noticed.
The fallout from a Golden Ticket attack can be catastrophic for any organization. Recovering from such a breach is often time-consuming, costly, and can severely damage a company’s reputation and customer trust. This is why proactive measures to prevent and mitigate Golden Ticket attacks are essential for any organization that relies on Active Directory.
TA428, August 2022: The Chinese-speaking APT group TA428 ran a wave of successful Golden Ticket attacks against military-industrial enterprises and public institutions, using forged Kerberos TGTs to impersonate users and move laterally across sensitive networks.
Antlion, 2020–2021: The Chinese-linked APT group Antlion ran an 18-month campaign against financial institutions in Taiwan. Among other tactics, the attackers used tools such as Mimikatz to perform Golden Ticket techniques alongside custom backdoors to maintain persistent control of compromised networks.
APT29, 2024: In early 2024, Microsoft published research on APT29 (also known as Cozy Bear, Midnight Blizzard, or Nobelium), the group behind the SolarWinds breach; the group has been documented using Golden Ticket attacks as a post-exploitation persistence technique across cyberespionage campaigns targeting government networks.
Golden Ticket attacks are designed to be stealthy, but they do leave traces if you know where to look.
| Event ID | Description | What to Look For |
|---|---|---|
| 4769 | Kerberos service ticket requested | Requests for an account with no matching 4768 from any DC within the TGT lifetime; Ticket Encryption Type 0x17 (RC4) where the account should be using AES (0x12); unusual services or source addresses for privileged accounts |
| 4768 | Kerberos TGT requested | Its absence: a Golden Ticket is never requested, so 4769 and 4624 events with no 4768 for that account are the primary indicator. Collect 4768 from every DC, because the TGT and service ticket requests may be served by different ones |
| 4624 | Successful account logon | Kerberos network logons (logon type 3) for high-privilege accounts from unexpected hosts or hours; an Account Domain field holding the DNS name (or blank) instead of the NetBIOS name; an account whose SID ends in -500 under a name other than the built-in Administrator |
| 4627 | Group membership at logon | RID 500 or Domain Admins (RID 512) membership appearing for accounts that should not have it |
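Added example (not code from the original article or from any vendor): a small PowerShell correlation routine that applies the indicators in the table above. It runs offline against constructed sample events embedded below; the `ConvertFrom-SecurityEvent` helper flattens real `Get-WinEvent` records into the same shape for live use. Assumptions: the domain’s NetBIOS name is CORP (DNS name corp.local), all accounts support AES so an RC4 service ticket is a downgrade, and the function and account names are invented for the example.

```powershell
function ConvertFrom-SecurityEvent {
    # Flatten a Get-WinEvent record into one object: System fields plus every
    # <Data Name="..."> element of EventData, so 4768/4769/4624 share one shape.
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        [xml]$x = $Record.ToXml()
        $o = [ordered]@{ Id = $Record.Id; Time = $Record.TimeCreated; Computer = $Record.MachineName }
        foreach ($d in $x.Event.EventData.Data) { $o[$d.Name] = $d.'#text' }
        [pscustomobject]$o
    }
}

function Find-GoldenTicketIndicators {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [string]$NetbiosDomain = 'CORP',                       # assumption for the sample
        [timespan]$MaxTgtLifetime = [timespan]::FromHours(10)  # default Kerberos policy
    )
    # Index every TGT request (4768) by account. Feed in 4768 from ALL domain controllers:
    # the AS-REQ and the later TGS-REQs may be served by different DCs.
    $tgtByUser = @{}
    foreach ($e in ($Events | Where-Object { $_.Id -eq 4768 })) {
        $u = $e.TargetUserName.ToLowerInvariant()
        if (-not $tgtByUser.ContainsKey($u)) { $tgtByUser[$u] = @() }
        $tgtByUser[$u] += $e.Time
    }

    $findings = @()
    foreach ($e in ($Events | Sort-Object Time)) {
        $stamp = $e.Time.ToString('yyyy-MM-dd HH:mm')
        if ($e.Id -eq 4769) {
            # 4769 records the client as user@REALM; strip the realm before matching.
            $u = ($e.TargetUserName -replace '@.*$', '').ToLowerInvariant()
            $times = if ($tgtByUser.ContainsKey($u)) { $tgtByUser[$u] } else { @() }
            $recentTgt = @($times | Where-Object { $_ -le $e.Time -and ($e.Time - $_) -le $MaxTgtLifetime })
            if ($recentTgt.Count -eq 0) {
                $findings += "$stamp 4769 $u -> $($e.ServiceName): no TGT request (4768) within $($MaxTgtLifetime.TotalHours)h"
            }
            if ($e.TicketEncryptionType -eq '0x17') {
                $findings += "$stamp 4769 $u -> $($e.ServiceName): RC4 (0x17) service ticket in an AES domain"
            }
        }
        elseif ($e.Id -eq 4624 -and $e.AuthenticationPackageName -eq 'Kerberos') {
            if ($e.TargetDomainName -ne $NetbiosDomain) {
                $findings += "$stamp 4624 $($e.TargetUserName): account domain '$($e.TargetDomainName)' is not the NetBIOS name '$NetbiosDomain'"
            }
            if ($e.TargetUserSid -match '-500$' -and $e.TargetUserName -ne 'Administrator') {
                $findings += "$stamp 4624 $($e.TargetUserName): logged on with the RID 500 SID $($e.TargetUserSid)"
            }
        }
    }
    return $findings
}

# Constructed sample events (not real log data). jsmith logs on normally in the morning;
# 20 hours later a Golden Ticket forged from the krbtgt NTLM hash for "jsmith" with RID 500
# is used from another host: no 4768, RC4 ticket, DNS-form domain, and a RID 500 SID.
$t0 = Get-Date '2024-03-01 08:00'
$sample = @(
    [pscustomobject]@{ Id=4768; Time=$t0;               TargetUserName='jsmith';            TargetDomainName='CORP.LOCAL'; TicketEncryptionType='0x12'; IpAddress='10.0.0.5' }
    [pscustomobject]@{ Id=4769; Time=$t0.AddMinutes(5); TargetUserName='jsmith@CORP.LOCAL'; ServiceName='fs01$';           TicketEncryptionType='0x12'; IpAddress='10.0.0.5' }
    [pscustomobject]@{ Id=4769; Time=$t0.AddHours(20);  TargetUserName='jsmith@CORP.LOCAL'; ServiceName='dc01$';           TicketEncryptionType='0x17'; IpAddress='10.0.0.99' }
    [pscustomobject]@{ Id=4624; Time=$t0.AddHours(20).AddSeconds(2); TargetUserName='jsmith'; TargetDomainName='corp.local'; TargetUserSid='S-1-5-21-1111-2222-3333-500'; LogonType='3'; AuthenticationPackageName='Kerberos'; IpAddress='10.0.0.99' }
)
Find-GoldenTicketIndicators -Events $sample

# Live use against the last 24 hours of a DC's Security log (run on, or forwarded from, every DC):
# Find-GoldenTicketIndicators -Events (Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4768,4769,4624; StartTime=(Get-Date).AddDays(-1) } | ConvertFrom-SecurityEvent)
```

Against the sample the morning activity produces nothing, while the later session yields four findings: a service ticket request with no TGT request in the preceding ten hours, an RC4 ticket, a logon whose Account Domain is corp.local rather than CORP, and a logon by jsmith carrying the RID 500 SID. Each of these is a heuristic: the missing-4768 check in particular is only as good as your coverage of every DC’s log, and long-lived legitimate sessions (renewed TGTs) can exceed the 10-hour window, so treat hits as triage leads rather than proof.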
Beyond event logs, watch for these anomalies in your environment:
Cayosoft Guardian continuously monitors for these anomalies across your Active Directory environment, alerting security teams to suspicious Kerberos activity in real time.
While the impact of a Golden Ticket attack can be devastating, there are proactive steps organizations can take to protect their Active Directory environment and mitigate the risk of such a breach:
The KRBTGT account requires special attention beyond standard password policies:
Traditional backup solutions often fall short in the face of a Golden Ticket attack. Because the attacker can operate with elevated privileges for an extended time, backups taken during this period may already be compromised. Simply restoring from a backup could inadvertently reinstate the attacker’s access and the damage they have caused.
This is where specialized forest recovery solutions come into play. These solutions go beyond simple backups, providing the ability to granularly restore individual objects within Active Directory, such as users, groups, and even specific attributes. This allows organizations to pinpoint and undo malicious changes made by the attacker without having to roll back the entire directory to a potentially vulnerable state.
Furthermore, these solutions often include features like change tracking and historical comparisons, enabling security teams to identify exactly when and how the attack occurred. This information is invaluable for understanding the extent of the compromise and implementing measures to prevent future attacks.
Cayosoft Guardian is a leading forest recovery solution designed to help organizations recover quickly and effectively from Active Directory attacks, including Golden Ticket attacks. With its granular restoration capabilities and advanced change tracking features, Cayosoft Guardian ensures that your Active Directory environment can be restored to a secure and healthy state, minimizing downtime and preventing further damage.
If you suspect a Golden Ticket attack has occurred, or if a Domain Admin account has been compromised, you must reset the KRBTGT account password twice. A single reset is not sufficient, because the KDC keeps the current and the previous KRBTGT key and accepts tickets encrypted with either; this is what lets legitimate TGTs survive a reset without every user re-authenticating. After the first reset, the stolen key is still the “previous” key, so forged tickets keep working. Only the second reset pushes the stolen key out of that two-key window and invalidates every ticket made with it. The reset procedure:
Use a maintained script rather than resetting by hand: Microsoft’s “New-KrbtgtKeys.ps1” (on GitHub) or Microsoft MVP Jorge de Almeida Pinto’s “Reset-KrbTgt-Password-For-RWDCs-And-RODCs.ps1”. Both perform the reset on one domain controller, verify that it has replicated to the rest, and include an informational/simulation mode so you can check replication health before making changes.
The default maximum TGT lifetime is 10 hours. Waiting at least that long (plus replication time) lets every legitimate TGT issued under the old key expire or be renewed before that key is discarded; a second reset too soon forces re-authentication everywhere and can break services that hold long-running tickets. If 10 hours isn’t feasible, you can temporarily reduce the TGT lifetime in Kerberos policy to 5 hours and monitor for issues.
After the waiting period, perform the second reset.
After each reset, confirm that the new key has replicated to every domain controller: read the “msDS-KeyVersionNumber” attribute of the KRBTGT object from each DC in turn (not only the one you ran the reset on). It should increment by 1 with each reset, and pwdLastSet should agree across all DCs.
Users with active sessions may need to re-authenticate. Monitor for service interruptions and Kerberos errors in your event logs.
Tip: read-only domain controllers (RODCs) do not hold the domain KRBTGT secret; each RODC has its own krbtgt_<number> account with its own key, so a compromised RODC exposes only that key. Those per-RODC accounts are not touched by the domain KRBTGT reset and must be reset individually.
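Added example (not code from the original article, from Microsoft, or from the scripts named above): a minimal, auditable PowerShell version of one reset with the convergence check the steps describe. It assumes the ActiveDirectory module, Domain Admin rights, and `repadmin` on the path; the function names are invented for the example. The published scripts add RODC handling, more safety checks and a simulation mode richer than the `-Simulate` switch here, so prefer them in production and treat this as a readable reference for what they do.

```powershell
Import-Module ActiveDirectory

function Get-KrbtgtKeyState {
    # Read krbtgt's key version and pwdLastSet from EVERY writable DC, so a reset that has
    # only reached some of them is visible as a version mismatch.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dn  = (Get-ADUser -Identity krbtgt -Server $Domain).DistinguishedName
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Where-Object { -not $_.IsReadOnly }
    foreach ($dc in $dcs) {
        $obj = Get-ADObject -Identity $dn -Server $dc.HostName -Properties 'msDS-KeyVersionNumber', 'pwdLastSet'
        [pscustomobject]@{
            DomainController = $dc.HostName
            KeyVersion       = [int]$obj.'msDS-KeyVersionNumber'
            PasswordLastSet  = [datetime]::FromFileTimeUtc([int64]$obj.pwdLastSet)
        }
    }
}

function Invoke-KrbtgtReset {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [switch]$Simulate)
    $state    = @(Get-KrbtgtKeyState -Domain $Domain)
    $versions = @($state.KeyVersion | Sort-Object -Unique)
    # Refuse to run if the previous reset has not converged: a second reset on top of an
    # unreplicated first one discards the key legitimate TGTs were issued with.
    if ($versions.Count -ne 1) {
        throw "krbtgt key version differs across DCs ($($versions -join ', ')); wait for replication."
    }
    $pdc = (Get-ADDomain -Identity $Domain).PDCEmulator
    if ($Simulate) {
        "Simulation: would reset krbtgt on $pdc; key version $($versions[0]) is consistent on $($state.Count) DCs."
        return
    }
    # The string itself is irrelevant to security (AD derives the Kerberos keys from it),
    # so use a long random value that satisfies any password policy.
    $bytes = New-Object byte[] 48
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $pw
    # Push the change to all DCs now instead of waiting for the replication schedule.
    repadmin /syncall $pdc /APed | Out-Null
    Get-KrbtgtKeyState -Domain $Domain
}

# Dry run: confirms the key version is consistent and names the DC the reset would target.
Invoke-KrbtgtReset -Simulate

# First reset (uncomment to run). Every DC should then report the previous KeyVersion + 1.
# Invoke-KrbtgtReset
# Wait at least the maximum TGT lifetime (10 hours by default), re-run Get-KrbtgtKeyState to
# confirm convergence, then perform the second reset; KeyVersion should be the original + 2.
# Invoke-KrbtgtReset

# RODCs: each has its own krbtgt_<id> account, reset separately. List them with their versions:
Get-ADUser -Filter 'SamAccountName -like "krbtgt_*"' -Properties 'msDS-KeyVersionNumber' |
    Select-Object SamAccountName, 'msDS-KeyVersionNumber'
```

The convergence check is the part worth copying even if you use one of the published scripts: reading msDS-KeyVersionNumber through `-Server` on each DC individually is what tells you the reset has actually landed everywhere, whereas a single query against the nearest DC only proves it landed there.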
A Golden Ticket attack poses a serious threat to Active Directory environments, enabling attackers to cause widespread damage and disruption. This stealthy attack can persist for extended periods, making it difficult to detect and mitigate.
To safeguard Active Directory, organizations must adopt a multi-layered approach. This involves implementing strong security measures like robust password policies, regular account audits, and least privilege principles. Continuous monitoring and logging are essential for identifying anomalies that could indicate a Golden Ticket attack.
However, even the best defenses can be breached. In such cases, specialized forest recovery solutions like Cayosoft Guardian offer a lifeline for restoring Active Directory integrity and minimizing the impact of a breach. By enabling granular restoration and providing insights into changes made within AD, Cayosoft Guardian helps organizations recover quickly and effectively, ensuring business continuity and safeguarding critical data.
Schedule a demo to learn how you can improve the security of your Active Directory against all types of attacks, including the Golden Ticket attack.
Unlike ransomware or phishing, a Golden Ticket attack is a post-exploitation technique that gives attackers long-term, stealthy access to your network. It is particularly dangerous because it abuses the trust Active Directory places in a single secret, the KRBTGT key, rather than a patchable software flaw; once that key is stolen, nothing short of rotating it twice closes the door.
A Golden Ticket compromises the KRBTGT account to forge TGTs, granting domain-wide access to all resources. A Silver Ticket compromises a service account to forge TGS (service) tickets, granting access only to that specific service. Golden Tickets are broader and more dangerous. Silver Tickets are narrower but even harder to detect because they never contact the Key Distribution Center after creation.
Attackers typically gain a Golden Ticket by compromising the KRBTGT account, a highly sensitive account within Active Directory that holds the keys to the Kerberos authentication system. Once they have access to this account, they can forge their own “Golden Tickets” that grant them administrative privileges.
By default, Kerberos TGTs are valid for 10 hours. However, a forged Golden Ticket can be set with any lifetime: attackers commonly configure them to remain valid for 10 years. This means a Golden Ticket can persist in your environment long after the initial breach, making it critical to reset the KRBTGT account password twice to invalidate all forged tickets.
Golden Ticket attacks are notoriously difficult to detect because the forged tickets pass every check the KDC performs, so there are no failed logons to alert on. The indicators are indirect: service ticket requests (4769) and logons (4624) with no corresponding TGT request (4768) on any DC, RC4-encrypted tickets where AES is expected, Account Domain fields in DNS rather than NetBIOS form, accounts appearing with a RID 500 SID, and privileged activity from unexpected hosts or hours.
While standard security measures like firewalls and antivirus software are important, they may not be enough to detect and prevent a Golden Ticket attack. This type of attack requires specialized tools and techniques for detection and mitigation.
Recovering from a Golden Ticket attack can be challenging, as traditional backups may be compromised. Specialized solutions like Cayosoft Guardian offer granular restoration capabilities for Active Directory, allowing you to pinpoint and undo malicious changes made by the attacker.