Advanced · T1558.001

Golden & Silver Ticket Attacks

With the KRBTGT hash, attackers forge their own Kerberos tickets and become anyone in the domain — an invisible master key that survives password resets.

In Kerberos authentication, the Domain Controller (acting as the KDC) issues tickets protected with the key of a special account called KRBTGT. Every ticket that proves your identity (a Ticket Granting Ticket, or TGT) is encrypted with a key derived from the KRBTGT password. If an attacker steals the KRBTGT password hash, usually via DCSync, they can create their own tickets from scratch. A "Golden Ticket" is a forged TGT that says "I am a Domain Admin" (or any user), and it is indistinguishable from a real one because it is encrypted with the correct key. A "Silver Ticket" is a forged service ticket for a specific service, created using that service account's password hash. Silver Tickets are stealthier because the forged ticket is presented directly to the service and the Domain Controller is never contacted.

A Golden Ticket is like counterfeiting the master key to every room in a hotel. The master key was created by the hotel manager (KRBTGT), and if you steal the mold, you can make a key that opens every door, forever — until the manager creates a brand new mold (changes the KRBTGT password twice). A Silver Ticket is like counterfeiting a key to one specific room using the room's lock pattern (service account hash). It only opens that room, but the front desk never knows you have it because you never went through the front desk.
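To make the "new mold" point concrete, here is an added Python simulation (not code from the original page) of the KDC's key history: the KDC accepts a TGT protected under either the current or the previous KRBTGT key, so one reset leaves a pre-existing ticket valid and only the second reset invalidates it. Ticket encryption is stood in for by an HMAC tag over the ticket fields; the `SimulatedKdc` class, the realm name and the principal names are assumptions for the demo, not real Kerberos code.

```python
"""Why the KRBTGT password must be reset twice: a key-history simulation.

Added example, not from the original page. Models the KDC rule that tickets
protected under the current OR the previous KRBTGT key are accepted.
"""
import hashlib
import hmac
import json
import os


class SimulatedKdc:
    """Toy KDC (an assumption for this example) holding the current and previous KRBTGT keys."""

    def __init__(self):
        self.current_key = os.urandom(32)
        self.previous_key = None  # populated after the first reset

    def reset_krbtgt(self):
        """One KRBTGT password reset: the old key becomes the 'previous' key, still accepted."""
        self.previous_key = self.current_key
        self.current_key = os.urandom(32)

    def issue_tgt(self, principal):
        """Legitimate issuance: always under the current key."""
        return make_tgt(self.current_key, principal)

    def validate_tgt(self, tgt):
        """Accept the ticket if its tag verifies under the current or the previous key."""
        for key in (self.current_key, self.previous_key):
            if key is None:
                continue
            expected = hmac.new(key, tgt["body"].encode(), hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, tgt["tag"]):
                return True
        return False


def make_tgt(key, principal):
    """Build a ticket protected by `key`; HMAC stands in for Kerberos ticket encryption."""
    body = json.dumps({"cname": principal, "realm": "CORP.EXAMPLE"}, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def rotation_demo():
    """Track whether a ticket built under a compromised key survives 0, 1 and 2 resets."""
    kdc = SimulatedKdc()
    compromised_key = kdc.current_key  # stands in for a key obtained before the resets
    old_ticket = make_tgt(compromised_key, "forged-administrator")
    results = {"before_reset": kdc.validate_tgt(old_ticket)}
    kdc.reset_krbtgt()
    results["after_one_reset"] = kdc.validate_tgt(old_ticket)   # still accepted: previous key
    kdc.reset_krbtgt()
    results["after_two_resets"] = kdc.validate_tgt(old_ticket)  # rejected: key is gone from history
    # Tickets issued after the final reset still work for legitimate users.
    results["fresh_ticket_valid"] = kdc.validate_tgt(kdc.issue_tgt("alice"))
    return results


if __name__ == "__main__":
    for step, ok in rotation_demo().items():
        print(f"{step}: {'accepted' if ok else 'rejected'}")
```

The same logic is why the recommended procedure waits between the two resets: the first reset should replicate to every DC (and legitimate clients should obtain new TGTs) before the second reset discards the previous key, otherwise valid users are locked out along with the forged tickets.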


Key Takeaways

  1. Golden Tickets are forged TGTs — they grant access to everything in the domain.
  2. The KRBTGT password must be changed TWICE to invalidate Golden Tickets.
  3. Silver Tickets are stealthier — they target specific services and bypass DC logging.
  4. Diamond Tickets modify legitimate TGTs, making them the hardest to detect.
  5. Sapphire Tickets use S4U2Self to obtain a real PAC from the KDC, then embed it in a forged ticket — the stealthiest variant.
  6. Regular KRBTGT password rotation (every 180 days) limits the window for Golden Ticket attacks.
Why Should I Care?

Golden Tickets represent the ultimate persistence mechanism in AD. Once an attacker has the KRBTGT hash, they have an invisible master key that can last for years if the KRBTGT password is not rotated.

Defense Recommendations

Rotate the KRBTGT password regularly, monitor for anomalous Kerberos tickets, and deploy advanced threat detection.

  1. Rotate the KRBTGT password twice in succession every 180 days (using a controlled process with a 12-24 hour gap between resets).
  2. Monitor Event ID 4769 for unusual encryption types (RC4 when AES is enforced) or impossible ticket lifetimes.
  3. Enable PAC validation on critical services via the ValidateKdcPacSignature registry key.
  4. Deploy Microsoft Defender for Identity to detect Golden Ticket and Silver Ticket usage.
  5. Alert on TGT usage from IP addresses that do not match the user's normal workstation.
  6. Use AES-only Kerberos (disable RC4) to make ticket forging more difficult and more detectable.
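As an added illustration of recommendations 2, 5 and 6 (example code, not from the original page or any vendor tool), the Python below runs three heuristics over constructed, simplified 4768/4769 records: a legacy encryption type (RC4 or DES) in a service-ticket request when the domain is AES-only; a 4769 for an account with no 4768 on record within the TGT lifetime (a forged TGT was never requested from any DC, so no AS-REQ was ever logged); and a request from an address that is not the user's usual workstation. The field names follow the real 4768/4769 event data, but the sample values, the 10-hour TGT lifetime, the AES-only policy flag and the workstation baseline are all assumptions for this example.

```python
"""Heuristic detection over Kerberos events 4768/4769 (added example, not from the page).

Sample records are constructed and simplified; in practice they come from the
Security log on every DC (EventData fields TargetUserName, ServiceName,
TicketEncryptionType, IpAddress).
"""
from datetime import datetime, timedelta

# Kerberos etype values as logged in TicketEncryptionType.
AES_ETYPES = {"0x11", "0x12"}                    # AES128 / AES256-CTS-HMAC-SHA1-96
LEGACY_ETYPES = {"0x1", "0x3", "0x17", "0x18"}   # DES-CBC-CRC, DES-CBC-MD5, RC4-HMAC, RC4-HMAC-EXP
TGT_LIFETIME = timedelta(hours=10)               # assumed domain policy (default max TGT life)
AES_ONLY_POLICY = True                           # assumed: RC4 disabled domain-wide

# Constructed sample events. 4768 logs the bare account name, 4769 logs user@REALM.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-05-01T08:00:00", "TargetUserName": "alice",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T08:05:00", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "cifs/fs01", "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
    # bob: no 4768 anywhere in the log, RC4 etype, and an unexpected source address
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:10:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "ldap/dc01", "TicketEncryptionType": "0x17", "IpAddress": "10.0.9.99"},
    # alice again, 11.5 h after her only TGT request and with no renewal in between
    {"EventID": 4769, "TimeCreated": "2024-05-01T19:30:00", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "host/srv02", "TicketEncryptionType": "0x12", "IpAddress": "10.0.1.20"},
]
# Assumed baseline of each user's usual workstation address.
KNOWN_WORKSTATIONS = {"alice": "10.0.1.20", "bob": "10.0.1.21"}


def _user(name):
    """Normalise 'alice' and 'alice@CORP.EXAMPLE' to the same key."""
    return name.split("@", 1)[0].lower()


def analyze(events, aes_only=AES_ONLY_POLICY, tgt_lifetime=TGT_LIFETIME):
    """Return (rule, user, detail) findings for every 4769 that trips a heuristic."""
    events = sorted(events, key=lambda e: e["TimeCreated"])
    last_tgt = {}  # user -> timestamp of the most recent TGT request or renewal seen
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["TimeCreated"])
        user = _user(e["TargetUserName"])
        etype = e["TicketEncryptionType"].lower()
        if e["EventID"] == 4768:          # AS-REQ: a TGT was issued by this DC
            last_tgt[user] = ts
            continue
        if e["EventID"] != 4769:
            continue
        if aes_only and etype in LEGACY_ETYPES:
            findings.append(("legacy_etype", user, f"{etype} for {e['ServiceName']}"))
        seen = last_tgt.get(user)
        if seen is None or ts - seen > tgt_lifetime:
            findings.append(("tgs_without_recent_tgt", user, e["ServiceName"]))
        expected_ip = KNOWN_WORKSTATIONS.get(user)
        if expected_ip and e["IpAddress"] != expected_ip:
            findings.append(("unexpected_source_ip", user, e["IpAddress"]))
        if e["ServiceName"].lower().startswith("krbtgt"):  # TGT renewal is a TGS-REQ for krbtgt
            last_tgt[user] = ts
    return findings


if __name__ == "__main__":
    for rule, user, detail in analyze(SAMPLE_EVENTS):
        print(f"{rule:24} {user:8} {detail}")
```

Two caveats a practitioner will hit immediately: the missing-4768 correlation only works if the analysis sees events from every DC, because a client may obtain its TGT from one DC and request service tickets from another; and a real deployment should use the `TicketEncryptionType` of the 4768 as the baseline rather than a static policy flag, so that an RC4 service ticket for an account whose TGT was AES stands out even before RC4 is fully disabled.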
Source

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.