
Golden Ticket

Forge Unlimited Domain Access

Forge a Kerberos TGT using the KRBTGT hash to impersonate any user — the ultimate AD persistence mechanism providing unrestricted domain access.

Difficulty: Advanced | Duration: ~6 min | MITRE ATT&CK: T1558.001

Prerequisites:
- KRBTGT account NTLM hash (from DCSync or NTDS.dit)
- Domain SID
- Mimikatz or Rubeus
Step 1/4: Gather Required Information

Step 1: Get Domain SID

Retrieve the domain's Security Identifier (SID). This is needed to construct a valid TGT because the SID identifies the domain in all Kerberos tickets.

We need two things to forge a Golden Ticket: the domain's unique identifier (SID) and the KRBTGT password hash (which we already obtained via DCSync). The SID is easy to find — any domain user can look it up.

Detection Events:
- Event ID 4662: Directory service queried for domain SID
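The two points above, that an account SID carries the domain SID as its prefix and that a ticket presenting a SID from the wrong domain is therefore anomalous, are easy to see in code. The following Python is an added, defender-side example and is not part of the original page or of Mimikatz or Rubeus: it parses SIDs into revision, identifier authority and sub-authorities, derives the domain SID from an account SID, and checks constructed logon records (fields modelled on a 4624 event) for SIDs outside the expected domain. It goes slightly beyond the page by also comparing the well-known RID 500 against the Administrator account name. Every SID, account name and record here is a constructed placeholder.

```python
# Added example, not from the original page: parse Windows SIDs and check that
# account SIDs in constructed logon records belong to the expected domain.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Expected domain SID: a constructed placeholder, not a real domain.
EXPECTED_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        """Parse the textual form S-<revision>-<authority>[-<subauth>...]."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0] != "S" or not all(p.isdigit() for p in parts[1:]):
            raise ValueError(f"not a well-formed SID: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.sub_authorities)])

    def domain_sid(self) -> Optional["Sid"]:
        """Domain accounts use S-1-5-21-<a>-<b>-<c>-<RID>; the domain SID is that value
        without the trailing RID. Well-known SIDs such as S-1-5-18 (LocalSystem) or
        S-1-5-32-544 (BUILTIN\\Administrators) have no domain SID and return None."""
        if self.authority == 5 and len(self.sub_authorities) == 5 and self.sub_authorities[0] == 21:
            return Sid(self.revision, self.authority, self.sub_authorities[:-1])
        return None

    def rid(self) -> Optional[int]:
        """Relative identifier of a domain account, or None for non-domain SIDs."""
        return self.sub_authorities[-1] if self.domain_sid() is not None else None


def check_logon(record: Dict[str, str], expected_domain: str) -> List[str]:
    """Return findings for one logon record; an empty list means nothing anomalous."""
    findings: List[str] = []
    try:
        sid = Sid.parse(record.get("TargetUserSid", ""))
    except ValueError as exc:
        return [str(exc)]
    domain = sid.domain_sid()
    if domain is None:
        return []  # local or well-known account: the domain check does not apply
    if str(domain) != expected_domain:
        findings.append(f"SID {sid} is not from expected domain {expected_domain}")
    # RID 500 is the well-known built-in domain Administrator; a name/RID mismatch
    # is worth a look because a forged ticket can pair any name with any RID.
    name = record.get("TargetUserName", "")
    if name.lower() == "administrator" and sid.rid() != 500:
        findings.append(f"name Administrator presented with RID {sid.rid()} (expected 500)")
    if sid.rid() == 500 and name.lower() != "administrator":
        findings.append(f"RID 500 presented with name {name!r}")
    return findings


def scan(records: List[Dict[str, str]], expected_domain: str = EXPECTED_DOMAIN_SID) -> Dict[int, List[str]]:
    """Map record index -> findings for every record that produced at least one finding."""
    results: Dict[int, List[str]] = {}
    for index, record in enumerate(records):
        findings = check_logon(record, expected_domain)
        if findings:
            results[index] = findings
    return results


# Constructed sample records (not real event data); only the third is from another domain.
SAMPLE_LOGONS = [
    {"EventID": "4624", "TargetUserName": "jdoe",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    {"EventID": "4624", "TargetUserName": "Administrator",
     "TargetUserSid": "S-1-5-21-1111111111-2222222222-3333333333-500"},
    {"EventID": "4624", "TargetUserName": "svc_backup",
     "TargetUserSid": "S-1-5-21-9999999999-8888888888-7777777777-1001"},
    {"EventID": "4624", "TargetUserName": "SYSTEM", "TargetUserSid": "S-1-5-18"},
]

if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOGONS).items():
        print(f"record {index}: {'; '.join(findings)}")
```

The domain-membership check is the part that follows directly from the page: because the domain SID is embedded in every account SID carried by a ticket, a logon whose SID prefix is not your domain's SID (or any trusted domain's) cannot have come from your KDC. The RID check is an extra consistency test on the same structure.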
Attack Flow (diagram): Get domain SID
Nodes: Attacker, KRBTGT Hash, Domain Controller, Any Domain Resource
Legend: Request, Response, Attack, Data

Content sourced from Microsoft Documentation, MITRE ATT&CK Framework, NIST SP 800-63/171, adsecurity.org (Sean Metcalf), SpecterOps research, and SANS Reading Room. For educational purposes only.