What is a Golden Ticket Attack?
You face an attacker who exfiltrates your domain's KRBTGT password hash. Shortly after, they forge a Kerberos ticket granting themselves Domain Admin privileges for the next 10 years. Your domain controllers trust this forged ticket completely: they cannot distinguish it from legitimate authentication.
This is a Golden Ticket attack. Adversaries forge Ticket-Granting Tickets (TGTs) using stolen KRBTGT account password hashes, creating cryptographically valid credentials that bypass standard security controls. If a ticket is encrypted with the KRBTGT account's long-term key, your KDC's ticket-granting service assumes this is an authentic request for an authentic user. Your domain controllers cannot distinguish forged tickets from legitimate ones because the cryptographic signatures appear mathematically identical.
CISA continues to document credential theft and Kerberos-based attacks in nation-state campaigns and ransomware operations targeting critical infrastructure, making this technique one of the most persistent post-exploitation attacks facing enterprises.
Adversaries must satisfy three prerequisites before they can execute a Golden Ticket attack: administrative access to your domain controller or an equivalent privileged system, extraction of the KRBTGT account hash from your NTDS.dit database or LSASS process memory, and collection of your domain FQDN, domain SID, and target user information. Once adversaries meet these conditions, they forge tickets outside your network entirely; no domain controller communication is required.
How Golden Ticket Relates to Cybersecurity
Golden Ticket attacks represent identity-based attacks that bypass security controls focused on network perimeter defense and endpoint security. You're defending against adversaries who've moved past initial compromise into the Credential Access phase of sophisticated attack chains.
Your standard security controls fail because forged tickets appear cryptographically identical to legitimate authentication events. Signature-based detection cannot identify Golden Tickets. Multi-factor authentication doesn't protect against them. Password policies become irrelevant. Organizations must reset the KRBTGT password twice to invalidate existing Golden Tickets.
MITRE ATT&CK formally classifies the technique under three tactics simultaneously:
- Credential Access (T1558.001),
- Lateral Movement (enabling domain-wide resource access),
- Persistence (tickets remain valid for years).
CISA advisories confirm that Russian state-sponsored APT actors have targeted Windows Active Directory servers for privilege escalation, and ransomware operations like Akira actively target Kerberos authentication infrastructure using credential extraction tools.
To defend against Golden Ticket attacks, you first need to understand the Kerberos components adversaries exploit.
Impact of a Golden Ticket Attack on an Organization
A successful Golden Ticket attack gives adversaries unrestricted access to every resource in your Active Directory environment. They authenticate as any user, access any system, and maintain this access for months or years without triggering standard security alerts.
Domain-Wide Resource Access
Adversaries with forged TGTs move freely across your environment. They access file servers containing sensitive intellectual property, authenticate to email systems for business communications, query databases holding customer records, and connect to backup infrastructure. Your security controls see legitimate Kerberos authentication, not unauthorized access.
Persistent Long-Term Access
Golden Tickets function as backdoors that survive typical incident response actions. Password resets for compromised accounts have no effect. Disabling user accounts doesn't revoke access. The forged tickets remain valid until you complete the double KRBTGT password reset protocol across all domain controllers, a process many organizations delay due to operational concerns about service disruption.
Data Exfiltration and Regulatory Exposure
Unrestricted domain access enables large-scale data theft. Adversaries can systematically extract customer databases, financial records, employee information, and proprietary business data. For organizations subject to GDPR, HIPAA, or PCI-DSS, a Golden Ticket compromise typically triggers mandatory breach notification requirements and potential regulatory penalties.
Operational and Recovery Costs
Recovery from Golden Ticket attacks requires significant resources. You must reset the KRBTGT password twice across all domain controllers, revoke all existing Kerberos tickets, reset privileged account credentials, conduct forensic analysis to identify initial compromise vectors, and potentially rebuild compromised domain controllers from clean backups. Organizations often discover Golden Ticket usage weeks or months after initial deployment, expanding the scope of forensic investigation.
These impacts make Golden Ticket attacks among the most severe Active Directory compromises. Defending against them requires understanding the attack's core components.
Core Components of a Golden Ticket Attack
Golden Ticket attacks exploit four Kerberos components: the KRBTGT service account, TGTs, PAC structures, and the KDC.
- KRBTGT Account: The KRBTGT account is your domain's Kerberos service account. Every domain controller uses its password hash to encrypt and sign all TGTs. When adversaries extract this hash, they possess the cryptographic key validating every authentication ticket in your domain.
- Ticket-Granting Ticket (TGT): TGTs function as authentication credentials that your KDC issues after successful user login. Users present TGTs to request service tickets for specific resources. Normal TGTs expire after limited validity periods, while forged Golden Tickets can have arbitrary expiration dates.
- Privilege Attribute Certificate (PAC): The PAC contains authorization data embedded within Kerberos tickets, specifying user group memberships, privileges, and access rights. Adversaries forge PAC data to grant themselves Domain Admin privileges regardless of their actual account permissions.
- Key Distribution Center (KDC): Your KDC runs on domain controllers and handles all Kerberos authentication requests, validating tickets by verifying cryptographic signatures using the KRBTGT account hash.
These four components interact in a specific sequence during a Golden Ticket attack.
Techniques Used to Forge a Golden Ticket
Adversaries use specialized tools and established methodologies to extract KRBTGT hashes and forge TGTs. Understanding these techniques helps you identify credential theft attempts before attackers complete the forgery process.
KRBTGT Hash Extraction Methods
Adversaries extract the KRBTGT password hash through two primary vectors. The first targets the NTDS.dit database file on domain controllers, which stores all Active Directory credentials. Tools like ntdsutil, secretsdump, or volume shadow copy enable offline extraction. The second vector targets LSASS process memory on domain controllers, where credential material exists in cleartext or easily reversible formats.
Common Attack Tools
MITRE ATT&CK documents several tools adversaries use for Golden Ticket attacks:
- Mimikatz: The most widely documented tool, capable of both KRBTGT extraction and ticket forgery through its kerberos::golden module
- Rubeus: A C# implementation offering similar capabilities with better evasion of security controls
- Impacket: Python-based toolkit including ticketer.py for TGT generation
- Sliver: Command-and-control framework with built-in Kerberos ticket manipulation
Offline Forgery Process
After extracting the KRBTGT hash, adversaries construct forged tickets on systems outside your network. They specify the domain SID, target username, group memberships (typically Domain Admins), and arbitrary validity periods. The forgery process requires no communication with your domain controllers, making it invisible to network monitoring until the adversary injects the ticket and begins authentication.
Recognizing these techniques shapes your monitoring strategy for the indicators that signal active attacks.
Indicators of a Golden Ticket Attack
Golden Ticket attacks generate identifiable patterns across authentication logs, network traffic, and endpoint telemetry. Your security team can find these indicators by monitoring for anomalies that deviate from normal Kerberos behavior.
Authentication Log Anomalies
Windows Security Event logs capture Kerberos activity that reveals Golden Ticket usage. Event IDs 4768, 4769, and 4770 record TGT requests, service ticket requests, and ticket renewals. Look for tickets with unusually long validity periods, authentication events from unexpected IP addresses, and service requests inconsistent with the user's normal role or access patterns.
Encryption Downgrade Signals
Forged tickets frequently use RC4 encryption because older attack tools default to this algorithm. In environments that have disabled RC4 in favor of AES encryption, any RC4-encrypted Kerberos ticket represents a high-confidence indicator. Configure your SIEM to alert on RC4 usage when your domain policy enforces AES-only authentication.
Credential Access Precursors
Golden Ticket deployment requires prior credential theft. Monitor for the prerequisite attack phases: unusual LSASS process access, NTDS.dit file operations, volume shadow copy creation on domain controllers, and execution of known credential extraction tools. Detecting credential access attempts provides earlier warning than monitoring for ticket forgery alone.
Behavioral Baseline Deviations
Users authenticate to predictable sets of resources based on their job functions. Golden Ticket usage often creates authentication patterns that deviate from established baselines. A user account suddenly requesting service tickets for systems outside their normal scope, authenticating from unfamiliar network segments, or accessing sensitive resources at unusual hours warrants immediate investigation.
These indicators inform how defenders structure their monitoring and response capabilities.
How a Golden Ticket Attack Works
Golden Ticket attacks are post-exploitation techniques requiring adversaries to first gain administrative access to domain controllers and extract the KRBTGT account password hash before forging TGTs.
- Phase 1-2: Initial Compromise and KRBTGT Extraction: Adversaries establish initial access through phishing, vulnerability exploitation, or credential theft. CISA Advisory AA23-250a documents APT actors exploiting CVE-2022-47966 in Zoho ManageEngine, performing LSASS memory dumps to collect credentials across entire Active Directory domains. Adversaries deploy tools like Mimikatz, Rubeus, or Sliver to extract the KRBTGT password hash and exfiltrate it to an external system.
- Phase 3: Ticket Forgery: Adversaries construct forged TGTs offline using the stolen KRBTGT hash, domain SID, and target user information. They specify arbitrary privileges in the PAC data structure, typically Domain Admins group membership, set extended validity periods, and encrypt the forged ticket using the stolen KRBTGT hash.
- Phase 4-5: Lateral Movement and Persistent Access: Adversaries inject forged TGTs into memory on compromised systems and request service tickets across your domain. Your KDC validates the forged TGT's cryptographic signature and issues service tickets. Adversaries authenticate to file servers, database systems, email infrastructure, and backup systems using forged credentials. Double KRBTGT password resets are essential because domain controllers maintain both current and previous password hashes for backward compatibility.
Recognizing these attack phases shapes your monitoring and response strategy.
How to Detect a Golden Ticket Attack
Detecting Golden Ticket attacks requires monitoring Kerberos authentication patterns and correlating anomalies across your security infrastructure. Signature-based tools cannot identify forged tickets because they are cryptographically valid. Your detection strategy must focus on behavioral analytics and authentication anomalies.
Configure SIEM Monitoring for Kerberos Events
Windows Security Event logs provide the primary data source for Golden Ticket detection. Configure your SIEM to collect and analyze Event IDs 4768, 4769, 4770, and 4771, which record TGT requests, service ticket requests, ticket renewals, and authentication failures. Create correlation rules that flag tickets with validity periods exceeding your domain policy, authentication requests from IP addresses outside normal user patterns, and service ticket requests inconsistent with established user behavior baselines.
Monitor for Encryption Downgrades
Many Golden Ticket attack tools default to RC4 encryption when forging tickets. If your environment enforces AES-only Kerberos authentication, any RC4-encrypted ticket represents a high-confidence indicator of forgery. Configure alerts for RC4 encryption type in Kerberos authentication events and investigate all occurrences immediately.
Track Credential Access Attempts
Golden Ticket attacks require prior extraction of the KRBTGT hash. Monitor domain controllers for the prerequisite credential theft phase:
- Unusual access to LSASS process memory
- NTDS.dit database file operations or extraction attempts
- Volume shadow copy creation targeting system state
- Execution of known credential extraction tools like Mimikatz or secretsdump
Detecting credential theft attempts provides earlier warning than waiting for forged ticket usage.
Deploy Behavioral Analytics
Establish authentication baselines for each user account based on normal resource access patterns, working hours, and network locations. Behavioral analytics platforms identify deviations from these baselines, such as a user suddenly authenticating to sensitive systems outside their job function or accessing resources from unfamiliar network segments. These anomalies often indicate Golden Ticket usage even when individual authentication events appear legitimate.
Correlate Endpoint and Identity Telemetry
Effective detection requires correlating data across endpoint, identity, and network sources. Connect LSASS memory access events on domain controllers with subsequent Kerberos authentication anomalies to identify the credential theft-to-ticket-forgery sequence. Identity security platforms can automate this correlation and alert on attack chain progression.
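To make the correlation rules described here and under Indicators of a Golden Ticket Attack concrete, the following is an added example (not code from the original page or from SentinelOne's products) that runs simple detection rules over a few constructed 4768/4769 records: RC4 ticket encryption in an AES-only domain, source IPs and services outside a per-user baseline, and, going one step beyond the text, a service ticket request (4769) for an account that received no TGT (4768) or renewal (4770) from any domain controller within the TGT lifetime. The baselines, event field values, and host names are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC; 0x11/0x12 are AES128/AES256

# Constructed per-user baselines; in practice these are learned from history.
BASELINE = {
    "alice": {"ips": {"10.1.5.20"}, "services": {"cifs/fs01", "http/intranet"}},
    "bob": {"ips": {"10.1.7.31"}, "services": {"cifs/fs01"}},
}

# Constructed events carrying the 4768/4769 fields the rules need. Events from
# every domain controller must be merged, because any DC may issue the TGT.
SAMPLE_EVENTS = [
    {"EventID": 4768, "Time": "2024-05-01T08:01:00", "TargetUserName": "alice",
     "IpAddress": "10.1.5.20", "TicketEncryptionType": 0x12, "ServiceName": "krbtgt"},
    {"EventID": 4769, "Time": "2024-05-01T08:02:10", "TargetUserName": "alice",
     "IpAddress": "10.1.5.20", "TicketEncryptionType": 0x12, "ServiceName": "cifs/fs01"},
    # bob obtained no TGT from any DC in the window, yet a service ticket for a
    # domain controller service is requested with RC4 from an unfamiliar host.
    {"EventID": 4769, "Time": "2024-05-01T23:40:00", "TargetUserName": "bob",
     "IpAddress": "10.9.9.9", "TicketEncryptionType": RC4_HMAC, "ServiceName": "ldap/dc01"},
]


def _when(event):
    return datetime.fromisoformat(event["Time"])


def detect(events, baseline, aes_only=True, tgt_window=timedelta(hours=10)):
    """Apply the correlation rules and return (rule, user, detail) findings.

    tgt_window is the maximum TGT lifetime (10 hours by default in AD); a 4770
    renewal extends the window just as a 4768 issuance starts it.
    """
    findings = []
    last_tgt = {}  # user -> time of the latest 4768/4770 seen on any DC
    for ev in sorted(events, key=_when):
        user, ip = ev["TargetUserName"], ev["IpAddress"]
        now = _when(ev)
        if ev["EventID"] in (4768, 4770):
            last_tgt[user] = now
        if aes_only and ev["TicketEncryptionType"] == RC4_HMAC:
            findings.append(("rc4_in_aes_only_domain", user, ev["ServiceName"]))
        base = baseline.get(user)
        if base and ip not in base["ips"]:
            findings.append(("source_ip_outside_baseline", user, ip))
        if ev["EventID"] == 4769:
            if base and ev["ServiceName"] not in base["services"]:
                findings.append(("service_outside_baseline", user, ev["ServiceName"]))
            seen = last_tgt.get(user)
            if seen is None or now - seen > tgt_window:
                # No DC issued this account a TGT, so the TGT it presented came
                # from elsewhere. This rule needs complete logs from every DC;
                # a gap in collection would otherwise look like forgery.
                findings.append(("tgs_without_recent_tgt", user, ev["ServiceName"]))
    return findings


def rules_per_user(findings):
    """Group findings so an account that trips several rules stands out."""
    grouped = defaultdict(set)
    for rule, user, _detail in findings:
        grouped[user].add(rule)
    return dict(grouped)


if __name__ == "__main__":
    for user, rules in rules_per_user(detect(SAMPLE_EVENTS, BASELINE)).items():
        print(user, sorted(rules))
```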
Detection capabilities inform your prevention and response strategies.
How to Prevent and Mitigate Golden Ticket Attacks
Preventing Golden Ticket attacks requires protecting the KRBTGT account, hardening domain controller access, and implementing controls that limit adversary movement even after credential compromise.
Implement Regular KRBTGT Password Rotation
Establish a scheduled KRBTGT password reset protocol. Because Active Directory maintains both current and previous password hashes for backward compatibility, you must reset the KRBTGT password twice to fully invalidate any existing Golden Tickets. Schedule these resets at intervals appropriate for your risk tolerance, with many organizations performing quarterly rotations.
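To illustrate why the KDC accepts a forged ticket (see Core Components above) and why the KRBTGT password must be reset twice, here is a simplified model added as an example; it is not code from the page or from Microsoft and it is not real Kerberos. A ticket is a JSON payload plus an HMAC tag under the KRBTGT key, and the toy KDC, like a Windows KDC that keeps the current and previous KRBTGT password, accepts a tag made under either key. The key derivation, ticket format, and account names are constructed for the illustration.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)  # fixed clock for reproducibility


def derive_key(password: str) -> bytes:
    """Stand-in for the KRBTGT long-term key (real AD derives Kerberos keys differently)."""
    return hashlib.sha256(password.encode()).digest()


def seal(payload: dict, key: bytes) -> dict:
    """Produce a toy ticket: canonical JSON body plus an HMAC tag under `key`."""
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class ToyKdc:
    """Accepts tickets sealed with the current OR the previous key, like a Windows KDC."""

    def __init__(self, password: str):
        self.current = derive_key(password)
        self.previous = None  # AD retains the previous KRBTGT key for backward compatibility

    def reset_password(self, new_password: str) -> None:
        self.previous, self.current = self.current, derive_key(new_password)

    def issue_tgt(self, user: str, groups: list, now: datetime) -> dict:
        payload = {"user": user, "groups": groups,
                   "expires": (now + timedelta(hours=10)).isoformat()}
        return seal(payload, self.current)

    def validate(self, ticket: dict, now: datetime):
        """Return the ticket's authorization data if the tag verifies and it is unexpired.

        The KDC checks only the tag and the expiry; whatever groups the body
        claims are trusted, which is why a ticket sealed with the key is accepted.
        """
        body = ticket["body"].encode()
        for key in (self.current, self.previous):
            if key is None:
                continue
            expected = hmac.new(key, body, hashlib.sha256).hexdigest()
            if hmac.compare_digest(expected, ticket["tag"]):
                payload = json.loads(ticket["body"])
                if datetime.fromisoformat(payload["expires"]) > now:
                    return payload
                return None
        return None


def acceptance_across_resets() -> list:
    """Is a ticket sealed with a leaked copy of the original key still accepted
    before any reset, after one reset, and after two resets?"""
    kdc = ToyKdc("krbtgt-initial")
    leaked = kdc.current  # the copy an attacker would hold after hash extraction
    ticket = seal({"user": "svc-backup", "groups": ["Domain Admins"],
                   "expires": (NOW + timedelta(days=3650)).isoformat()}, leaked)
    results = [kdc.validate(ticket, NOW) is not None]
    kdc.reset_password("krbtgt-rotated-once")
    results.append(kdc.validate(ticket, NOW) is not None)  # previous key still matches
    kdc.reset_password("krbtgt-rotated-twice")
    results.append(kdc.validate(ticket, NOW) is not None)  # neither key matches
    return results  # [True, True, False]


def legitimate_tgt_survives_one_reset() -> bool:
    """Why the previous key is kept: tickets issued just before a reset keep working."""
    kdc = ToyKdc("krbtgt-initial")
    tgt = kdc.issue_tgt("alice", ["Domain Users"], NOW)
    kdc.reset_password("krbtgt-rotated-once")
    return kdc.validate(tgt, NOW + timedelta(minutes=5)) is not None


if __name__ == "__main__":
    print("accepted before / after one / after two resets:", acceptance_across_resets())
    print("legitimate TGT still valid after one reset:", legitimate_tgt_survives_one_reset())
```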
Harden Domain Controller Access
Restrict administrative access to domain controllers through privileged access workstations and jump servers with session monitoring. Implement network segmentation that limits which systems can communicate directly with domain controllers. Deploy endpoint detection and response solutions on domain controllers to monitor for credential extraction tools and suspicious process activity targeting LSASS or NTDS.dit.
Enforce Credential Hygiene
Separate privileged and non-privileged accounts for administrators. Domain Admin credentials should never be used on standard workstations where credential theft is more likely. Implement time-limited administrative access that automatically expires, reducing the window for credential extraction.
Disable Legacy Authentication Protocols
Disable RC4 encryption for Kerberos authentication and enforce AES encryption across your domain. This creates a high-fidelity detection signal when attackers use older tools that default to RC4 for ticket forgery. Review and disable other legacy protocols like NTLM where possible to reduce the overall attack surface for credential theft.
Deploy Deception Technology
Deception-based defenses create fake credential caches and honey accounts that attract adversaries during reconnaissance. When attackers interact with these decoys, you receive immediate alerts about active compromise attempts. This approach identifies credential theft activity before adversaries reach the KRBTGT hash.
Prepare Incident Response Playbooks
Document and rehearse Golden Ticket incident response procedures. Your playbook should include the twice-reset KRBTGT protocol, steps to revoke all existing Kerberos tickets, procedures for resetting privileged account credentials, and forensic analysis guidelines for identifying initial compromise vectors. Fast execution of these procedures limits adversary persistence.
These preventive controls work alongside detection capabilities to reduce Golden Ticket risk across your environment.
Why Understanding Golden Ticket Mechanics Matters
Security teams who understand Golden Ticket attack mechanics can shift their monitoring strategy from signature-based detection to behavioral analytics. Signature-based tools fail because forged tickets are cryptographically valid. Behavioral analytics identify anomalous Kerberos authentication patterns such as unusual TGT requests, service ticket operations from unexpected IP addresses, and tickets with abnormal validity periods.
This understanding also improves incident response readiness. Your playbooks should include the twice-reset protocol for KRBTGT passwords, forensic analysis procedures for LSASS memory dumps and NTDS.dit extraction, and containment strategies for domain-wide access scenarios.
The attack's prerequisites also create detection windows for your security team.
Golden Ticket Attack Limitations
Adversaries must obtain the KRBTGT account password hash before executing a Golden Ticket attack, which creates detection opportunities for defenders.
- Domain Controller Access Requirement: Adversaries must first compromise domain controllers or equivalent privileged systems to extract KRBTGT hashes. This creates a detection window during the credential access phase. Monitor for unusual domain controller access attempts, LSASS process manipulation, and NTDS.dit database access patterns.
- Cryptographic Anomaly Indicators: Forged tickets frequently exhibit identifiable characteristics. RC4 encryption usage in environments that have disabled RC4 represents a high-confidence signal. You can also detect tickets with excessively long validity periods, missing PAC data structures, and authentication events from unexpected IP addresses.
- Post-Compromise Classification: Golden Tickets function as post-exploitation techniques within multi-stage attack chains. Adversaries gain no value from ticket forging without first establishing network access, conducting reconnaissance, achieving privilege escalation, and extracting the KRBTGT hash. Your defense-in-depth strategy should focus on preventing the initial compromise sequence rather than exclusively monitoring for Golden Ticket usage after deployment.
Despite these constraints, security teams frequently make errors that weaken their defenses.
Common Mistakes in Defending against Golden Ticket Attacks
Security teams make four common errors when defending against Golden Ticket attacks.
- Single KRBTGT Password Reset: You reset the KRBTGT password once and assume existing Golden Tickets are invalidated. Active Directory maintains both current and previous password hashes. Single resets leave the previous hash valid, so adversaries' forged tickets continue functioning. You must reset the KRBTGT password twice to fully invalidate forged tickets.
- Signature-Based Detection Reliance: You deploy signature-based security controls expecting to detect Golden Ticket attacks through pattern matching. Your security tools cannot cryptographically distinguish forged tickets from legitimate tickets when both are encrypted with valid KRBTGT keys. You need behavioral analytics that monitor for anomalous Kerberos patterns instead.
- Insufficient Event Log Retention: You maintain insufficient Windows Security Event log retention and miss the extended investigation timeline required for Golden Ticket forensics. Adversaries may wait between KRBTGT hash extraction and active exploitation. Security teams need extended log retention to correlate initial compromise with subsequent ticket usage.
- Ignoring Prerequisite Attack Phases: You focus exclusively on identifying Golden Ticket usage while ignoring the credential theft phase that must occur first. CISA Advisory AA23-250a documents APT actors performing LSASS memory dumps before obtaining administrative access. Detect the credential extraction phase by monitoring for unusual LSASS process interactions and execution of known credential extraction tools.
Avoiding these mistakes requires implementing evidence-based security controls.
Best Practices for Protecting against Golden Ticket Attacks
Defending against Golden Ticket attacks requires implementing security controls centered on KRBTGT account management, Kerberos authentication monitoring, and rapid incident response.
- Reset the KRBTGT Account Password Twice: Establish regular KRBTGT password reset schedules following the twice-reset protocol. Active Directory maintains both current and previous KRBTGT password hashes for backward compatibility, so a single reset leaves existing Golden Tickets valid. Only the second reset fully invalidates all forged tickets.
- Configure SIEM for Kerberos Monitoring: Configure Security Information and Event Management (SIEM) systems to monitor Windows Event IDs 4768, 4769, 4770, and 4771 for anomalous patterns. Your monitoring should flag:
  - RC4 encryption usage in AES-only environments
  - Tickets with abnormal validity periods
  - Authentication events from unexpected IP addresses
  - Service requests inconsistent with user role baselines
  Correlate anomalous file access with unusual Kerberos service ticket requests. Identity security platforms like Singularity Identity detect credential theft and privilege escalation attempts in real time, alerting when adversaries target Active Directory infrastructure.
- Protect Domain Controller Access: Implement privileged access management controls restricting domain controller administrative access to dedicated jump boxes with session monitoring. Deploy endpoint detection and response (EDR) solutions on domain controllers to monitor for credential dumping tools.
- Deploy Behavioral Analytics: Deploy analytics that identify attempts to forge or replay Kerberos tickets by monitoring for anomalous authentication sequences. Singularity XDR automates this correlation, connecting authentication anomalies with endpoint events to reconstruct Golden Ticket attack chains.
- Maintain Extended Log Retention: Extend Windows Security Event log retention to enable forensic investigation of complete attack chains. Centralize Kerberos authentication logs in your SIEM platform with correlation rules for authentication anomalies.
Implementing these controls manually requires significant resources. Security platforms can automate much of this work.
Stop Golden Ticket Attacks with SentinelOne
SentinelOne's Singularity™ Platform provides the behavioral analytics and autonomous correlation needed to identify Golden Ticket attacks across your environment.
Singularity™ XDR demonstrated 88% fewer alerts than the median across all vendors in the 2024 MITRE ATT&CK Evaluations while achieving 100% detection accuracy. This enables your security team to focus on real threats rather than investigating false positives. The platform's Storyline technology reconstructs attack chains with machine-speed response, connecting LSASS memory access events with subsequent Kerberos authentication anomalies to identify the credential theft-to-ticket-forging sequence.
Singularity™ Identity defends across hybrid environments: both Active Directory and cloud identity providers, including Entra ID, Okta, Ping, SecureAuth, and Duo. The platform detects credential theft attempts, blocks lateral movement, and uses deception technology to misdirect attackers away from AD infrastructure while generating telemetry for investigation.
Purple AI accelerates threat hunting with natural language queries and AI-powered analysis. When investigating potential Golden Ticket activity, Purple AI correlates authentication indicators across multiple events, reducing false positives while accelerating investigations.
SentinelOne Wayfinder Managed Detection and Response is a 24/7/365 managed service with in-house expert analysts who add human context to automated detections. Their analysts can do forensic deep dives and carry out effective incident response. MDR Elite gives you integrated incident readiness and prepares you for high-pressure moments. You get access to IRR retainers and on-demand DFIR experts.
SentinelOne Singularity™ Network Discovery performs network discovery and identifies rogue devices on your networks. It identifies, isolates, and contains threats after discovery and prevents lateral movement. Network Discovery can discover unmanaged devices and isolate them with one click. It also monitors how unknown devices communicate with managed hosts. You can build policies and toggle between them, even for subnets.
SentinelOne Cloud Workload Security protects cloud instances (AWS, Azure, Google Cloud) and Kubernetes containers - critical for defending against Golden Ticket attacks that may extend to cloud environments via domain-joined hybrid infrastructures.
SentinelOne's behavioral AI engines (static and runtime) can stop credential theft and detect abnormal authentication patterns before any ticket forgery occurs, thus stopping attacks early in the kill chain.
Request a SentinelOne demo to see how these capabilities stop Golden Ticket attacks in your environment.
FAQs
A Golden Ticket attack is a post-exploitation technique targeting Active Directory environments where adversaries forge Kerberos Ticket-Granting Tickets (TGTs) using stolen KRBTGT account password hashes.
These forged tickets grant domain-wide access at any privilege level and remain valid until you reset the KRBTGT password twice. Adversaries can authenticate as any user, access any resource, and maintain persistent access for months or years without triggering standard security alerts.
Security teams who understand Golden Ticket attack mechanics can shift their monitoring strategy from signature-based detection to behavioral analytics. Signature-based tools fail because forged tickets are cryptographically valid. Behavioral analytics identify anomalous Kerberos authentication patterns such as unusual TGT requests, service ticket operations from unexpected IP addresses, and tickets with abnormal validity periods.
This understanding also improves incident response readiness, informing playbooks for the twice-reset KRBTGT protocol, forensic analysis procedures, and containment strategies for domain-wide access scenarios.
MITRE ATT&CK documents several tools adversaries use for Golden Ticket attacks. Mimikatz is the most widely documented, capable of both KRBTGT extraction and ticket forgery through its kerberos::golden module.
Rubeus offers a C# implementation with better evasion of security controls. Impacket provides a Python-based toolkit including ticketer.py for TGT generation. Sliver is a command-and-control framework with built-in Kerberos ticket manipulation capabilities.
Adversaries extract the KRBTGT password hash through two primary methods. The first targets the NTDS.dit database file on domain controllers, which stores all Active Directory credentials. Tools like ntdsutil, secretsdump, or volume shadow copy enable offline extraction from this database.
The second method targets LSASS process memory on domain controllers, where credential material exists in cleartext or easily reversible formats.
Both methods require administrative access to domain controllers or equivalent privileged systems, which means adversaries must first achieve privilege escalation before executing Golden Ticket attacks.
Golden Tickets remain valid until you reset the KRBTGT password twice on all domain controllers. Adversaries typically configure extended validity periods when forging tickets; actual lifetime depends on your KRBTGT password rotation schedule.
Golden Tickets forge TGTs using the KRBTGT account hash, granting domain-wide access to all resources. Silver Tickets forge service tickets using individual service account hashes, limiting access to specific services like file shares or SQL databases.
Golden Tickets require domain controller compromise to extract the KRBTGT hash. Silver Tickets only require compromising the target service account.
Multi-factor authentication (MFA) cannot prevent Golden Ticket attacks because forged tickets bypass the initial authentication phase entirely. MFA protects against initial compromise attempts but provides no defense once adversaries have extracted the KRBTGT hash.
Focus instead on monitoring for the prerequisite credential theft phase: unusual LSASS process access, NTDS.dit extraction attempts, and execution of credential dumping tools.
Monitor Event IDs 4768, 4769, and 4770 for RC4 encryption in AES environments, abnormal validity periods, inconsistent service ticket requests, and unexpected IP addresses. Deploy behavioral analytics establishing normal authentication baselines for each user; deviations trigger high-priority alerts requiring immediate investigation.
Immediately reset the KRBTGT password twice on all domain controllers to invalidate existing Golden Tickets. Then revoke existing Kerberos tickets by restarting KDC services, conduct forensic investigation of initial compromise vectors, reset all privileged account passwords, and rebuild compromised domain controllers from clean backups.
Golden Ticket attacks bypass security controls because forged tickets are cryptographically identical to legitimate tickets. Your domain controllers validate tickets by checking the KRBTGT encryption signature.
When adversaries forge tickets using the actual KRBTGT hash, the verification passes. No signature-based tool can distinguish between authentic and forged tickets.