H3-2025-0052
Golden Ticket
| Category | SECURITY_CONTROLS |
| Base Score | 7.0 |
Description
NodeZero successfully obtained a golden ticket using the credential of a domain administrator. A golden ticket is a forged Kerberos ticket-granting ticket (TGT) that allows an attacker to impersonate any user in the domain, including domain administrators. This is typically achieved by compromising a domain controller and obtaining the secret key for the Kerberos service account (krbtgt). Once an attacker has a golden ticket, they can access any resource in the domain without needing to authenticate again.
Impact
A golden ticket can be used to achieve long-term persistence in a compromised environment. It can also be used to escalate privileges by compromising other domains in the same forest, because there is no expectation of a security boundary between domains in a forest.
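A detection heuristic that follows from the description above, as an added example (not NodeZero or Horizon3 code): a forged TGT is never issued by the KDC, so domain controllers record service ticket requests (event 4769) with no matching TGT issuance (event 4768) or renewal (event 4770) for that account and client. The dictionary field names and the sample records are constructed for illustration, and the 10-hour window assumes the default Kerberos policy.

```python
from datetime import datetime, timedelta

# Default "Maximum lifetime for user ticket" in the AD Kerberos policy (assumed unchanged).
DEFAULT_TGT_LIFETIME = timedelta(hours=10)
TGT_EVENTS = {4768, 4770}   # TGT issued by the KDC / ticket renewed
TGS_EVENT = 4769            # service ticket requested


def _key(event):
    """Normalise account and client address so 4768 and 4769 records match."""
    account = event["account"].split("@")[0].lower()   # 4769 logs user@REALM
    client = event["client"].removeprefix("::ffff:")   # IPv4-mapped IPv6 form
    return account, client


def tgs_without_tgt(events, lifetime=DEFAULT_TGT_LIFETIME):
    """Return 4769 events that have no KDC-issued TGT for the same account
    and client within the preceding ticket lifetime."""
    last_tgt = {}      # (account, client) -> time of most recent 4768/4770
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = _key(ev)
        if ev["event_id"] in TGT_EVENTS:
            last_tgt[key] = ev["time"]
        elif ev["event_id"] == TGS_EVENT:
            issued = last_tgt.get(key)
            if issued is None or ev["time"] - issued > lifetime:
                findings.append(ev)
    return findings


def _ev(ts, event_id, account, client, service=None):
    # Hypothetical record shape for already-parsed DC Security log entries.
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "account": account, "client": client, "service": service}


# Constructed sample records (not real logs).
SAMPLE = [
    _ev("2025-01-10T08:00:00", 4768, "alice", "::ffff:10.0.0.5"),
    _ev("2025-01-10T08:00:05", 4769, "alice@CORP.EXAMPLE", "::ffff:10.0.0.5", "cifs/fs01"),
    _ev("2025-01-10T09:30:00", 4769, "Administrator@CORP.EXAMPLE", "::ffff:10.0.0.77", "cifs/dc01"),
    _ev("2025-01-10T19:00:00", 4769, "alice@CORP.EXAMPLE", "::ffff:10.0.0.5", "http/app01"),
]

if __name__ == "__main__":
    for hit in tgs_without_tgt(SAMPLE):
        print(hit["time"], hit["account"], hit["client"], hit["service"])
```

The result is only meaningful when events from every domain controller are aggregated first; a missing log source or a shortened retention window produces the same pattern as a forged ticket.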