Golden Ticket

How to detect and mitigate Golden Ticket attacks

By obtaining the password hash for the KRBTGT account, the most powerful service account in Active Directory (AD), an attacker is able to get unlimited and virtually undetectable access to any system connected to AD.

Golden Tickets are very difficult to detect. The parameters the attacker can use to generate a Golden Ticket do not have to be real. The User account name and the Relative ID (RID) of the account can be real or fake, depending on what the attacker is looking to accomplish. When configuring the groups the impersonated account will belong to, Mimikatz includes the Domain Admin group by default. As a result, the ticket will be created with maximum privileges.

    Request A Free Trial

    Stealthbits’ Golden Ticket Solution

    Stealthbits’ products provide a multitude of ways to detect and mitigate the Golden Ticket attack.

    Detect Golden Ticket Attack

    Detection of Golden Ticket is possible by inspecting Kerberos ticket requests where the TGT lifespan values are above the allowed ranges.


    Golden Ticket Forged Lifetime Detection


    Monitor for Kerberos tickets issued with values for the Maximum Lifetime for User Monitor for Kerberos tickets issued with values for the Maximum Lifetime for User Ticket and Maximum Lifetime for User Ticket Renewal values are above the values allowed in the domain policy. This will detect the majority of golden tickets, but if any users create golden tickets that are within the allowed lifespan those will not be detected. However, that largely defeats the purpose of the golden ticket to have non-expiring administrative access to the domain.



    Mitigate Golden Ticket Attack

    Creating a golden ticket requires information such as the KRBTGT account hash, which is only accessible to privileged accounts. The best mitigations to golden tickets involve restricting administrative rights to Active Directory as much as possible.


    Reduce Domain Administrative Rights


    Review membership of privileged domain groups (e.g. Domain Admins, Enterprise Admins, Server Operators) and remove unnecessary members.



    Secure Active Directory Permissions


    Review the following Active Directory permission applied at the domain level:

    • Replicating Directory Changes
    • Replicating Directory Changes All

    These rights provide attackers the ability to obtain the krbtgt hash using the DCSync technique. Remove any unnecessary permissions.


    Seeing is believing.


    © 2022 Stealthbits Technologies, Inc.