Golden Ticket attacks forge Kerberos tickets using the KRBTGT key, providing persistent total Active Directory compromise that survives password resets.
How Golden Ticket Attacks Work
Kerberos is the authentication protocol that powers Active Directory. Every domain controller runs the Key Distribution Center (KDC) service, which issues authentication tickets that users and services present to access resources across the domain. The protocol depends on a single cryptographic secret: the password hash of the KRBTGT account, which signs every ticket-granting ticket (TGT) the KDC issues. If an attacker obtains the KRBTGT hash, they can forge Kerberos tickets — valid for any user, any service, any resource, with any expiration the attacker chooses.
The Attack Sequence
The Golden Ticket attack requires three prerequisites: the KRBTGT NTLM hash, the domain's SID (security identifier), and the domain's fully qualified name. The domain SID and FQDN are not secret and are easily obtained from any authenticated account on the domain. The KRBTGT hash is the hard part — it requires either Domain Admin privileges or access to a domain controller's NTDS.DIT database, both of which are typically achieved only after substantial earlier compromise.
Once the attacker has these three values, they use a tool like Mimikatz or Rubeus to forge a Kerberos TGT for any account name they choose, claiming arbitrary group memberships (Domain Admins, Enterprise Admins, Schema Admins) and any expiration up to ten years. The KDC will accept this forged ticket and issue service tickets that the attacker can use to access any resource on the domain. The forged ticket does not require any communication with the KDC to create — it is generated entirely offline by the attacker.
Persistence Across Password Resets
The most insidious property of a successful Golden Ticket attack is that it persists across password resets of compromised user accounts. Even if every user account in the domain has its password reset, the attacker's forged TGT remains valid because it is signed by the KRBTGT key. Standard incident response procedures that reset compromised account passwords do not remediate Golden Ticket persistence. The only complete remediation is rotating the KRBTGT account password twice (the protocol caches the previous password, so a single rotation does not invalidate forged tickets immediately).
Why Golden Ticket Attacks Are an Executive Risk
Total Domain Compromise
A successful Golden Ticket attack provides total Active Directory compromise. The attacker can authenticate as any user, access any resource, and remain inside the environment indefinitely. The detection challenge is severe — the forged tickets are cryptographically valid by the same mechanism legitimate tickets use, and the attacker can choose timestamps and metadata to mimic normal authentication patterns. Without specific detection engineering focused on the Kerberos protocol layer, Golden Ticket activity blends invisibly into normal AD operations.
The Persistence Problem
The persistence model is unique among AD-related attacks. Most compromise patterns can be remediated by resetting compromised credentials, deactivating compromised accounts, and forcing re-authentication. Golden Ticket persistence requires KRBTGT password rotation, which is operationally disruptive (it forces every active Kerberos ticket in the domain to be reissued) and which most organizations have never performed outside an incident context. Many domains today have KRBTGT passwords that have not been changed since the domain was created — sometimes 10 or 15 years.
The Attack Frequency
Golden Ticket attacks are not theoretical. They are routine post-exploitation actions taken by mature threat actors who have achieved Domain Admin access during ransomware deployment, espionage operations, or extended access campaigns. The Microsoft DART team, Mandiant, and CrowdStrike incident response teams all report Golden Ticket usage in a substantial fraction of incidents involving AD compromise.
How to Defend Against Golden Ticket Attacks
Protect the KRBTGT Hash
The KRBTGT hash is the cryptographic root of trust for the entire AD domain. Protecting it means protecting domain controllers from compromise and ensuring that no privileged account has unnecessary access to NTDS.DIT or to the memory of domain controller processes. The standard recommendation is to rotate the KRBTGT password every six months in normal operations — a discipline most organizations have not implemented. Microsoft provides a script (New-KrbtgtKeys.ps1) that performs the rotation with the appropriate cadence between the two resets so that tickets issued under the old key expire without breaking legitimate sessions.
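The two rotation points made above (the six-month cadence, and the fact that a forged TGT survives a single reset because the KDC still honours the previous key) can be turned into a simple hygiene check. The Python below is an added example, not Cloudskope's code and not New-KrbtgtKeys.ps1: it converts the krbtgt account's pwdLastSet attribute (a Windows FILETIME) into a date, reports whether rotation is overdue or appears never to have happened, and gates the second reset on replication having converged and the default 10-hour maximum TGT lifetime having elapsed. The FILETIME values, the domain creation time, and the 180-day policy are constructed for the example.

```python
"""KRBTGT rotation hygiene checks (added example; constructed values, not
Cloudskope's or Microsoft's code)."""
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet as a Windows FILETIME: the number of
# 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Policy values assumed for this example.
ROTATION_INTERVAL = timedelta(days=180)   # "every six months"
MAX_TGT_LIFETIME = timedelta(hours=10)    # default maximum TGT lifetime


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer (as read from pwdLastSet) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def krbtgt_rotation_status(pwd_last_set: int, domain_created: datetime, now: datetime) -> dict:
    """Report how stale the KRBTGT key is and whether it looks untouched since domain creation."""
    last = filetime_to_datetime(pwd_last_set)
    age = now - last
    return {
        "last_rotation": last,
        "age_days": age.days,
        "overdue": age > ROTATION_INTERVAL,
        # Heuristic: a pwdLastSet within a few minutes of the domain's whenCreated
        # means nobody has rotated the key since the domain was built.
        "never_rotated": abs(last - domain_created) < timedelta(minutes=5),
    }


def second_reset_allowed(first_reset: datetime, now: datetime, replication_converged: bool) -> bool:
    """The KDC still honours tickets under the previous key, so the key must be
    reset twice to evict a forged TGT. Resetting again before the first change
    has replicated to every DC, or before tickets issued under the old key have
    expired, breaks legitimate sessions; wait out the maximum TGT lifetime."""
    return replication_converged and (now - first_reset) >= MAX_TGT_LIFETIME


if __name__ == "__main__":
    # Constructed: pwdLastSet equal to 2015-01-01T00:00:00Z, domain created 30 s later.
    PWD_LAST_SET = 130645440000000000
    created = datetime(2015, 1, 1, 0, 0, 30, tzinfo=timezone.utc)
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)
    print(krbtgt_rotation_status(PWD_LAST_SET, created, now))
    first = now
    print(second_reset_allowed(first, first + timedelta(hours=9), True))   # tickets under old key still live
    print(second_reset_allowed(first, first + timedelta(hours=10), True))
```

A pwdLastSet of 0 means "must change at next logon" rather than a real timestamp and should be treated as a separate finding; the function above assumes a populated value.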
Reduce Domain Admin Account Footprint
The Golden Ticket attack requires the attacker to have already achieved Domain Admin access or domain controller access. Reducing the number of accounts with these privileges, removing standing privilege through privileged access management (PAM) tooling, and implementing just-in-time elevation for administrative work all reduce the population of accounts whose compromise enables Golden Ticket forgery.
Microsoft Defender for Identity
Microsoft Defender for Identity (formerly Azure ATP) includes specific detection logic for Golden Ticket patterns — unusual TGT lifetimes, anomalous Kerberos encryption types, tickets used for unusual resource access, RID values that don't match expected patterns. For organizations running Active Directory, Defender for Identity is the primary cost-effective detection layer for this attack pattern. CrowdStrike Identity Protection, Vectra AI, and other identity-focused detection platforms provide similar capabilities.
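As an added illustration of the indicators listed above (this is not Cloudskope's code and not Defender for Identity's detection logic), the Python below runs four checks over a constructed set of Kerberos observations: a service-ticket request with no preceding TGT request (a forged TGT never touches the KDC to be created), an unexpected encryption type, a ticket lifetime beyond the domain maximum, and a PAC RID that does not match the directory. The record layout, domain SID, directory table and IP addresses are all assumed for the example; real sensors would correlate across every DC and a time window rather than over one list.

```python
"""Golden Ticket indicator checks over constructed Kerberos observations.
Added example, not Cloudskope's or Defender for Identity's logic."""

MAX_TGT_LIFETIME_HOURS = 10          # default domain policy, assumed here
RC4_HMAC = 0x17                      # etype that stands out in an AES-only domain
EXPECTED_ETYPES = {0x11, 0x12}       # AES128-CTS / AES256-CTS

# Constructed directory snapshot: sAMAccountName -> RID
DIRECTORY = {"alice": 1104, "svc-backup": 1200, "administrator": 500}

# Constructed observations. Fields mimic what a DC-side sensor could extract
# from 4768 (TGT requested) / 4769 (service ticket requested) plus the ticket's
# PAC; a plain 4769 event log entry does not carry the RID or lifetime itself.
OBSERVATIONS = [
    {"event": 4768, "user": "alice", "rid": 1104, "etype": 0x12,
     "lifetime_h": 10, "ip": "10.0.0.15"},
    {"event": 4769, "user": "alice", "rid": 1104, "etype": 0x12,
     "lifetime_h": 10, "ip": "10.0.0.15", "service": "cifs/fs01"},
    # Forged: no AS exchange, nonexistent account, RC4, ten-year lifetime
    {"event": 4769, "user": "sqladmin", "rid": 500, "etype": 0x17,
     "lifetime_h": 87600, "ip": "10.0.0.77", "service": "cifs/dc01"},
    # Forged: real account name carrying another principal's RID in the PAC
    {"event": 4769, "user": "svc-backup", "rid": 500, "etype": 0x12,
     "lifetime_h": 10, "ip": "10.0.0.77", "service": "ldap/dc01"},
]


def analyze(observations, directory=DIRECTORY):
    """Return one finding per suspicious service-ticket request with its reasons."""
    # Users for whom a TGT was actually issued by a KDC in this window.
    tgt_seen = {o["user"] for o in observations if o["event"] == 4768}
    findings = []
    for o in observations:
        if o["event"] != 4769:
            continue
        reasons = []
        if o["user"] not in tgt_seen:
            reasons.append("service ticket request without a preceding TGT request (AS-REQ) on any DC")
        if o["etype"] not in EXPECTED_ETYPES:
            label = "RC4-HMAC" if o["etype"] == RC4_HMAC else f"0x{o['etype']:x}"
            reasons.append(f"unexpected ticket encryption type {label}")
        if o["lifetime_h"] > MAX_TGT_LIFETIME_HOURS:
            reasons.append(f"ticket lifetime {o['lifetime_h']}h exceeds domain maximum {MAX_TGT_LIFETIME_HOURS}h")
        expected_rid = directory.get(o["user"])
        if expected_rid is None:
            reasons.append("account does not exist in the directory")
        elif expected_rid != o["rid"]:
            reasons.append(f"PAC RID {o['rid']} does not match directory RID {expected_rid}")
        if reasons:
            findings.append({"user": o["user"], "ip": o["ip"],
                             "service": o.get("service"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(OBSERVATIONS):
        print(f["user"], f["ip"], f["service"])
        for r in f["reasons"]:
            print("  -", r)
```

None of the four checks is conclusive on its own (a legacy service account may still use RC4, and a TGT can be issued by a DC whose log has not been collected), so the example reports reasons rather than a verdict and leaves the scoring to the analyst.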
Tier 0 Asset Protection
The architectural approach is treating domain controllers and the KRBTGT account as Tier 0 assets — the highest sensitivity tier, with management restricted to dedicated administrative workstations, isolated networks, hardware-key-protected administrative accounts, and continuous monitoring. The Microsoft Tier 0 / Tier 1 / Tier 2 administrative model is the operational pattern for AD-protected environments.
Related Reading
- What is Active Directory Security?
- What are Active Directory Audits?
- What is Kerberoasting? — the related Kerberos-protocol attack pattern
- What is Privileged Access Management (PAM)?
- What is Pass-the-Hash?
Stat callout (headline figure missing from the extracted page): maximum TGT lifetime an attacker can forge with a Golden Ticket, versus the 10 hours a legitimate TGT typically lives.
How Cloudskope Can Help
Cloudskope's Identity and Access Risk Management practice evaluates Active Directory security posture including KRBTGT rotation history, Tier 0 administrative model implementation, and Defender for Identity coverage. For organizations responding to confirmed AD compromise, our incident response engagements include KRBTGT rotation execution alongside the broader containment work.