> For the complete documentation index, see [llms.txt](https://dmcxblue.gitbook.io/red-team-notes-2-0/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dmcxblue.gitbook.io/red-team-notes-2-0/active-directory/active-directory-attacks/golden-tickets.md). # Golden Tickets The KRBTGT Account, every Active Directory Domain Controller is responsible for handling Kerberos Ticket requests, which are used to authenticate users and grant them access to computers and applications. The KRBTGT account is used to encrypt and sign all Kerberos tickets within a domain, and a domain controllers use the account password to decrypt Kerberos tickets for validation. This account password never changes, and the account name is the same in every domain, so it's a well-known target for attackers. **What's the risk?** Once an attacker compromises the KRBTGT account they can create forged Kerberos tickets (TGTs) which can be used to request TGS tickets for any service on any computer in the domain. But remember the hardest part of this attack is you need Administrator Access to the DC (Domain Controller), these attacks are hard to detect because they are valid TGTs. For Demo purposes we have the KRBTGT Hash and a Shell with the user Mgarcia, if we enumerate the DC Directory we don't have access. ![](/files/-MWuKTt9ie5HdsurK_4R) Now let us use the binary form of mimikatz as there is no way that I am familiar with that this technique will work straight from Covenant I move to a local CMD (you can also use RDP if available and probably PSRemoting), we will first need the SID of the User and the KRBTGT hash ![](/files/-MWuKUhlTWl0s5O5k5XW) We will copy everything but the last 4 digits as they identify the user and we want to replace that with a 500 SID user. In our previous attack DCSync we grabbed the KRBTGT hash so we can skip this, as the user had DCSync permissions it was easy to grab without compromising the DC. And now we will use the command for mimikatz to grab and pass the ticket onto our current session. ![](/files/-MWuKVfYUntEbvU6LCRe) Once we execute the command successfully, we can enumerate the C Drive from the DC. ![](/files/-MWuKWbciGUC_Cf45WEt) As you can see now with the KRBTGT Account's NTLM Hash we can forge ticket to any user or create our own and give them the highest privileges on the Domain, this is a great method for persistence --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter: ``` GET https://dmcxblue.gitbook.io/red-team-notes-2-0/active-directory/active-directory-attacks/golden-tickets.md?ask=&goal= ``` `ask` is the immediate question: it should be specific, self-contained, and written in natural language. `goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.