| Golden Ticket | krbtgt hash or AES key and domain SID | Forged TGT | ticketer.py, Rubeus | Domain authentication as arbitrary user | Rotate krbtgt twice and purge tickets |
| Diamond Ticket | Legitimate TGT plus krbtgt key | Modified valid-looking TGT | Rubeus | Forged PAC inside a real TGT flow | Rotate krbtgt, investigate source account |
| Golden Certificate | CA private key | Forged certificate | certipy, Certify, Rubeus | PKINIT or Schannel auth as arbitrary principal | Rebuild or rotate CA trust, revoke where possible |
| Golden SAML | ADFS token-signing key | Forged SAML token | ADFSpoof | Federated access as arbitrary user | Rotate ADFS token-signing certs and review relying parties |
| Shadow Credentials | Write access to msDS-KeyCredentialLink | Public key credential link | certipy, pyWhisker | PKINIT as target account | Remove exact key credential blob |
| DCSync rights | WriteDACL or equivalent on domain root | Replication rights ACEs | PowerView, bloodyAD | Dump domain secrets later as low-privileged account | Remove replication ACEs and rotate exposed secrets |
| AdminSDHolder | WriteDACL on AdminSDHolder | Protected ACL template | PowerView | ACE propagates to protected admins | Restore AdminSDHolder ACL and protected object ACLs |
| GPO persistence | Control of GPO or GPO link | GPO files and AD GPO object | pyGPOAbuse, PowerShell | Code or group membership on linked machines | Remove GPO changes, unlink or delete GPO |
| SIDHistory | DA-level or migration-level control | sIDHistory attribute | mimikatz, migration tooling | Hidden authorization through old privileged SID | Remove SIDHistory and audit migration process |
| DSRM | DC local admin or DA on DC | DSRM password and logon behavior | ntdsutil, registry | Local DC admin authentication path | Reset DSRM password and disable network logon |
| Skeleton Key | Code execution as SYSTEM on DC | LSASS memory patch | mimikatz | Master password works for domain users until reboot | Reboot DCs, investigate LSASS compromise |