A golden ticket is a TGT forged using krbtgt’s password hash (the KDC secret key). Golden tickets are very long-lasting since krbtgt’s hash doesn’t change automatically by default. Golden tickets can be forged to impersonate any chosen user or service; they can also claim that a regular user is a domain admin without altering group membership.
Golden tickets could be detected
It is possible to detect golden tickets by looking for a ticket used for TGS-REQ that has no matching AS-REQ. To avoid this detection, generate a diamond ticket instead.
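The correlation described above, sketched as an added example (not from the original page): it flags service ticket requests (Windows Security event 4769) that have no TGT request (event 4768) from the same account and client within the TGT lifetime. The record layout, the sample events and the 10-hour lifetime are assumptions made for illustration.

```python
from datetime import datetime, timedelta

AS_REQ, TGS_REQ = 4768, 4769  # Security event IDs: TGT requested / service ticket requested

def _key(ev):
    # 4769 commonly logs "user@REALM" and IPv4-mapped addresses; normalise both
    # so they line up with the matching 4768 record.
    user = ev["account"].split("@")[0].lower()
    ip = ev["client_ip"]
    if ip.startswith("::ffff:"):
        ip = ip[len("::ffff:"):]
    return user, ip

def orphan_tgs_requests(events, tgt_lifetime=timedelta(hours=10)):
    """Return 4769 events with no 4768 for the same (account, client) within tgt_lifetime."""
    last_as = {}   # (user, ip) -> time of the most recent AS-REQ
    orphans = []
    for ev in sorted(events, key=lambda e: e["time"]):
        k = _key(ev)
        if ev["event_id"] == AS_REQ:
            last_as[k] = ev["time"]
        elif ev["event_id"] == TGS_REQ:
            seen = last_as.get(k)
            # Never saw a TGT issued, or the only one seen has outlived its lifetime.
            if seen is None or ev["time"] - seen > tgt_lifetime:
                orphans.append(ev)
    return orphans

def _ev(ts, event_id, account, client_ip):
    # Hypothetical flattened record; real events carry many more fields.
    return {"time": datetime.fromisoformat(ts), "event_id": event_id,
            "account": account, "client_ip": client_ip}

# Constructed sample events (not real log data).
SAMPLE = [
    _ev("2024-05-01T08:00:00", AS_REQ, "alice", "10.0.0.5"),
    _ev("2024-05-01T08:00:02", TGS_REQ, "alice@CORP.EXAMPLE", "::ffff:10.0.0.5"),
    _ev("2024-05-01T09:30:00", TGS_REQ, "Administrator@CORP.EXAMPLE", "::ffff:10.0.0.77"),
    _ev("2024-05-01T19:00:00", TGS_REQ, "alice@CORP.EXAMPLE", "::ffff:10.0.0.5"),
]

if __name__ == "__main__":
    for hit in orphan_tgs_requests(SAMPLE):
        print(hit["time"].isoformat(), hit["account"], hit["client_ip"])
```

The AS-REQ and the TGS-REQ may be handled by different domain controllers, so the events have to be collected from all of them before correlating. Ticket renewals are not modelled here, so a legitimately renewed TGT shows up as a stale match and needs tuning.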
To create a golden ticket using Rubeus:
To use this ticket: