What is a Golden Ticket Attack?

During a golden ticket attack, the attacker takes complete control over a specific domain. With unrestricted access to the domain, the attacker can reach every device associated with it and therefore controls its files, folders, and other documents.

How Does a Golden Ticket Attack Take Place?

A golden ticket attack forges Kerberos tickets by compromising the KRBTGT account, the Kerberos service account responsible for generating and validating tickets within Active Directory.

To accomplish a golden ticket attack, the attacker first needs privileges in Active Directory. The attacker then takes complete control over the domain’s Key Distribution Service account (the KRBTGT account) by hijacking its NTLM hash.

This enables the attacker to create Ticket Granting Tickets (TGTs) for all accounts in the Active Directory domain. With TGTs in place, the attacker can request access to any document or device on the domain from the Ticket Granting Service (TGS).

Because the attacker is now monitoring and issuing Ticket Granting Tickets (TGTs), they hold the golden ticket to access anything on that particular domain.
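
An added defensive example, not part of the original article: a forged TGT is never issued by the KDC, so the domain controllers log a service ticket request (Security event 4769) with no preceding TGT request (event 4768) for that account and client. The event dictionaries, their simplified field names, and the 10-hour ticket lifetime are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Assumption: the default AD "Maximum lifetime for user ticket" of 10 hours.
TGT_LIFETIME = timedelta(hours=10)

# Constructed sample events (not real logs), merged from all domain controllers.
# 4768 = TGT requested (AS exchange), 4769 = service ticket requested (TGS exchange).
# Field names are simplified, hypothetical stand-ins for the real event fields.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4768, "account": "alice",
     "client": "10.0.0.21"},
    {"time": "2024-05-01T08:00:05", "id": 4769, "account": "alice",
     "client": "10.0.0.21", "service": "cifs/fs01"},
    # No 4768 exists for this account/client pair: the TGT did not come from the KDC.
    {"time": "2024-05-01T09:30:00", "id": 4769, "account": "Administrator",
     "client": "10.0.0.57", "service": "cifs/dc01"},
    # Last 4768 was 11 hours earlier: the TGT outlived the domain policy.
    {"time": "2024-05-01T19:00:00", "id": 4769, "account": "alice",
     "client": "10.0.0.21", "service": "http/intranet"},
]


def find_orphan_tgs_requests(events, lifetime=TGT_LIFETIME):
    """Return 4769 events that have no 4768 for the same account and client
    inside the preceding TGT lifetime window."""
    last_tgt = {}  # (account, client) -> time of the most recent 4768
    orphans = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = (ev["account"].lower(), ev["client"])
        if ev["id"] == 4768:
            last_tgt[key] = when
        elif ev["id"] == 4769:
            issued = last_tgt.get(key)
            if issued is None or when - issued > lifetime:
                orphans.append(ev)
    return orphans


if __name__ == "__main__":
    for ev in find_orphan_tgs_requests(SAMPLE_EVENTS):
        print(ev["time"], ev["account"], ev["client"], ev["service"])
```

The events must be collected from every domain controller; a TGT issued by a controller missing from the data set shows up as a false positive.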