SOC Analyst Perspective - Golden Ticket Attack

Jul 17, 2025

What is a Golden Ticket Attack?

Keeping it simple: a Golden Ticket Attack is when an attacker obtains the secret key of the krbtgt account, "the ticket master" in Active Directory. Tickets here means the TGT (Ticket-Granting Ticket) and the TGS (Ticket-Granting Service ticket, also called a service ticket). In Kerberos the TGT is encrypted with the krbtgt account's key, and the PAC inside it (the part that lists the user's group memberships) is signed with that same key. For RC4 that key is simply the krbtgt NT hash; for AES it is derived from the krbtgt password. Once an attacker holds that key, they can forge their own TGT, claiming to be any account in the environment with any group membership they like, so think Domain Admins.

Let's walk through this.

How to Perform Golden Ticket Attack

Key words: krbtgt, tickets, hashes

Here is where I am at mentally:

- Who can get at the krbtgt account's key?

- Where can I find the hash of this krbtgt account?

Any domain user can request a TGT. It comes back encrypted (and its PAC signed) with the krbtgt's key (again, derived from the krbtgt's password hash).

Encrypting and signing the TGT happens at the KDC (Key Distribution Center). The krbtgt key used in that process is known only to the KDC, which in practice means the domain controllers.

Small interlude: I won't get too deep into how the TGT gets created as I still need to do more research, but understand that a TGT is handled differently from a TGS. A service ticket is encrypted with the key of the service account it is issued for, which is why a Kerberoasted TGS can be cracked offline against that account's password. A TGT is encrypted with the krbtgt key, and the krbtgt password is a long, automatically generated value that no human ever types, so cracking it from a captured TGT is not a realistic path. The hash of the krbtgt account is simply not exposed the way a service account's is. That's about all I've got in terms of understanding.

So anyway, the KDC of a domain is located at the domain controller.

So the only way to get this hash is to go to where the process happens: the domain controller.
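To make the "whoever holds the krbtgt key can forge a ticket" point concrete, here is an added example that is not part of the original post. It is a simplified model, not the Kerberos wire format: tickets are JSON bodies tagged with HMAC-SHA256 under the krbtgt key instead of being encrypted, and the KDC class, the well-known group RIDs used as claims, and the key rotation are all assumptions made for the demo. What it shows is the trust relationship itself: the KDC believes whatever claims it can validate with its key and checks nothing else, and because a domain controller keeps honouring the previous krbtgt key, the forged ticket survives one krbtgt password reset and is only rejected after the second.

```python
"""Toy model of why possessing the krbtgt key equals ticket forgery.

Simplification (not the real Kerberos wire format): a TGT here is a JSON body plus an
HMAC-SHA256 tag under the krbtgt key. Real TGTs are encrypted with the krbtgt key and
carry PAC signatures, but the trust relationship is the same: the KDC believes any
ticket it can validate with that key, and verifies nothing else about the claims.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import List, Optional

DOMAIN_ADMINS_RID = 512       # well-known RID of the Domain Admins group
ENTERPRISE_ADMINS_RID = 519   # well-known RID of the Enterprise Admins group


class KDC:
    """Minimal KDC stand-in: issues tickets and validates them with the krbtgt key.

    Like a real domain controller it accepts tickets under the current *and* the
    previous krbtgt key, which is why one krbtgt reset does not evict forged tickets.
    """

    def __init__(self) -> None:
        self.current_key = secrets.token_bytes(32)   # assumption: random 256-bit key
        self.previous_key: Optional[bytes] = None

    @staticmethod
    def _tag(key: bytes, body: bytes) -> str:
        return hmac.new(key, body, hashlib.sha256).hexdigest()

    def issue_tgt(self, user: str, group_rids: List[int], lifetime_s: int = 10 * 3600) -> dict:
        """AS-REQ/AS-REP stand-in: the KDC fills in the claims from the directory."""
        body = json.dumps({"user": user, "groups": group_rids,
                           "expires": int(time.time()) + lifetime_s}, sort_keys=True)
        return {"body": body, "tag": self._tag(self.current_key, body.encode())}

    def validate_tgt(self, ticket: dict) -> Optional[dict]:
        """TGS-REQ stand-in: returns the claims if the ticket verifies, else None."""
        body = ticket["body"].encode()
        for key in (self.current_key, self.previous_key):
            if key is not None and hmac.compare_digest(self._tag(key, body), ticket["tag"]):
                claims = json.loads(body)
                if claims["expires"] > time.time():
                    return claims
        return None

    def rotate_krbtgt(self) -> None:
        """Model of resetting the krbtgt password: the old key becomes 'previous'."""
        self.previous_key = self.current_key
        self.current_key = secrets.token_bytes(32)


def forge_golden_ticket(stolen_krbtgt_key: bytes, user: str, group_rids: List[int],
                        lifetime_s: int = 10 * 365 * 24 * 3600) -> dict:
    """Attacker side: with the krbtgt key, mint any claims the KDC will believe.

    The attacker picks the user, the groups and the lifetime (ten years here); none of
    it is checked against the directory, because the key is the only proof the KDC has.
    """
    body = json.dumps({"user": user, "groups": group_rids,
                       "expires": int(time.time()) + lifetime_s}, sort_keys=True)
    tag = hmac.new(stolen_krbtgt_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def demo() -> dict:
    """Forge a ticket with a 'stolen' key and watch it survive one reset but not two."""
    kdc = KDC()
    stolen = kdc.current_key   # simulates dumping the krbtgt key from the DC
    golden = forge_golden_ticket(stolen, "Administrator",
                                 [DOMAIN_ADMINS_RID, ENTERPRISE_ADMINS_RID])
    results = {"forged_accepted": kdc.validate_tgt(golden) is not None}
    kdc.rotate_krbtgt()        # first reset: the previous key is still honoured
    results["after_one_reset"] = kdc.validate_tgt(golden) is not None
    kdc.rotate_krbtgt()        # second reset: the stolen key is finally gone
    results["after_two_resets"] = kdc.validate_tgt(golden) is not None
    return results


if __name__ == "__main__":
    print(demo())
```

The practical takeaway is the double reset: after a confirmed krbtgt compromise the password has to be reset twice, with enough time between resets for replication, or forged tickets keep working under the previous key.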

Who can get at the domain controller's secrets?

Domain Admins, or anyone who has been given equivalent rights, such as local administrator on the DC, membership in Backup Operators, or an account allowed to replicate directory changes (the right that DCSync abuses).

Where does the hash of the krbtgt account live?

After some Googling, we found the krbtgt's password hash lives in two places on a domain controller: the ntds.dit database on disk (where it is encrypted with a key that is itself protected by the SYSTEM registry hive, so an attacker needs both files) and the memory of the LSASS process on the DC.

Let's just focus on this ntds.dit file.

ntds.dit is the Active Directory database itself: every object in the domain, and the password hashes of every account, krbtgt included. Attempts to access these credentials are listed as a technique in the MITRE ATT&CK framework, and I highly suggest bookmarking it. See [OS Credential Dumping: NTDS](https://attack.mitre.org/techniques/T1003/003/).

So we finally have a plan:

Who I need to Compromise + Where I Need to Go

This blog post is getting a little long so I'll go ahead and wrap it up.

Lesson of the day: as a SOC analyst, you need to know the who, what, why and where behind activity before you start diving into an alert.
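Turning the who/what/where above into something a SOC can actually run, here is an added example that is not part of the original post. It hunts for the two stages of the plan over Windows Security events: command lines associated with lifting ntds.dit (event 4688, process creation) and service ticket requests (4769) from an account and client that never asked the DC for a TGT (4768), which is what a forged TGT injected straight into a client's cache looks like from the KDC side. The events are constructed sample data, the field names are assumptions rather than any product's schema, and the RC4 (0x17) flag assumes a domain that has moved to AES so that RC4 is abnormal.

```python
"""Hunting for ntds.dit extraction and golden ticket use over Security events.

Added example for this post. The event records below are constructed, with assumed
field names approximating what a SIEM normalises from event IDs 4688 (process
creation), 4768 (TGT request) and 4769 (service ticket request).
"""
import re
from typing import Dict, List

# Assumption: the domain enforces AES for Kerberos, so RC4 (0x17) stands out.
RC4_ETYPE = "0x17"

# Command lines associated with lifting ntds.dit (MITRE ATT&CK T1003.003).
NTDS_THEFT_PATTERNS = [
    re.compile(r"ntdsutil(\.exe)?\b.*\bifm\b", re.I),      # ntdsutil "ac i ntds" ifm ...
    re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I),  # shadow copy to read locked file
    re.compile(r"ntds\.dit", re.I),                         # direct copy out of a shadow copy
]

# Constructed sample events, assumed to be in time order (not real log data).
EVENTS: List[Dict] = [
    {"id": 4688, "host": "DC01", "user": "CORP\\backupsvc",
     "cmd": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\ifm" q q'},
    {"id": 4688, "host": "WS07", "user": "CORP\\alice", "cmd": "notepad.exe C:\\notes.txt"},
    {"id": 4768, "host": "DC01", "user": "alice", "client_ip": "10.0.0.7", "etype": "0x12"},
    {"id": 4769, "host": "DC01", "user": "alice", "client_ip": "10.0.0.7",
     "service": "cifs/fs01", "etype": "0x12"},
    # Administrator never requested a TGT from this DC, yet asks for service tickets with RC4.
    {"id": 4769, "host": "DC01", "user": "Administrator", "client_ip": "10.0.0.42",
     "service": "cifs/dc01", "etype": RC4_ETYPE},
    {"id": 4769, "host": "DC01", "user": "Administrator", "client_ip": "10.0.0.42",
     "service": "ldap/dc01", "etype": RC4_ETYPE},
]


def detect_ntds_theft(events: List[Dict]) -> List[Dict]:
    """Flag process-creation events whose command line matches ntds.dit extraction."""
    hits = []
    for ev in events:
        if ev["id"] != 4688:
            continue
        if any(p.search(ev["cmd"]) for p in NTDS_THEFT_PATTERNS):
            hits.append({"rule": "ntds_dit_extraction", "host": ev["host"],
                         "user": ev["user"], "cmd": ev["cmd"]})
    return hits


def detect_tgs_without_tgt(events: List[Dict]) -> List[Dict]:
    """Flag 4769s for (account, client IP) pairs with no earlier 4768 in the window.

    A forged TGT is injected into the client's ticket cache, so the KDC never sees an
    AS-REQ for it: service ticket requests show up with no TGT request before them.
    The RC4 flag is a secondary signal and only means something where AES is the norm.
    """
    seen_tgt = set()
    hits = []
    for ev in events:
        key = (ev.get("user"), ev.get("client_ip"))
        if ev["id"] == 4768:
            seen_tgt.add(key)
        elif ev["id"] == 4769 and key not in seen_tgt:
            hits.append({"rule": "tgs_without_tgt", "user": ev["user"],
                         "client_ip": ev["client_ip"], "service": ev["service"],
                         "rc4": ev.get("etype") == RC4_ETYPE})
    return hits


def run_all(events: List[Dict]) -> List[Dict]:
    """Run both rules and return every hit."""
    return detect_ntds_theft(events) + detect_tgs_without_tgt(events)


if __name__ == "__main__":
    for hit in run_all(EVENTS):
        print(hit)
```

Two caveats a practitioner should keep in mind before paging anyone on the second rule: a legitimate TGT lives for ten hours by default and may have been issued by a different domain controller, so the 4768 you are looking for can sit outside your search window or on another DC's log. Feed the rule events from every DC and a window longer than the TGT lifetime, and treat a hit as a lead to pivot on, not as proof on its own.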
