What is a golden ticket attack?
A golden ticket attack is a post-exploitation technique in which a threat actor gains near-unrestricted access to an organization’s domain by forging authentication tickets within Microsoft Active Directory (AD). This attack exploits weaknesses in the Kerberos authentication protocol, allowing an adversary to maintain persistent access and move laterally within the network without normal authentication checks.
As organizations continue shifting to cloud and hybrid environments, the attack surface has expanded beyond traditional perimeters. Identity-based attacks have increased, making it easier for adversaries to compromise privileged credentials and abuse Kerberos authentication. A golden ticket attack allows a threat actor to bypass normal security controls, evade detection, and maintain long-term access to critical systems.
The golden ticket attack maps to the MITRE ATT&CK framework under Persistence and Credential Access:
- T1558.001 – Steal or Forge Kerberos Tickets (Credential Access)
- T1098 – Account Manipulation (Persistence)
This attack enables long-term access by leveraging forged Kerberos Ticket Granting Tickets (TGTs) encrypted with the stolen key of the domain's KRBTGT account, effectively allowing an attacker to authenticate as any user, including domain administrators.
The history of golden ticket attacks
Golden ticket attacks are closely linked to Mimikatz, an open-source tool developed in 2011 to highlight security flaws in Windows authentication mechanisms. Mimikatz allows attackers to extract credentials, including password hashes, Kerberos tickets, and NTLM hashes, which are then used in pass-the-hash and ticket forging attacks.
The term "golden ticket" comes from its ability to provide near-unrestricted access to an organization’s Active Directory environment, similar to the fictional golden ticket in Charlie and the Chocolate Factory—except here, the prize is total control over an organization’s IT infrastructure.
How golden ticket attacks work
Kerberos authentication relies on a Key Distribution Center (KDC), which issues Ticket Granting Tickets (TGTs) for user authentication. Attackers abuse this process by forging valid Kerberos tickets.
Legitimate Kerberos authentication process
- A user logs in, and the Authentication Server (AS) issues a TGT if the credentials are valid.
- The TGT is presented to the Ticket Granting Server (TGS) for service access.
- The TGS verifies the TGT and issues a service ticket that grants the user access to specific resources.
Golden ticket attack execution
To execute a golden ticket attack, an attacker must already have domain administrator privileges to extract the KRBTGT account hash. The attack follows these steps:
1. Obtain domain information: The attacker gathers key details, including:
- Fully qualified domain name (FQDN)
- Domain security identifier (SID)
- KRBTGT account hash (critical for ticket forging)
2. Steal the KRBTGT hash: Once an attacker gains domain controller (DC) access, they extract the KRBTGT NTLM hash using tools like Mimikatz. This hash allows them to sign their own Kerberos tickets, bypassing authentication mechanisms.
3. Forge a Kerberos ticket: With the KRBTGT hash, attackers create a TGT with arbitrary permissions, effectively granting themselves domain admin access.
4. Persistent access: The forged TGT can be set to remain valid for years, enabling the attacker to:
- Access any system or service within the domain
- Create or modify user accounts
- Evade detection by appearing as a legitimate user
Unlike Pass-the-Hash or Pass-the-Ticket attacks, a golden ticket attack does not require re-authentication, making it significantly harder to detect.
How to detect golden ticket attacks
Detecting a golden ticket attack is challenging because the forged Kerberos tickets appear valid. However, security teams can look for anomalies in Kerberos authentication activity, including:
- TGTs with unusually long lifetimes: Attackers may set extended ticket lifespans to maintain access.
- TGTs issued for non-existent users: Forged tickets may contain usernames or SIDs that do not exist.
- Unusual Kerberos activity from privileged accounts: Especially if these accounts were not recently used.
- TGT reuse across multiple devices: Indicates potential ticket forgery or reuse by an attacker.
- Modification of the KRBTGT account: If KRBTGT is changed without explanation, it may indicate an attacker resetting their access.
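The indicators above, run over constructed Kerberos audit records, as an added example (not part of the original article and not any product's detection logic); the record layout, the `MAX_TGT_LIFETIME` policy value and the `KNOWN_ACCOUNTS` snapshot are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)            # assumed domain default policy
KNOWN_ACCOUNTS = {"alice", "bob", "svc_backup"}   # constructed directory snapshot

def _t(s):
    return datetime.fromisoformat(s)

# Constructed observations, as a cross-system pipeline might collect them:
#   "tgt_issued"      - KDC audit (Windows event 4768): the KDC issued a TGT
#   "service_request" - KDC audit (Windows event 4769): a TGT was presented
#   "ticket_cache"    - endpoint read of a cached TGT's validity window
OBSERVATIONS = [
    {"kind": "tgt_issued", "account": "alice", "host": "WS01", "time": "2024-05-01T08:00:00"},
    {"kind": "service_request", "account": "alice", "host": "WS01", "time": "2024-05-01T08:05:00"},
    {"kind": "ticket_cache", "account": "alice", "host": "WS01",
     "start": "2024-05-01T08:00:00", "end": "2024-05-01T18:00:00"},
    # forged tickets: presented to the KDC although it never issued them,
    # for an account the directory does not contain, from two hosts
    {"kind": "service_request", "account": "admin_x", "host": "WS07", "time": "2024-05-01T09:00:00"},
    {"kind": "service_request", "account": "admin_x", "host": "SRV02", "time": "2024-05-01T09:01:00"},
    {"kind": "ticket_cache", "account": "admin_x", "host": "WS07",
     "start": "2024-05-01T09:00:00", "end": "2034-05-01T09:00:00"},
]

def find_indicators(observations):
    """Return sorted (account, indicator) pairs for the anomalies listed above."""
    issued = defaultdict(set)     # account -> hosts the KDC issued a TGT to
    presented = defaultdict(set)  # account -> hosts a TGT was presented from
    findings = set()
    for o in observations:
        acct = o["account"]
        if acct not in KNOWN_ACCOUNTS:
            findings.add((acct, "ticket for account not in directory"))
        if o["kind"] == "tgt_issued":
            issued[acct].add(o["host"])
        elif o["kind"] == "service_request":
            presented[acct].add(o["host"])
        elif o["kind"] == "ticket_cache":
            if _t(o["end"]) - _t(o["start"]) > MAX_TGT_LIFETIME:
                findings.add((acct, "TGT lifetime exceeds domain policy"))
    # A genuine TGT is used from the host it was issued to; a forged one never
    # appears in the KDC's issuance audit at all, so every host is unexplained.
    for acct, hosts in presented.items():
        unexplained = sorted(hosts - issued[acct])
        if unexplained:
            findings.add((acct, "TGT presented from host(s) the KDC never issued one to: "
                          + ",".join(unexplained)))
    return sorted(findings)
```

In a live deployment the same three checks would be fed by 4768/4769 events from every domain controller plus endpoint ticket-cache telemetry, with the account list taken from the directory rather than hard-coded.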
Security Best Practice
Regularly rotate the KRBTGT password to invalidate previously stolen ticket hashes and prevent long-term persistence.
How XDR helps detect golden ticket attacks
While Extended Detection and Response (XDR) solutions provide cross-domain visibility, detecting golden ticket attacks requires specialized identity protection capabilities. XDR enhances detection by correlating Kerberos authentication events across systems, identifying abnormal authentication patterns linked to forged tickets, and leveraging behavioral analytics to detect lateral movement and privilege escalation. However, standalone XDR may not be sufficient to detect forged Kerberos tickets. Integrating Active Directory security monitoring with XDR and identity protection solutions significantly improves detection capabilities.
Tips to prevent golden ticket attacks
Since golden ticket attacks rely on post-exploitation access, organizations must focus on both preventing initial compromise and securing Active Directory (AD) to mitigate risk.
To secure Active Directory, organizations should implement Zero Trust principles, ensuring users are continuously verified and authenticated. Enforcing the Principle of Least Privilege (POLP) limits user access to only what is necessary, reducing the attack surface. Additionally, monitoring KRBTGT account activity for anomalies and regularly rotating the KRBTGT password can prevent attackers from reusing stolen hashes.
Preventing credential theft is equally critical. Organizations should train employees to recognize phishing attacks, as social engineering is a common entry point for adversaries. Implementing strong IT hygiene practices, such as regular password rotations and strict authentication policies, further strengthens security. Enforcing multi-factor authentication (MFA) for privileged accounts adds another layer of protection, making it more difficult for attackers to leverage stolen credentials.
Finally, proactive threat hunting plays a crucial role in detecting hidden attacks. Security teams should monitor for abnormal Kerberos ticket activity, use behavioral analytics to identify identity-based anomalies, and deploy real-time identity protection tools. Solutions like CrowdStrike Falcon Adversary OverWatch provide continuous monitoring and response, helping organizations disrupt golden ticket attacks before they escalate.
Securing the attack surface with CrowdStrike
A golden ticket attack is one of the most powerful techniques attackers use to maintain persistent access to an enterprise environment. Because it exploits a fundamental weakness in Kerberos authentication, prevention requires a multi-layered security approach, combining identity protection, strong AD security, behavioral detection, and proactive threat hunting.
Unify detection and response across your security stack with CrowdStrike Falcon® XDR™ and Falcon® Identity Protection to detect and mitigate advanced identity-based threats.