10 years
Maximum ticket lifetime a Golden Ticket can be set to: Mimikatz defaults to 10 years, making expired-ticket detection one of the most reliable Golden Ticket signals
krbtgt
Account whose NTLM hash is used to sign Golden Tickets: obtaining this hash via DCSync or LSASS dumping from a DC enables unlimited domain persistence
4769
Event ID for Kerberos service ticket requests: Golden Ticket use generates characteristic patterns: high-value service tickets without a corresponding TGT request (4768)
Double rotation
Required krbtgt password rotation procedure: two rotations with 10-hour gap (max ticket lifetime) to invalidate all existing Golden Tickets

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

The krbtgt account is the cryptographic root of Kerberos trust in Active Directory: every TGT in the domain is signed with its NTLM hash. An attacker who obtains the krbtgt hash (via DCSync, or LSASS dumping directly on a domain controller) can forge TGTs offline that are indistinguishable from legitimate ones to any domain controller.

Golden Tickets are often used for long-term persistence: the attacker uses them weeks or months after initial compromise, after the initial access vector has been closed. The krbtgt hash is also rarely rotated in most organizations, meaning a Golden Ticket signed a year ago may still be valid today.

What Golden Ticket Use Looks Like

Creating a Golden Ticket with Mimikatz:

# On any domain machine: does NOT require domain admin, just the krbtgt hash
mimikatz# kerberos::purge  # Clear existing tickets
mimikatz# kerberos::golden \
  /domain:corp.local \
  /sid:S-1-5-21-1234567890-1234567890-1234567890 \
  /krbtgt:9b3e7d8a5c2f4e1b6d0a8c3f7e2b4d9a \
  /user:FakeAdminUser \
  /groups:512,518,519,520 \
  /ticket:golden.kirbi \
  /endin:87600 \
  /renewmax:87600
  # /endin:87600 = 10 years in minutes
mimikatz# kerberos::ptt golden.kirbi  # Pass the ticket into memory

# Now any Kerberos-authenticated resource is accessible as FakeAdminUser
dir \\dc01\c$  # Works: domain controller accepted the forged ticket

Key anomalies in a forged ticket:

  • User may not exist in AD (or was deleted)
  • Ticket lifetime: 87600 minutes (10 years) vs domain default of 10 hours
  • Ticket is presented without a corresponding Event ID 4768 (TGT request) on any DC: the ticket was created offline, not issued by a DC
  • The From field in Event 4769 shows the attacker's machine, but no 4768 with a matching logon ID exists on any DC
  • Domain SID in the ticket matches but the user RID may be unusual (non-existent, special values)

Detection: Event Log Anomalies

Anomaly 1: Service ticket (4769) without TGT request (4768)

Legitimate Kerberos flow: a client requests a TGT (Event 4768 on DC), then uses the TGT to request service tickets (Event 4769). With a Golden Ticket, the TGT exists only in memory: no 4768 was generated. When the attacker uses the Golden Ticket to request a service ticket, only 4769 appears with no corresponding 4768.

// Sentinel KQL: 4769 without preceding 4768 for same account and logon session
let serviceTickets = SecurityEvent
| where EventID == 4769
| where TicketEncryptionType != "0x17"  // Filter out Kerberoasting
| project ST_Time = TimeGenerated, ST_Account = TargetUserName,
    ST_IP = IpAddress, ST_LogonGuid = trim_end("}",trim_start("{",tostring(LogonGuid))),
    ServiceName;
let tgtRequests = SecurityEvent
| where EventID == 4768
| project TGT_Time = TimeGenerated, TGT_Account = TargetUserName,
    TGT_IP = IpAddress, TGT_LogonGuid = trim_end("}",trim_start("{",tostring(TicketOptions)));
serviceTickets
| join kind=leftanti tgtRequests on $left.ST_Account == $right.TGT_Account
| where ST_Time > ago(1h)  // No TGT for this account in the last hour
| where ST_Account !endswith "$"  // Exclude machine accounts
| sort by ST_Time desc

Anomaly 2: Ticket lifetime exceeding domain Kerberos policy

Domain Kerberos policy (Default Domain Policy) sets maximum ticket lifetimes: typically 10 hours for TGTs and 600 minutes for service tickets. Golden Tickets often exceed these:

# Check your domain's Kerberos policy
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxTicketAge, MaxServiceAge, MaxRenewAge
# MaxTicketAge: 10 hours (default)
# MaxServiceAge: 600 minutes (default)
# MaxRenewAge: 7 days (default)

# Microsoft Defender for Identity raises an alert automatically for:
# - TGT lifetime > domain MaxTicketAge
# - TGT presented with account not in AD
# - Renewal requests for tickets older than MaxRenewAge

Anomaly 3: Access using accounts that do not exist

One evasion technique is using a real username but with modified group memberships in the ticket. Another is using a deleted account name. Both generate detectable patterns:

// Detect authentication from accounts not currently in AD
SecurityEvent
| where EventID == 4769
| where TimeGenerated > ago(24h)
| where TargetUserName !endswith "$"
// Cross-reference against HR/AD user list from UEBA or Azure AD export
// Any account in events but not in the current user list is suspicious
| join kind=leftanti (
    IdentityInfo | where TimeGenerated > ago(1d)
    | summarize by AccountUPN
) on $left.TargetUserName == $right.AccountUPN
| sort by TimeGenerated desc

Microsoft Defender for Identity (MDI): built-in Golden Ticket detection:

If you have MDI deployed, it automatically detects:

  • Kerberos Golden Ticket activity
  • Overpass-the-Hash
  • Skeleton Key malware
  • Abnormal resource access based on machine learning

MDI alert name: "Kerberos Golden Ticket activity": triggers when anomalous Kerberos ticket patterns match known attack signatures.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Mitigation: Double-Rotating the krbtgt Password

Any existing Golden Ticket becomes invalid after the krbtgt password is rotated: because the old hash can no longer sign new service ticket requests. However, existing TGTs in memory remain valid until they expire (up to 10 years for attacker-created ones), so the rotation must happen twice with a gap equal to the maximum ticket lifetime to invalidate everything.

Double-rotation procedure:

# Use Microsoft's New-KrbtgtKeys.ps1 script
# Download: https://github.com/microsoft/New-KrbtgtKeys.ps1

# Step 1: Mode 1: simulation (shows what would happen)
.\New-KrbtgtKeys.ps1 -Mode 1

# Step 2: Mode 2: reset on a single DC (for testing)
.\New-KrbtgtKeys.ps1 -Mode 2

# WAIT: the maximum ticket lifetime (default: 10 hours)
# This ensures all legitimate TGTs issued with the first hash expire
# During this window, users may be prompted to re-authenticate

# Step 3: Mode 2 again: second rotation
.\New-KrbtgtKeys.ps1 -Mode 2
# After the second rotation, all Golden Tickets signed with the original hash are invalid

Impact of krbtgt rotation:

  • Users with cached Kerberos tickets will be prompted to re-authenticate
  • Services using Kerberos authentication may briefly fail until their tickets renew
  • Plan the rotation for low-activity windows and communicate to the helpdesk
  • Some services (especially those with long ticket lifetimes configured) may need manual restart

Preventing krbtgt compromise:

# Limit who can access domain controllers (primary krbtgt compromise vector)
# Only Domain Admins should log into DCs: enforce via GPO
# Computer Configuration > Windows Settings > Security Settings >
# User Rights Assignment > Allow log on locally: Domain Admins only
# User Rights Assignment > Allow log on through Remote Desktop Services: Domain Admins only

# Monitor krbtgt password last-set date: should be rotated at least annually
(Get-ADUser krbtgt -Properties PasswordLastSet).PasswordLastSet
# If > 365 days: schedule a double-rotation during maintenance

The bottom line

Golden Ticket detection focuses on Kerberos ticket anomalies: Event 4769 service ticket requests without a corresponding 4768 TGT request, ticket lifetimes exceeding domain policy (Mimikatz defaults to 10 years), and authentication using accounts not present in AD. Microsoft Defender for Identity provides built-in Golden Ticket detection. Prevention requires protecting the krbtgt hash by restricting DC access to Domain Admins only; response requires double-rotating krbtgt with a 10-hour gap between rotations to invalidate all existing forged tickets.

Frequently asked questions

How do you detect a Golden Ticket attack?

Monitor for Kerberos anomalies: Event ID 4769 (service ticket request) without a preceding Event 4768 (TGT request) for the same account, Kerberos tickets with lifetimes exceeding your domain's MaxTicketAge policy (default 10 hours), and authentication attempts using accounts that do not exist in Active Directory. Microsoft Defender for Identity automatically detects Golden Ticket patterns using behavioral analysis.

How do you invalidate a Golden Ticket?

Rotate the krbtgt account password twice, with a gap between rotations equal to the maximum Kerberos ticket lifetime (default 10 hours). The first rotation makes the old hash invalid for signing new service tickets; the second rotation expires any TGTs issued with the first rotated hash. Use Microsoft's New-KrbtgtKeys.ps1 script for the procedure. Expect brief user re-authentication prompts and potential service disruptions during the window.

What is the difference between a Golden Ticket and a Silver Ticket attack?

A Golden Ticket forges a Kerberos TGT (Ticket-Granting Ticket) using the krbtgt account hash, granting the ability to request service tickets for any service in the domain. It requires the krbtgt hash (obtained via DCSync or NTDS.dit extraction) and provides domain-wide access. A Silver Ticket forges a service ticket (TGS) for a specific service using that service account's hash — bypassing the domain controller entirely. Silver Tickets are harder to detect because they never touch a domain controller (no TGT issuance logged at Event ID 4768), but they are limited to the specific service whose account hash was used.

How do you detect a Golden Ticket attack in event logs?

Golden Ticket detection is difficult because forged TGTs appear legitimate. Detection signals: Event ID 4769 (service ticket request) with no preceding Event ID 4768 (TGT request) for the same account from the same IP — a Golden Ticket uses a pre-forged TGT so no TGT request is needed; Event ID 4769 with ticket encryption type 0x17 (RC4-HMAC) where modern environments should use AES (0x12); mismatched domain names in Kerberos tickets; and ticket lifetimes exceeding the domain maximum (attackers often set 10-year ticket lifetimes). Microsoft Advanced Threat Analytics (ATA) and Microsoft Defender for Identity have specific detections for Golden Ticket usage patterns.

How do you prevent Golden Ticket attacks?

Golden Ticket prevention requires protecting the krbtgt hash. Measures: deploy Microsoft Defender for Identity (detects DCSync and NTDS.dit extraction attempts in real time); restrict domain controller access so only authorized administrators can reach DCs on the network (tier 0 isolation); audit all accounts with 'Replicating Directory Changes All' permission quarterly (DCSync-capable accounts); enable Defender for Identity protections on all domain controllers; and rotate the krbtgt password proactively once per year (not just after an incident). If DCSync activity is detected in your environment, assume the krbtgt hash is compromised and begin the two-rotation remediation immediately.

How do I verify that a krbtgt double-rotation actually invalidated existing Golden Tickets in my environment?

After completing both krbtgt password rotations separated by at least 10 hours, confirm invalidation by checking three things. First, verify the krbtgt PasswordLastSet attribute was updated twice: run 'Get-ADUser krbtgt -Properties PasswordLastSet, msDS-KeyVersionNumber' -- the msDS-KeyVersionNumber should have incremented twice from its pre-rotation value. Second, monitor for Kerberos errors 0x25 (KRB_AP_ERR_SKEW) and 0x18 (KDC_ERR_PREAUTH_FAILED) in the Security event log on domain controllers; these indicate that cached TGTs signed with the old key are being rejected. Third, if Defender for Identity is deployed, check the Golden Ticket alert status -- any previously active Golden Ticket sessions using the old krbtgt key will fail to renew after expiration and will generate authentication errors. After the second rotation, run 'klist purge' on administrative workstations and verify that re-authentication successfully issues new TGTs signed with the current krbtgt key version. A residual Golden Ticket from before the rotation will fail when it attempts to request a new service ticket because the KDC will not accept a TGT encrypted with a key that is now two versions old.

Sources & references

  1. MITRE ATT&CK T1558.001: Golden Ticket
  2. Microsoft: Detecting and Mitigating Golden Ticket Attacks
  3. Sean Metcalf: Kerberos Golden Ticket Detection

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.