Kerberos Golden Tickets: What They Are, How They Work, and How to Detect Them
- May 3

Kerberos is a central authentication protocol in Active Directory. When a user logs in, the domain issues a Ticket Granting Ticket, often called a TGT. That ticket is later used to request access to services such as file shares, databases, and internal applications.
A Golden Ticket attack abuses this process. Instead of requesting a legitimate TGT from the domain, an attacker forges one. If the attacker has compromised the Kerberos signing material associated with the KRBTGT account, they may be able to create tickets that domain services accept as valid.
This is why Kerberos Golden Tickets are considered a serious post-compromise technique. They normally require deep access first, such as compromise of a domain controller or equivalent credential material. Once that level of access is reached, the attacker may be able to impersonate privileged users and maintain persistence across the domain.
Attack Flow at a High Level
A Golden Ticket scenario usually follows this pattern:
1. The attacker compromises a highly privileged system.
2. They obtain sensitive Kerberos-related secrets from the domain.
3. They create a forged TGT for a chosen user identity.
4. They load that forged ticket into a logon session.
5. They use it to request service tickets and access domain resources.
I’m intentionally keeping this section non-operational. In a real environment, these steps can lead to domain-wide compromise.
Assistance for Investigation
Check Kerberos tickets currently loaded in your session:
klist
Clear Kerberos tickets from the current session:
klist purge
Review recent Kerberos TGT requests on a domain controller:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768 } -MaxEvents 100
Review Kerberos service ticket requests:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4769 } -MaxEvents 100
Review failed Kerberos pre-authentication events:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771 } -MaxEvents 100
Look for successful logons that may involve privileged accounts:
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 100 | Select-Object TimeCreated, Id, ProviderName, Message
Check domain admin membership:
Get-ADGroupMember "Domain Admins"
Check the KRBTGT account metadata:
Get-ADUser krbtgt -Properties PasswordLastSet, Enabled, LastLogonDate
Detection Ideas
Golden Ticket activity can be difficult to detect because forged tickets may appear valid. Still, defenders can look for warning signs such as unusual ticket lifetimes, privileged activity from unexpected hosts, mismatched user behavior, strange service ticket requests, and authentication patterns that do not match normal business activity.
Important Windows events include:
4768 - Kerberos authentication ticket requested
4769 - Kerberos service ticket requested
4770 - Kerberos service ticket renewed
4771 - Kerberos pre-authentication failed
4624 - Successful logon
4672 - Special privileges assigned to new logon
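One way to turn the "strange service ticket requests" idea above into a check, added here as an example rather than code from the original post: a forged TGT is never issued by a domain controller, so an account that shows up in 4769 service-ticket requests without any successful 4768 TGT request is worth a closer look. The function names and the sample records are constructed for this illustration; the event field names (TargetUserName, IpAddress, ServiceName, Status) are the ones Windows writes into 4768 and 4769.

```powershell
function ConvertFrom-KerberosEvent {
    # Reduce a Security-log 4768/4769 record to the fields the check needs.
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Id       = $Event.Id
            Time     = $Event.TimeCreated
            # 4769 writes user@REALM; 4768 writes the bare name. Normalise both.
            Account  = ($data['TargetUserName'] -split '@')[0].ToLower()
            ClientIp = $data['IpAddress'] -replace '^::ffff:', ''
            Service  = $data['ServiceName']
            Status   = $data['Status']
        }
    }
}

function Find-ServiceTicketsWithoutTgt {
    # Return 4769 records whose account never received a successful TGT
    # (4768 with Status 0x0) anywhere in the supplied set. Feed it events
    # from every DC and a window longer than the maximum TGT lifetime,
    # or legitimate tickets issued elsewhere/earlier will be flagged too.
    param([Parameter(Mandatory)] $Records)
    $tgtAccounts = $Records |
        Where-Object { $_.Id -eq 4768 -and $_.Status -eq '0x0' } |
        ForEach-Object { $_.Account } | Sort-Object -Unique
    $Records |
        Where-Object { $_.Id -eq 4769 -and $tgtAccounts -notcontains $_.Account } |
        Sort-Object Time
}

# Constructed sample records (not real log data): alice has a normal TGT
# request followed by a service-ticket request; 'admin-svc' requests a
# service ticket although this DC never issued it a TGT.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Id=4768; Time=$now.AddMinutes(-30); Account='alice';     ClientIp='10.0.0.15'; Service='krbtgt';    Status='0x0' }
    [pscustomobject]@{ Id=4769; Time=$now.AddMinutes(-29); Account='alice';     ClientIp='10.0.0.15'; Service='cifs/fs01'; Status='0x0' }
    [pscustomobject]@{ Id=4769; Time=$now.AddMinutes(-5);  Account='admin-svc'; ClientIp='10.0.0.77'; Service='cifs/dc01'; Status='0x0' }
)
Find-ServiceTicketsWithoutTgt -Records $sample | Format-Table Time, Account, ClientIp, Service

# On a domain controller, replace the sample with live events:
# $live = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4768,4769; StartTime=(Get-Date).AddHours(-24) } |
#         ConvertFrom-KerberosEvent
# Find-ServiceTicketsWithoutTgt -Records $live
```

A hit is a lead, not a verdict: confirm against the other domain controllers' logs and the account's normal hosts before escalating.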
Remediation
If Golden Ticket activity is suspected, treat it as a major Active Directory compromise. Investigate domain controllers, review privileged account activity, isolate suspicious systems, and rotate exposed credentials.
A common remediation step is rotating the KRBTGT password twice, with proper timing between resets. This should be planned carefully because doing it incorrectly can disrupt authentication across the domain.
Key Takeaway
Golden Tickets show why Active Directory identity infrastructure must be protected like critical infrastructure. Once Kerberos trust material is compromised, an attacker may be able to create their own authentication tokens. Strong domain controller protection, privileged access controls, monitoring, and tested incident response procedures are essential.
