What Is a Golden Ticket?
A Golden Ticket is a Kerberos forgery attack that relies on stealing the secret associated with the KRBTGT account in Active Directory. Once that secret is obtained, an attacker can mint fake TGTs and maintain powerful, often long-lived access across the domain.
A Golden Ticket is a forged Kerberos ticket-granting ticket, or TGT, that an attacker can create after compromising a Windows Active Directory domain. In a successful Golden Ticket attack, the attacker forges trusted authentication artifacts and can impersonate users, including highly privileged ones, to access domain resources as if they were legitimately authenticated.
How a Golden Ticket works
Golden Ticket attacks are usually used after an attacker has already gained significant privileges inside an Active Directory environment.
Why Kerberos matters here
In a Windows domain, Kerberos is the authentication protocol used to verify identities and grant access to services. A key part of that process is the ticket-granting ticket, or TGT.
A legitimate flow looks roughly like this:
- A user authenticates to the domain.
- The domain controller issues a TGT.
- The user presents that TGT to request service tickets for systems and applications.
- Those service tickets allow access to resources without re-entering credentials each time.
The KRBTGT account is central to this process because its secret is used by domain controllers to sign and validate TGTs.
What attackers need
To create a Golden Ticket, an attacker typically needs:
- Administrative or equivalent access in the domain
- Access to a domain controller, directly or indirectly
- The password hash or secret material for the
KRBTGTaccount - Basic domain details, such as the domain name and security identifiers
This is why Golden Ticket activity is considered a high-severity indicator of domain compromise. An attacker does not reach this point by accident.
What the forged ticket does
Once the attacker has the KRBTGT secret, they can create a TGT offline and insert arbitrary details into it, such as:
- A chosen username
- Group memberships
- Privilege level
- Ticket lifetime, depending on conditions and configuration
Because the forged ticket is signed with the right secret, systems that trust the domain may accept it as valid. The attacker can then request service tickets and access resources while appearing to be an authorized user.
In practical terms, that can let them:
- Impersonate domain administrators
- Move laterally across servers and workstations
- Access file shares and applications
- Re-establish access after password changes to other accounts
- Maintain persistence inside the environment
Why Golden Tickets are so serious
The impact is high because the attack abuses a core trust mechanism in the domain.
If an attacker can forge valid Kerberos tickets, traditional actions like resetting one compromised account password may not be enough. The real issue is that the attacker can continue generating trusted authentication artifacts until the underlying KRBTGT exposure is addressed.
That makes Golden Ticket attacks dangerous for three main reasons.
They provide persistence
Even if defenders disable or reset other accounts, the attacker may still be able to create new forged tickets.
They enable privilege abuse
The forged ticket can represent a highly privileged identity, giving the attacker broad access to systems and services.
They signal deep compromise
Golden Ticket capability usually means the attacker has already reached the domain controller or an equivalent privileged position.
When you’ll encounter a Golden Ticket
Most organizations will not casually run into Golden Ticket discussions unless they work heavily with Windows enterprise environments, identity security, or incident response.
During Active Directory compromise investigations
Golden Ticket comes up when investigators suspect an attacker obtained domain-level privileges and may have accessed or dumped KRBTGT material. It is a classic concern in major enterprise intrusions.
In Kerberos-focused detections and threat hunting
Detection teams may look for suspicious Kerberos behavior, unusual ticket use, inconsistent account activity, or authentication artifacts that do not align with normal issuance patterns. While detection is not always straightforward, odd Kerberos activity is often a trigger for deeper review.
In ransomware and lateral movement cases
If a ransomware operator or intrusion set has had extensive access inside a Windows domain, responders may assess whether the attacker established persistence through forged tickets or related Kerberos abuse.
In Active Directory hardening and recovery planning
Golden Ticket is often discussed when teams review domain admin exposure, domain controller protections, credential hygiene, and recovery procedures. It is part of the broader conversation about what happens after identity infrastructure is compromised.
For a related concept in Windows identity environments, see what is active directory.
What response usually involves
If a Golden Ticket is suspected, the issue is bigger than a single host cleanup. Response typically includes:
- Confirming the scope of domain compromise
- Investigating domain controller access
- Reviewing privileged group membership and abuse
- Collecting and analyzing Kerberos-related evidence
- Resetting the
KRBTGTaccount properly, typically more than once and in a controlled sequence - Rotating other privileged credentials
- Revalidating trust in critical systems
Because KRBTGT rotation affects Kerberos behavior across the environment, it is usually handled carefully as part of a structured recovery effort.
If you are mapping the broader response process, read what is incident response.
How organizations reduce the risk
No single control eliminates the risk of Golden Ticket attacks, because they depend on earlier compromise. The goal is to make that deeper compromise harder and easier to detect.
Common defensive measures include:
- Restricting privileged access and domain admin usage
- Hardening domain controllers
- Monitoring for credential dumping and unusual Kerberos activity
- Using tiered administration
- Limiting lateral movement paths
- Rotating privileged credentials appropriately
- Investigating signs of persistence after major intrusions
For administrators handling many privileged accounts, a password manager like 1Password can support stronger credential hygiene, though it does not replace domain hardening or Kerberos monitoring.
Bottom line
A Golden Ticket is a forged Kerberos TGT created after deep Active Directory compromise. If an attacker has the KRBTGT secret, they can impersonate users and maintain trusted access across the domain. In incident response terms, that is not just an authentication problem. It is a sign that the core identity trust of the Windows environment may be compromised.