title: Golden Ticket (T1558.001)
id: df00tech-t1558-001
status: experimental
description: "Adversaries who have obtained the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), known as golden tickets. Golden tickets enable adversaries to generate authentication material for any account in Active Directory with arbitrary group memberships, privilege levels, and ticket lifetimes — including non-existent accounts. The KRBTGT hash is typically obtained via OS Credential Dumping (DCSync or direct LSASS dump) against a domain controller. Tools including Mimikatz (kerberos::golden), Rubeus (golden /rc4: or /aes256:), Impacket ticketer.py, and the Empire/Sliver frameworks can generate forged TGTs locally without contacting the KDC. The forged ticket is then injected into memory (Pass-the-Ticket) and used to request Kerberos Service Tickets (TGS) for any resource in the domain. Golden tickets are highly persistent: they remain valid until the KRBTGT password is reset twice, and the attacker can regenerate them at will as long as the KRBTGT hash is known."
references:
  - https://attack.mitre.org/techniques/T1558/001/
  - https://df00tech.com/detections/T1558.001
author: df00tech
date: 2026/04/13
tags:
  - attack.t1558.001
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legacy applications, services, and printers that do not support AES Kerberos and legitimately request RC4-encrypted TGS tickets (Event 4769 TicketEncryptionType 0x17) — common with older SQL Server service accounts, legacy IIS application pools, and SMB shares on Windows Server 2008"
  - Authorized penetration testing or red team exercises using Mimikatz or Rubeus under signed rules of engagement; verify against change management records and pentest scheduling windows
  - "Security operations tooling that monitors Kerberos ticket state using Mimikatz kerberos::list for read-only inspection without ticket forgery"
  - IT provisioning scripts or identity governance tools that interact with Kerberos ticket handling on admin workstations
level: critical
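# Added worked example (not part of the df00tech rule and not the KQL/SPL query it refers to):
# an offline detection pass over Windows Security Event 4769 records, the event the
# false-positive notes above cite. It flags RC4 (TicketEncryptionType 0x17) service-ticket
# requests for accounts outside a legacy allow-list, and TGS requests for accounts that do not
# exist in the directory, since a forged TGT can name a non-existent account. The event lines,
# directory snapshot, allow-list and account names are all constructed sample data.

```python
"""Offline detection pass over constructed Event 4769 records.

Signals evaluated per event (both grounded in the rule text above):
  * TicketEncryptionType 0x17 (RC4-HMAC) for a service-ticket request
    from an account that is not on the legacy RC4 allow-list
  * a service-ticket request for an account absent from the directory

Everything below (events, directory, allow-list) is constructed sample
data, not real logs; account and host names are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed directory snapshot (in practice, an export of AD accounts).
DIRECTORY_ACCOUNTS = {"jsmith", "svc_sql_legacy", "adm_backup", "krbtgt"}

# Constructed allow-list for the documented false positive: legacy
# service accounts that legitimately still request RC4 tickets.
RC4_ALLOWLIST = {"svc_sql_legacy"}

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC

# Constructed key=value renderings of Security log events.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=jsmith@CORP.EXAMPLE ServiceName=cifs/fs01 TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=svc_sql_legacy@CORP.EXAMPLE ServiceName=MSSQLSvc/db01 TicketEncryptionType=0x17 IpAddress=10.0.0.9",
    "EventID=4769 TargetUserName=adm_backup@CORP.EXAMPLE ServiceName=cifs/dc01 TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4769 TargetUserName=ghostadmin@CORP.EXAMPLE ServiceName=ldap/dc01 TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4624 TargetUserName=jsmith LogonType=3",
]


@dataclass
class Finding:
    event_index: int
    account: str
    reason: str


def parse_4769(line: str) -> Optional[Dict[str, str]]:
    """Parse one key=value event line; return None unless it is EventID 4769."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" not in token:
            continue
        key, value = token.split("=", 1)
        fields[key] = value
    if fields.get("EventID") != "4769":
        return None
    return fields


def evaluate(events: List[str]) -> List[Finding]:
    """Run both checks over the event lines and return the findings in order."""
    findings: List[Finding] = []
    for index, line in enumerate(events):
        event = parse_4769(line)
        if event is None:
            continue
        # Drop the @REALM suffix and normalise case before comparing.
        account = event.get("TargetUserName", "").split("@")[0].lower()
        if account not in DIRECTORY_ACCOUNTS:
            findings.append(Finding(index, account, "account does not exist in directory"))
        enc_type = event.get("TicketEncryptionType", "").lower()
        if enc_type == RC4_HMAC and account not in RC4_ALLOWLIST:
            findings.append(Finding(index, account, "RC4 (0x17) service ticket outside legacy allow-list"))
    return findings


if __name__ == "__main__":
    for finding in evaluate(SAMPLE_EVENTS):
        print(f"event {finding.event_index}: {finding.account}: {finding.reason}")
```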
