Glossary
GOLDEN TICKET
defined.
A forged Kerberos TGT created using the KRBTGT account hash — granting an attacker arbitrary domain access until the KRBTGT password is rotated twice.
A–Z
A forged Kerberos TGT created using the KRBTGT account hash — granting an attacker arbitrary domain access until the KRBTGT password is rotated twice.
The endgame of an Active Directory compromise. Detection focuses on TGT lifetimes longer than the policy maximum, and on TGTs for non-existent accounts. Mitigation: scheduled KRBTGT password rotations (twice, six hours apart) plus tier 0 segregation.
See our web application penetration testing, API security testing, network penetration testing, and cloud security audit services for how we test for and defend against this class of issue.
30-minute call with an OSCP-certified engineer. Tailored proposal in 24 hours.