In a golden ticket attack, the KRBTGT account's password hash is used to forge a TGT for any account.
A golden ticket is easily detectable if sufficient controls are in place, because there will be no pre-authentication (AS-REQ/AS-REP) logs from when that TGT was granted.
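The detection idea above, as an added example that is not part of the original note: correlate service ticket requests (Security event 4769) with a prior TGT request (event 4768) for the same account and client address. The sample records are constructed, and the 10-hour lookback is an assumption matching the default TGT lifetime; adjust it to your domain policy.

```python
from datetime import datetime, timedelta

# Constructed sample records (not real logs), reduced to the fields used here.
# 4768 = TGT requested (AS-REQ), 4769 = service ticket requested (TGS-REQ).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "id": 4768, "TargetUserName": "alice", "IpAddress": "::ffff:10.0.0.21"},
    {"time": "2024-05-01T08:05:00", "id": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "IpAddress": "::ffff:10.0.0.21"},
    {"time": "2024-05-01T09:30:00", "id": 4769, "TargetUserName": "administrator@CORP.EXAMPLE", "IpAddress": "::ffff:10.0.0.66"},
    {"time": "2024-05-01T19:00:00", "id": 4769, "TargetUserName": "alice@CORP.EXAMPLE", "IpAddress": "::ffff:10.0.0.21"},
]

def _key(event):
    """Normalise account (4769 logs user@REALM, 4768 logs user) and client IP."""
    user = event["TargetUserName"].split("@")[0].lower()
    ip = event["IpAddress"]
    ip = ip[7:] if ip.startswith("::ffff:") else ip  # strip IPv4-mapped prefix
    return user, ip

def find_tgs_without_as(events, lookback=timedelta(hours=10)):
    """Return 4769 events with no 4768 for the same user and client IP
    inside the lookback window (assumed here to equal the TGT lifetime).
    Ticket renewals are not modelled, so treat hits as leads to triage."""
    last_as = {}      # (user, ip) -> time of the most recent AS-REQ
    suspicious = []
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        key = _key(ev)
        if ev["id"] == 4768:
            last_as[key] = when
        elif ev["id"] == 4769:
            seen = last_as.get(key)
            # No AS-REQ at all, or one too old for the ticket to still be valid.
            if seen is None or when - seen > lookback:
                suspicious.append(ev)
    return suspicious

if __name__ == "__main__":
    for hit in find_tgs_without_as(SAMPLE_EVENTS):
        print(hit["time"], hit["TargetUserName"], hit["IpAddress"])
```

This only works if events 4768 and 4769 are collected from every domain controller; a gap in collection looks the same as a missing AS-REQ.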