Golden Ticket
Forge a TGT using a stolen krbtgt hash to impersonate any principal in the domain.
§ Where this technique fits
T1558.001 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, typically at step 4 on average.
Authoritative reference: attack.mitre.org/techniques/T1558/001/.
§ Dossiers chaining this technique
- step 3 / 7 — Post-Domain Admin persistence: Golden Ticket + DCShadow + AdminSDHolder
  Once Domain Admin is achieved, plant layered persistence so a krbtgt rotation, password resets, and ACL clean-up do not all evict the attacker.
- step 4 / 6 — Cross-trust attack: child → parent forest via SID History
  Forge an inter-realm TGT using a child domain's krbtgt and inject the Enterprise Admins SID into SID History to traverse a non-quarantined trust.
- step 5 / 5 — ZeroLogon (CVE-2020-1472) → Domain takeover
  An unauthenticated attacker abuses the Netlogon AES-CFB8 flaw to reset a DC's machine account password to empty, dumps secrets, and restores the original password.
§ What commonly comes next
- 01 AdminSDHolder Abuse (seen 1×) — AD-ADMINSDHOLDER · Persistence
- 02 Steal or Forge Kerberos Tickets (seen 1×) — T1558 · Credential Access