Golden Ticket - T1558.001
(ATT&CK® Technique)
Definition
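Adversaries who have the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGTs), also known as golden tickets. Golden tickets enable adversaries to generate authentication material for any account in Active Directory. A forged TGT is accepted because the KDC validates TGTs with the KRBTGT key, so it remains usable for as long as that key is unchanged.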
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
graph LR; T1558001["Golden Ticket"] --> |forges| KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; class T1558001 OffensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click KerberosTicketGrantingTicket href "/dao/artifact/d3f:KerberosTicketGrantingTicket"; click T1558001 href "/offensive-technique/attack/T1558.001/"; click KerberosTicketGrantingTicket href "/dao/artifact/d3f:KerberosTicketGrantingTicket"; T1558001["Golden Ticket"] --> |may-access| KerberosTicket["Kerberos Ticket"]; class T1558001 OffensiveTechniqueNode; class KerberosTicket ArtifactNode; click KerberosTicket href "/dao/artifact/d3f:KerberosTicket"; click T1558001 href "/offensive-technique/attack/T1558.001/"; click KerberosTicket href "/dao/artifact/d3f:KerberosTicket"; T1558001["Golden Ticket"] --> |may-create| KerberosTicket["Kerberos Ticket"]; class T1558001 OffensiveTechniqueNode; class KerberosTicket ArtifactNode; click KerberosTicket href "/dao/artifact/d3f:KerberosTicket"; click T1558001 href "/offensive-technique/attack/T1558.001/"; click KerberosTicket href "/dao/artifact/d3f:KerberosTicket"; CredentialRevocation["Credential Revocation"] --> | deletes | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; CredentialRevocation["Credential Revocation"] -.-> | may-evict | T1558001["Golden Ticket"] ; class CredentialRevocation DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click CredentialRevocation href "/technique/d3f:CredentialRevocation"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | may-evict | T1558001["Golden Ticket"] ; class AuthenticationCacheInvalidation DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; 
CredentialRotation["Credential Rotation"] --> | regenerates | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; CredentialRotation["Credential Rotation"] -.-> | may-harden | T1558001["Golden Ticket"] ; class CredentialRotation DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click CredentialRotation href "/technique/d3f:CredentialRotation"; TokenBinding["Token Binding"] --> | strengthens | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; TokenBinding["Token Binding"] -.-> | may-harden | T1558001["Golden Ticket"] ; class TokenBinding DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click TokenBinding href "/technique/d3f:TokenBinding"; CredentialRevocation["Credential Revocation"] --> | deletes | KerberosTicket["Kerberos Ticket"]; class CredentialRevocation DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click CredentialRevocation href "/technique/d3f:CredentialRevocation"; AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | KerberosTicket["Kerberos Ticket"]; class AuthenticationCacheInvalidation DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation"; CredentialRotation["Credential Rotation"] --> | regenerates | KerberosTicket["Kerberos Ticket"]; class CredentialRotation DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click CredentialRotation href "/technique/d3f:CredentialRotation"; TokenBinding["Token Binding"] --> | strengthens | KerberosTicket["Kerberos Ticket"]; class TokenBinding DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click TokenBinding href "/technique/d3f:TokenBinding"; DecoyUserCredential["Decoy User Credential"] --> | spoofs | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; DecoyUserCredential["Decoy User Credential"] -.-> | may-deceive | T1558001["Golden Ticket"] ; class DecoyUserCredential 
DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | may-detect | T1558001["Golden Ticket"] ; class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; DecoyUserCredential["Decoy User Credential"] --> | spoofs | KerberosTicket["Kerberos Ticket"]; class DecoyUserCredential DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click DecoyUserCredential href "/technique/d3f:DecoyUserCredential"; CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | KerberosTicket["Kerberos Ticket"]; class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis"; Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; Multi-factorAuthentication["Multi-factor Authentication"] -.-> | may-harden | T1558001["Golden Ticket"] ; class Multi-factorAuthentication DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | KerberosTicket["Kerberos Ticket"]; class Multi-factorAuthentication DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication"; ReissueCredential["Reissue Credential"] --> | restores | 
KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; ReissueCredential["Reissue Credential"] -.-> | may-restore | T1558001["Golden Ticket"] ; class ReissueCredential DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click ReissueCredential href "/technique/d3f:ReissueCredential"; CredentialHardening["Credential Hardening"] --> | hardens | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; CredentialHardening["Credential Hardening"] -.-> | may-harden | T1558001["Golden Ticket"] ; class CredentialHardening DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click CredentialHardening href "/technique/d3f:CredentialHardening"; ReissueCredential["Reissue Credential"] --> | restores | KerberosTicket["Kerberos Ticket"]; class ReissueCredential DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click ReissueCredential href "/technique/d3f:ReissueCredential"; CredentialHardening["Credential Hardening"] --> | hardens | KerberosTicket["Kerberos Ticket"]; class CredentialHardening DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click CredentialHardening href "/technique/d3f:CredentialHardening"; CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | may-isolate | T1558001["Golden Ticket"] ; class CredentialTransmissionScoping DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; Token-basedAuthentication["Token-based Authentication"] --> | uses | KerberosTicketGrantingTicket["Kerberos Ticket Granting Ticket"]; Token-basedAuthentication["Token-based Authentication"] -.-> | may-harden | T1558001["Golden Ticket"] ; class Token-basedAuthentication DefensiveTechniqueNode; class KerberosTicketGrantingTicket ArtifactNode; click 
Token-basedAuthentication href "/technique/d3f:Token-basedAuthentication"; CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | KerberosTicket["Kerberos Ticket"]; class CredentialTransmissionScoping DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping"; Token-basedAuthentication["Token-based Authentication"] --> | uses | KerberosTicket["Kerberos Ticket"]; class Token-basedAuthentication DefensiveTechniqueNode; class KerberosTicket ArtifactNode; click Token-basedAuthentication href "/technique/d3f:Token-basedAuthentication";