A Golden Ticket attack forges a Kerberos ticket after an attacker obtains the KRBTGT hash in Active Directory. It can grant broad, durable access because the forged ticket is treated as trustworthy by the domain, making it a classic high-impact identity compromise.
Expanded Definition
A Golden Ticket attack is a post-compromise Kerberos abuse technique in Active Directory, where an attacker who has the KRBTGT hash forges tickets that appear valid to the domain. Because the ticket is cryptographically trusted, the attacker can impersonate users and often maintain access for long periods.
In NHI security terms, the practical risk is not just stolen access but trust boundary collapse. Kerberos was designed to reduce password handling, yet once the signing secret is exposed, the attacker can mint durable identity assertions that bypass normal authentication workflows. That makes this attack especially dangerous in environments with long-lived service accounts, weak tiering, or inadequate monitoring of privileged identity activity. For a broader view of how identity compromises escalate across modern environments, see Ultimate Guide to NHIs — Key Challenges and Risks and the Top 10 NHI Issues analysis.
The most common misapplication is treating a Golden Ticket as a simple account compromise: teams rotate passwords on the wrong accounts while leaving the KRBTGT exposure, and the domain-wide trust problem it creates, unresolved.
Examples and Use Cases
Implementing detection and recovery rigorously often introduces operational friction, requiring organisations to weigh service continuity against the cost of deep credential hygiene and domain recovery work.
- An adversary steals the KRBTGT hash from a domain controller, forges a ticket, and moves laterally into file servers, backup systems, and domain-admin-equivalent paths without reauthenticating.
- A security team rotates user passwords after suspicious activity, but ignores the krbtgt account, allowing the attacker to keep using forged tickets until the trust secret is reset correctly.
- A compromise of a privileged admin workstation leads to ticket forging that survives routine password resets, which is why the 52 NHI Breaches Analysis emphasizes durable credential abuse as a recurring breach pattern.
- An enterprise uses detections from CISA cyber threat advisories to spot abnormal ticket lifetimes, impossible group memberships, and unusual Kerberos service requests.
- During incident response, responders validate whether the attacker also abused service accounts, because Golden Ticket activity often appears alongside broader identity compromise rather than as a standalone event.
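The detection examples above (abnormal ticket lifetimes, unusual Kerberos service requests) can be made concrete with a small triage script. The block below is an added example, not code from the original page or from any vendor tooling it references. It runs three checks over constructed data: a service-ticket event with no preceding TGT request on any domain controller, an RC4 encryption type in a domain assumed to be AES-only, and a cached ticket whose lifetime exceeds the assumed 10-hour domain maximum. The event field names are simplified assumptions modelled loosely on Windows Security event IDs 4768 and 4769 and on a klist-style ticket listing, not the exact Windows schemas.

```python
"""Added example (not from the original page): flag common Golden Ticket
indicators in constructed Kerberos audit data. Field names are simplified
assumptions loosely modelled on Windows Security IDs 4768 (TGT issued) and
4769 (service ticket issued) plus a klist-style endpoint ticket listing."""
from datetime import datetime, timedelta

# Policy assumptions (constructed): 10-hour maximum TGT lifetime and an
# AES-only domain, so RC4-HMAC (etype 0x17) is unexpected.
MAX_TGT_LIFETIME = timedelta(hours=10)
ALLOWED_ETYPES = {0x11, 0x12}          # AES128-CTS, AES256-CTS
RC4_HMAC = 0x17


def _t(s):
    return datetime.fromisoformat(s)


# Constructed DC audit events. svc-backup shows a normal 4768 -> 4769 chain.
# alice has 4769 events with no 4768 from any DC in the preceding TGT
# lifetime and uses RC4: the trail a TGT minted offline tends to leave.
DC_EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "user": "svc-backup", "etype": 0x12, "dc": "DC01"},
    {"id": 4769, "time": "2024-05-01T08:05:00", "user": "svc-backup", "etype": 0x12, "dc": "DC01", "service": "cifs/FS01"},
    {"id": 4769, "time": "2024-05-01T09:00:00", "user": "alice", "etype": RC4_HMAC, "dc": "DC02", "service": "cifs/FS01"},
    {"id": 4769, "time": "2024-05-01T09:02:00", "user": "alice", "etype": RC4_HMAC, "dc": "DC02", "service": "ldap/DC01"},
]

# Constructed endpoint ticket cache (klist-style). alice's TGT is valid for
# ten years; svc-backup's honours the 10-hour policy.
ENDPOINT_TICKETS = [
    {"user": "alice", "service": "krbtgt/CORP", "start": "2024-05-01T08:58:00", "end": "2034-04-29T08:58:00"},
    {"user": "svc-backup", "service": "krbtgt/CORP", "start": "2024-05-01T08:00:00", "end": "2024-05-01T18:00:00"},
]


def tgs_without_tgt(events, window=MAX_TGT_LIFETIME):
    """Return 4769 events for users with no 4768 on any DC within `window`
    before the service-ticket request (a real TGT must have been issued)."""
    tgt_times = {}
    for e in events:
        if e["id"] == 4768:
            tgt_times.setdefault(e["user"], []).append(_t(e["time"]))
    findings = []
    for e in events:
        if e["id"] != 4769:
            continue
        when = _t(e["time"])
        recent = [t for t in tgt_times.get(e["user"], []) if when - window <= t <= when]
        if not recent:
            findings.append(e)
    return findings


def downgraded_etype(events, allowed=ALLOWED_ETYPES):
    """Return events whose encryption type is outside the domain's allowed set."""
    return [e for e in events if e["etype"] not in allowed]


def overlong_tickets(tickets, max_lifetime=MAX_TGT_LIFETIME):
    """Return ticket cache entries whose lifetime exceeds the domain maximum."""
    return [t for t in tickets if _t(t["end"]) - _t(t["start"]) > max_lifetime]


def triage(events, tickets):
    """Collapse the three checks into per-user indicator counts for triage."""
    score = {}
    for e in tgs_without_tgt(events):
        score[e["user"]] = score.get(e["user"], 0) + 1
    for e in downgraded_etype(events):
        score[e["user"]] = score.get(e["user"], 0) + 1
    for t in overlong_tickets(tickets):
        score[t["user"]] = score.get(t["user"], 0) + 1
    return score


if __name__ == "__main__":
    for user, n in sorted(triage(DC_EVENTS, ENDPOINT_TICKETS).items()):
        print(f"{user}: {n} Golden Ticket indicator(s)")
```

Each check on its own produces noise (a ticket renewed on a DC whose logs are not collected looks like a missing 4768; legacy services still negotiate RC4), which is why the script scores per user rather than alerting per event: a single identity accumulating all three is the pattern worth an analyst's time.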
For practitioners studying adjacent attack behavior, Anthropic — first AI-orchestrated cyber espionage campaign report is useful context for how attackers chain identity access with automation.
Why It Matters in NHI Security
Golden Ticket attacks matter because they turn a single identity secret into broad, durable domain control. That pattern mirrors a wider NHI failure mode: Ultimate Guide to NHIs — Why NHI Security Matters Now notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. In practice, the issue is not only authentication but the lifecycle of privileged trust material, especially where monitoring is weak and recovery steps are unclear.
This is also why the attack belongs in Zero Trust conversations. If a domain secret can mint trusted access, then perimeter assumptions fail and identity governance must take over. The problem often persists because defenders focus on visible user accounts while missing service identities, delegation paths, and stale privileges that enable repeat compromise. The most effective response combines segmentation, credential rotation discipline, tight privileged access control, and forensic validation of ticket abuse patterns with guidance from CISA cyber threat advisories and the MITRE ATLAS adversarial AI threat matrix where automated attacker tradecraft intersects with identity abuse.
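The "credential rotation discipline" point, and the earlier example of a team that rotates user passwords while leaving krbtgt untouched, both turn on one Kerberos detail: the KDC accepts tickets encrypted under the current krbtgt key and the previous one, so a key captured before a single reset is still honoured until a second reset. The block below is an added example that models this acceptance rule; it is not code from the original page. The key-version bookkeeping, the timestamps and the 10-hour minimum spacing between resets (chosen to match the assumed maximum TGT lifetime so legitimate tickets are not invalidated mid-flight) are constructed assumptions.

```python
"""Added example (not from the original page): why one krbtgt reset does not
evict forged tickets. The KDC honours tickets under the current and the
previous krbtgt key version, so a stolen key survives reset N until reset
N+1. Timestamps and the 10-hour spacing are constructed assumptions."""
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)


class KrbtgtKeyRing:
    """Tracks krbtgt key versions the way the KDC's acceptance rule behaves:
    tickets signed with the current or the previous key version are accepted."""

    def __init__(self):
        self.version = 1
        self.resets = []              # timestamp of each reset, in order

    def reset(self, when):
        self.version += 1
        self.resets.append(when)

    def accepts(self, key_version):
        return key_version in (self.version, self.version - 1)


def forged_tickets_still_valid(ring, stolen_version):
    """True while a TGT forged with the stolen key version would be accepted."""
    return ring.accepts(stolen_version)


def reset_spacing_ok(resets, min_gap=MAX_TGT_LIFETIME):
    """A second reset sooner than the maximum ticket lifetime retires the key
    that legitimate in-flight tickets still carry; flag plans that are too tight."""
    return all(b - a >= min_gap for a, b in zip(resets, resets[1:]))


def simulate_recovery(first_reset, second_reset):
    """Walk the recovery: key stolen at version 1, then two resets.
    Returns (valid_before, valid_after_first, valid_after_second, spacing_ok)."""
    ring = KrbtgtKeyRing()
    stolen = ring.version
    before = forged_tickets_still_valid(ring, stolen)
    ring.reset(first_reset)
    after_first = forged_tickets_still_valid(ring, stolen)
    ring.reset(second_reset)
    after_second = forged_tickets_still_valid(ring, stolen)
    return before, after_first, after_second, reset_spacing_ok(ring.resets)


# Constructed reset plans: one spaced past the TGT lifetime, one rushed.
GOOD_PLAN = (datetime(2024, 5, 1, 8, 0), datetime(2024, 5, 1, 20, 0))
RUSHED_PLAN = (datetime(2024, 5, 1, 8, 0), datetime(2024, 5, 1, 9, 0))

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("rushed", RUSHED_PLAN)):
        before, after_first, after_second, ok = simulate_recovery(*plan)
        print(f"{name}: forged ticket valid before={before}, after 1st reset={after_first}, "
              f"after 2nd reset={after_second}; spacing ok={ok}")
```

The simulation makes the recovery gap visible: after the first reset the forged ticket is still accepted, and only the second reset closes it, which is the behaviour behind the "reset correctly" wording in the examples above. The spacing check is the operational counterweight, since a second reset performed too quickly also invalidates legitimate tickets that have not yet been renewed.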
Organisations typically encounter the full impact only after lateral movement, domain persistence, or incident response reveals forged Kerberos tickets, at which point addressing the Golden Ticket attack can no longer be deferred.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Highlights privileged secret compromise and durable access risks in non-human identities. |
| NIST CSF 2.0 | PR.AC-4 | Maps to least-privilege access control and identity-based authorization governance. |
| NIST Zero Trust (SP 800-207) | SC-7 | Zero Trust assumes no implicit trust, which directly counters forged ticket abuse. |
Treat KRBTGT and related secrets as crown-jewel NHI assets and monitor for forged trust artifacts.