A Golden Ticket is a forged Kerberos ticket created from stolen domain-level cryptographic material. It gives the attacker durable access that can survive ordinary account resets, which makes it a persistence mechanism inside the identity layer.
Expanded Definition
A Golden Ticket is a Kerberos forgery that abuses the trust model of Active Directory by presenting a ticket encrypted with stolen domain-level cryptographic material, typically the key of the KRBTGT account, which protects every ticket-granting ticket (TGT) the domain issues. Unlike a normal account compromise, it does not depend on the original user password remaining valid.
In NHI security, the term matters because the attacker is no longer acting as a single account holder. They are impersonating trust itself, which can let them request additional service tickets, move laterally, and maintain access across password resets and routine account cleanup. That is why Golden Tickets are best understood as a persistence technique inside the identity layer, not just an elevated credential.
Definitions vary slightly across vendors when discussing related Kerberos abuse, but the core idea is consistent: once the domain signing material is exposed, the attacker can mint tickets that appear legitimate to downstream systems. The most common misapplication is treating this as a simple password-reset problem, which occurs when defenders focus on the compromised user account instead of the domain credential material that enabled ticket forgery.
For broader identity governance context, NHI Management Group tracks how large the non-human attack surface can become in practice in the Ultimate Guide to NHIs, while the NIST Cybersecurity Framework 2.0 provides the operational language for detection, containment, and recovery.
Examples and Use Cases
Defending against Golden Tickets rigorously adds monitoring and recovery overhead, so organisations must weigh stronger intrusion resilience against the added complexity of Kerberos visibility and incident response.
- A domain controller compromise exposes ticket-signing material, allowing an attacker to generate privileged tickets for multiple services without reusing the original intrusion path.
- A persistence-focused adversary mints a long-lived ticket to retain access after the service account password is changed or the initial foothold is removed.
- Blue teams detect unusual Kerberos service-ticket patterns, then rotate the compromised trust material and rebuild the affected domain controller secrets as part of containment.
- During incident review, teams compare the forged-ticket timeline against identity logs to determine whether lateral movement occurred before privileged account resets.
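The detection and review steps in the list above can be illustrated with a small triage script. This is an added example, not code from NHI Management Group or any vendor tool. It runs over constructed records standing in for Windows Security events 4768 (TGT requested) and 4769 (service ticket requested) gathered from every domain controller, and applies three defender heuristics: a service-ticket request with no KDC-issued TGT for that principal within the TGT lifetime, an encryption type outside domain policy, and a principal name that does not exist in the directory. The TGT lifetime, the AES-only policy, the account inventory and every event are assumptions of the example.

```python
"""Triage of Kerberos ticket requests for forged-ticket indicators.

Added illustration over constructed data. The EVENTS list stands in for
parsed Windows Security events 4768 (TGT requested) and 4769 (service
ticket requested) collected from all domain controllers; only successful
audits are modelled. Nothing here is a real log.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the domain's maximum TGT lifetime is 10 hours (the AD default).
TGT_LIFETIME = timedelta(hours=10)
# Assumption: domain policy mandates AES for Kerberos; anything else deviates.
EXPECTED_ENC_TYPES = {"0x11", "0x12"}  # AES128-CTS-HMAC-SHA1-96, AES256-CTS-HMAC-SHA1-96
# Constructed inventory of principals that actually exist in the directory.
KNOWN_ACCOUNTS = {"alice", "svc-backup", "svc-web", "Administrator"}

# Constructed sample events; field names mirror the 4768/4769 audit fields.
EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:05", "account": "alice",
     "client": "10.0.1.20", "enc": "0x12", "dc": "DC01"},
    {"id": 4769, "time": "2024-05-01T08:00:07", "account": "alice",
     "client": "10.0.1.20", "service": "cifs/fs01", "enc": "0x12", "dc": "DC01"},
    # A service ticket for a real privileged account that no DC ever issued a
    # TGT for, and with an out-of-policy encryption type: the TGT presented to
    # the ticket-granting service did not come from the KDC.
    {"id": 4769, "time": "2024-05-01T09:15:00", "account": "Administrator",
     "client": "10.0.1.77", "service": "ldap/DC01", "enc": "0x17", "dc": "DC02"},
    # A service ticket for a principal name that does not exist in the directory.
    {"id": 4769, "time": "2024-05-01T09:16:30", "account": "backupadm",
     "client": "10.0.1.77", "service": "cifs/fs01", "enc": "0x17", "dc": "DC02"},
    # Legitimate cross-DC use: TGT from DC01, service ticket from DC02.
    {"id": 4768, "time": "2024-05-01T10:00:00", "account": "svc-backup",
     "client": "10.0.1.30", "enc": "0x12", "dc": "DC01"},
    {"id": 4769, "time": "2024-05-01T10:00:02", "account": "svc-backup",
     "client": "10.0.1.30", "service": "cifs/fs02", "enc": "0x12", "dc": "DC02"},
]


def _ts(value):
    return datetime.fromisoformat(value)


def find_suspicious_tickets(events, known_accounts=KNOWN_ACCOUNTS,
                            tgt_lifetime=TGT_LIFETIME):
    """Return (account, client, reasons) for service-ticket requests that
    show forged-ticket indicators. Heuristic, not proof: it needs 4768 and
    4769 from every DC, because a TGT issued by one DC is legitimately used
    against another, and it ignores renewals (event 4770)."""
    # TGT issuance times per (account, client IP), across all DCs.
    tgt_issued = defaultdict(list)
    for ev in events:
        if ev["id"] == 4768:
            tgt_issued[(ev["account"], ev["client"])].append(_ts(ev["time"]))

    findings = []
    for ev in events:
        if ev["id"] != 4769:
            continue
        now = _ts(ev["time"])
        key = (ev["account"], ev["client"])
        reasons = []
        # 1. No KDC-issued TGT for this principal within the TGT lifetime.
        if not any(timedelta(0) <= now - issued <= tgt_lifetime
                   for issued in tgt_issued[key]):
            reasons.append("no matching TGT (4768) within TGT lifetime")
        # 2. Encryption type outside domain policy.
        if ev["enc"] not in EXPECTED_ENC_TYPES:
            reasons.append(f"encryption type {ev['enc']} violates policy")
        # 3. Principal name absent from the directory.
        if ev["account"] not in known_accounts:
            reasons.append("account not present in directory")
        if reasons:
            findings.append((ev["account"], ev["client"], reasons))
    return findings


if __name__ == "__main__":
    for account, client, reasons in find_suspicious_tickets(EVENTS):
        print(f"{account} from {client}: " + "; ".join(reasons))
```

The first heuristic is the one most specific to a Golden Ticket, because a forged TGT never passes through the KDC and so leaves no 4768 anywhere, but it only holds when events from all domain controllers are collected and TGT renewals are folded in; the other two are policy deviations that also surface misconfiguration, so they are corroborating signals rather than proof on their own. Each finding then feeds the timeline comparison the incident-review bullet describes.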
This term sits alongside other identity-layer compromise patterns discussed in NHI Management Group research, especially where identity sprawl and weak lifecycle controls widen attacker options, as described in the Ultimate Guide to NHIs. For implementation detail on broader defensive structure, NIST Cybersecurity Framework 2.0 is the most useful external anchor.
Why It Matters in NHI Security
Golden Tickets are important to NHI security because they show how a single trust anchor can undermine many service identities at once. When domain-level Kerberos material is exposed, ordinary controls such as password resets, account disablement, or token revocation may not be sufficient to restore trust.
This is especially relevant in environments where service accounts, automation, and directory-integrated workloads depend on long-lived identity assumptions. NHI Management Group notes that 80% of identity breaches involved compromised non-human identities such as service accounts and API keys, which helps explain why identity-layer persistence is so damaging when it occurs. The lesson is not that every Kerberos environment is equally exposed, but that weak secret governance and limited visibility make recovery slower and less certain.
The governance implication is straightforward: teams need tighter control over privileged directory credentials, faster detection of ticket abuse, and a recovery plan that assumes the trust fabric itself may be compromised. Organisations typically discover the true operational cost only after a domain intrusion persists beyond password changes, at which point Golden Ticket response can no longer be deferred.
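Why a password reset alone does not restore trust, and what a recovery plan has to sequence, can be shown with a small model. This is an added illustration, not Active Directory code and not part of this guidance's source material. It encodes one documented behaviour: a domain controller validates a TGT with the KRBTGT key version (kvno) the ticket names, and keeps both the current and the previous KRBTGT key, so a single reset leaves a ticket minted under the old key valid, and a second reset must wait until every DC has replicated the first. The key version numbers, DC names, timestamps and replication-latency bound are constructed assumptions.

```python
"""Model of KRBTGT key acceptance during Golden Ticket containment.

Added illustration, not an AD implementation. Models two documented
behaviours: DCs hold the current and previous KRBTGT key, and a second
reset should wait for the first to replicate to every DC. All values
(kvnos, DC names, timestamps) are constructed.
"""
from datetime import datetime, timedelta


class KrbtgtKeyRing:
    """The KRBTGT key versions a domain controller can still decrypt with."""

    def __init__(self, current_kvno, previous_kvno=None):
        self.current = current_kvno
        # Assumption: before any reset the DC still holds the prior key version.
        self.previous = current_kvno - 1 if previous_kvno is None else previous_kvno

    def reset(self):
        """Reset the KRBTGT password: the current key becomes 'previous',
        and the key before it is dropped."""
        self.previous = self.current
        self.current += 1
        return self.current

    def accepts(self, ticket_kvno):
        """A TGT is usable only if it names a key version the DC still holds."""
        return ticket_kvno in (self.current, self.previous)


def resets_needed_to_invalidate(ticket_kvno, current_kvno):
    """How many KRBTGT resets until a ticket minted under ticket_kvno is
    rejected (0 if it is already rejected)."""
    ring = KrbtgtKeyRing(current_kvno)
    resets = 0
    while ring.accepts(ticket_kvno):
        ring.reset()
        resets += 1
    return resets


def second_reset_is_safe(first_reset_at, dc_last_replicated, now, max_replication_latency):
    """Decide whether the second reset may proceed.

    dc_last_replicated maps DC name -> time its copy of the krbtgt object
    last updated. Resetting again before every DC has the first new key
    breaks legitimate tickets issued by the lagging DCs, so the check
    returns (False, lagging_dcs) until they have caught up, and then also
    waits out the domain's maximum replication latency as a safety margin.
    """
    lagging = sorted(dc for dc, t in dc_last_replicated.items() if t < first_reset_at)
    if lagging:
        return False, lagging
    return now - first_reset_at >= max_replication_latency, []


if __name__ == "__main__":
    print("resets until a ticket under the current key is rejected:",
          resets_needed_to_invalidate(5, 5))
    first = datetime(2024, 5, 1, 12, 0)
    dcs = {"DC01": datetime(2024, 5, 1, 12, 0), "DC02": datetime(2024, 5, 1, 11, 30)}
    print(second_reset_is_safe(first, dcs, datetime(2024, 5, 1, 13, 0), timedelta(hours=1)))
```

The model makes the recovery sequencing explicit: a ticket forged under the key that was current at compromise time survives the first reset and falls only after the second, and the second reset is gated on replication state rather than on a fixed delay. In a real domain the replication times come from the directory itself, and the latency bound from the site topology, both of which are outside this example.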
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| OWASP Non-Human Identity Top 10 | NHI-03 | Covers credential abuse and NHI persistence patterns that enable forged access. |
| NIST CSF 2.0 | PR.AA-01 | Identity assurance and authentication resilience are central to forged-ticket defense. |
| NIST Zero Trust (SP 800-207) | Zero Trust tenets | Zero Trust assumes no ticket should be trusted without continuous validation. |
Limit privilege, detect abnormal ticket use, and assume compromised trust material needs full remediation.