Golden-Ticket

Quick Reference Technique Requirement Detection Risk DCSync Domain Admin or explicit replication rights High — replication request from non-DC Golden Ticket krbtgt NTLM + AES256 hash, domain SID Medium — no TGT event (4768) on DC Silver Ticket Service account NTLM hash, domain SID, SPN Low — no DC contact at all Diamond Ticket krbtgt AES256, valid user credentials Low — based on a real TGT NTDS.dit VSS Shell on DC, local admin High — shadow copy creation event DPAPI Backup Key Domain Admin, DC access Medium — LDAP/RPC request to DC ACL-based (DCSync rights) WriteDACL or GenericAll on domain root Low — ACL change may not alert Machine Account creation Any user with MachineAccountQuota > 0 Low Pass-the-Hash persistence Local admin hash, no domain rights needed Low — appears as normal auth DCSync What It Is DCSync abuses the Directory Replication Service (DRS) protocol. Domain controllers use DRS to replicate directory data between themselves. The GetNCChanges function is the core RPC call used. Any account with the following rights on the domain root object can invoke this: ...

Quick Reference Table Technique Tool Requirement Stealth Level Golden Ticket Mimikatz / Rubeus krbtgt hash + DOMAIN_SID Medium Silver Ticket Mimikatz / Rubeus Service account hash High Diamond Ticket Rubeus krbtgt AES256 + DA creds High DCSync rights backdoor PowerView Domain Admin Low AdminSDHolder abuse PowerView Domain Admin Low DPAPI Backup Key SharpDPAPI Domain Admin High Skeleton Key Mimikatz Domain Admin (LSASS access) Low WMI Event Subscription PowerShell Local Admin Medium SID History Mimikatz Domain Admin Medium DCSync What it is: Abuse of the Directory Replication Service (DRS) protocol to impersonate a domain controller and request password data for any account directly from a legitimate DC. No file on disk needs to be touched — the DC simply hands over the hashes on request, because that is exactly what the DRS protocol is designed to do between DCs. ...