https://blog.it-learn.io/tags/golden-ticket/Recent content in Golden-Ticket on it-learn.io | IT, Networking & Cybersecurity BlogHugoen-usMon, 27 Apr 2026 00:00:00 +0000https://blog.it-learn.io/posts/2026-04-27-active-directory-persistence-5-ways-attackers-stay/Mon, 27 Apr 2026 00:00:00 +0000https://blog.it-learn.io/posts/2026-04-27-active-directory-persistence-5-ways-attackers-stay/<p>Gaining Domain Admin access is not the end of an attack — it is often the beginning of the persistence phase. Sophisticated threat actors know that initial access can be detected and terminated. Their goal is to establish mechanisms that survive eviction attempts: password resets, account disabling, even partial domain rebuilds.</p> <p>Active Directory offers attackers a rich surface for persistence. The Kerberos architecture, the replication model, the inheritance-based permission system, and the in-memory authentication stack on domain controllers each present opportunities for durable footholds. Understanding these five techniques is essential for anyone responsible for AD security — both to detect active persistence and to assess residual risk after an incident.</p>https://blog.it-learn.io/posts/2026-04-23-golden-ticket-attack-forging-kerberos-tickets/Thu, 23 Apr 2026 00:00:00 +0000https://blog.it-learn.io/posts/2026-04-23-golden-ticket-attack-forging-kerberos-tickets/<p>When an attacker extracts the KRBTGT hash from a domain controller, they no longer need credentials, valid accounts, or even network connectivity to the KDC to authenticate as anyone in the domain. They become, effectively, the Kerberos authority itself — able to issue their own tickets for any identity, any group membership, any privilege level, with expiration dates set a decade into the future. This is the Golden Ticket attack.</p>