The ticket that never expires (Golden Ticket)
Steal the krbtgt account's key and an attacker can forge Kerberos tickets for any user, with any privileges, for as long as they like. Here is what a Golden Ticket is, why it is so hard to evict, and the fix.
Evicting an attacker from a domain is hard when they can simply sign themselves a new ticket whenever they want.
What it is
Kerberos ticket-granting tickets are signed with the krbtgt account's key. An attacker who obtains that key, via DCSync or a domain controller compromise, forges a Golden Ticket: a TGT for any user, with any group memberships, valid for as long as they choose. In MITRE ATT&CK terms this is T1558.001.
Why it works
The forged ticket is cryptographically valid, so every service accepts it, and it survives password resets on the user it impersonates, because nothing in the ticket depends on that user's password. Only rotating the krbtgt key removes it, and that must be done twice to fully cycle: the KDC keeps honouring tickets signed with the previous krbtgt key, so a single reset leaves the forged ticket valid.
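To make the eviction argument concrete, here is an added example (not code from the original post or from GraphLattice) that models the KDC's key handling with an HMAC stand-in for the real ticket encryption. The class names, keys and claims are constructed for illustration; the only behaviour it borrows from Kerberos is that a TGT is validated against the current or the previous krbtgt key and never against the impersonated user's password.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional


class ToyKdc:
    """Toy model of the KDC's krbtgt key handling (not real Kerberos).
    A TGT is accepted if it verifies under the current krbtgt key or the
    previous one, which is why a single key reset is not enough."""

    def __init__(self, krbtgt_key: bytes, user_keys: Dict[str, bytes]):
        self.current = krbtgt_key
        self.previous: Optional[bytes] = None
        # User keys are tracked only to show they play no part in TGT validation.
        self.user_keys = dict(user_keys)

    @staticmethod
    def _mac(key: bytes, claims: dict) -> str:
        body = json.dumps(claims, sort_keys=True).encode()
        return hmac.new(key, body, hashlib.sha256).hexdigest()

    def issue(self, claims: dict, key: Optional[bytes] = None) -> dict:
        # A legitimate KDC signs with its current key; an attacker holding a
        # stolen copy of that key produces an indistinguishable ticket.
        key = self.current if key is None else key
        return {"claims": claims, "mac": self._mac(key, claims)}

    def verify(self, ticket: dict) -> bool:
        for key in (self.current, self.previous):
            if key is not None and hmac.compare_digest(
                self._mac(key, ticket["claims"]), ticket["mac"]
            ):
                return True
        return False

    def rotate_krbtgt(self, new_key: bytes) -> None:
        # The old current key becomes the still-accepted previous key.
        self.previous, self.current = self.current, new_key

    def reset_user_password(self, user: str, new_key: bytes) -> None:
        self.user_keys[user] = new_key


def eviction_timeline() -> Dict[str, bool]:
    """Walk through the response steps and record whether the forged TGT still verifies."""
    kdc = ToyKdc(b"krbtgt-key-v1", {"administrator": b"admin-pw-1"})  # constructed keys
    stolen_key = kdc.current  # models the key an attacker extracted from the DC
    forged = kdc.issue(
        {"user": "administrator", "groups": ["Domain Admins"], "lifetime_hours": 87600},
        key=stolen_key,
    )
    timeline = {"forged": kdc.verify(forged)}
    kdc.reset_user_password("administrator", b"admin-pw-2")
    timeline["after_user_password_reset"] = kdc.verify(forged)
    kdc.rotate_krbtgt(b"krbtgt-key-v2")
    timeline["after_first_krbtgt_rotation"] = kdc.verify(forged)
    kdc.rotate_krbtgt(b"krbtgt-key-v3")
    timeline["after_second_krbtgt_rotation"] = kdc.verify(forged)
    return timeline


if __name__ == "__main__":
    for step, accepted in eviction_timeline().items():
        print(f"{step:32s} forged ticket accepted: {accepted}")
```

Running it shows the ticket surviving the user password reset and the first rotation and failing only after the second, which is the whole reason the guidance says twice. In a real domain the two resets must also be separated by enough time for replication to complete, otherwise legitimate tickets break as well.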
How to detect it
Look for ticket-granting tickets with anomalous lifetimes or for nonexistent or privileged users, tickets that do not correspond to a real authentication, and ticket encryption downgraded to RC4 in a domain that otherwise uses AES.
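The checks above translate into a small correlation pass over domain controller events. The following is an added example, not code from the original post or from GraphLattice: the events and cached tickets are constructed samples reduced to a handful of fields, the field names are assumptions chosen to mirror what Windows 4768 (TGT issued) and 4769 (service ticket requested) events carry, and the known-user and privileged-user sets stand in for a directory lookup. Encryption type 0x17 is the standard RC4-HMAC value and 0x12 is AES256; the 10-hour limit is the default maximum user ticket lifetime.

```python
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

RC4_HMAC = 0x17                         # TicketEncryptionType for RC4-HMAC (etype 23)
AES256 = 0x12                           # TicketEncryptionType for AES256 (etype 18)
DEFAULT_MAX_TGT = timedelta(hours=10)   # default "Maximum lifetime for user ticket"

# Constructed sample of DC events. 4768 = TGT issued by the KDC,
# 4769 = service ticket requested by presenting a TGT.
EVENTS: List[Dict] = [
    {"id": 4768, "user": "alice", "etype": AES256, "ip": "10.0.0.5"},
    {"id": 4769, "user": "alice", "etype": AES256, "ip": "10.0.0.5", "service": "cifs/FS01"},
    {"id": 4769, "user": "ghost", "etype": RC4_HMAC, "ip": "10.0.0.99", "service": "ldap/DC01"},
    {"id": 4769, "user": "administrator", "etype": RC4_HMAC, "ip": "10.0.0.99", "service": "cifs/DC01"},
]

# Constructed sample of tickets seen in a client cache (what klist would list),
# kept only for the fields needed to check lifetime.
CACHED_TICKETS: List[Dict] = [
    {"user": "alice", "start": "2024-05-01T08:00:00", "end": "2024-05-01T18:00:00"},
    {"user": "administrator", "start": "2024-05-01T09:00:00", "end": "2034-04-29T09:00:00"},
]

KNOWN_USERS: Set[str] = {"alice", "bob", "administrator"}   # stands in for a directory lookup
PRIVILEGED_USERS: Set[str] = {"administrator"}

Finding = Tuple[str, str]   # (user, reason)


def check_events(events: List[Dict], known_users: Set[str],
                 privileged: Set[str]) -> List[Finding]:
    """Flag service-ticket requests that lack a matching TGT issuance from the
    same source, name a user the directory does not know, or use RC4."""
    findings: List[Finding] = []
    known = {u.lower() for u in known_users}
    priv = {u.lower() for u in privileged}
    tgt_issued: Set[Tuple[str, str]] = set()
    for e in events:
        key = (e["user"].lower(), e["ip"])
        if e["id"] == 4768:
            tgt_issued.add(key)          # the KDC really issued a TGT to this user/source
            continue
        if e["id"] != 4769:
            continue
        user = e["user"]
        if key[0] not in known:
            findings.append((user, "service ticket for a user that does not exist"))
        if key not in tgt_issued:
            label = "privileged " if key[0] in priv else ""
            findings.append((user, f"{label}TGS request with no TGT issuance from {e['ip']}"))
        if e["etype"] == RC4_HMAC:
            findings.append((user, "RC4 encryption type in an AES domain"))
    return findings


def check_ticket_lifetimes(tickets: List[Dict],
                           max_lifetime: timedelta = DEFAULT_MAX_TGT) -> List[Finding]:
    """Flag cached tickets whose validity window exceeds domain policy."""
    findings: List[Finding] = []
    for t in tickets:
        lifetime = datetime.fromisoformat(t["end"]) - datetime.fromisoformat(t["start"])
        if lifetime > max_lifetime:
            findings.append((t["user"], f"ticket lifetime {lifetime} exceeds policy {max_lifetime}"))
    return findings


if __name__ == "__main__":
    for user, reason in check_events(EVENTS, KNOWN_USERS, PRIVILEGED_USERS):
        print(f"[events]  {user}: {reason}")
    for user, reason in check_ticket_lifetimes(CACHED_TICKETS):
        print(f"[tickets] {user}: {reason}")
```

The "no TGT issuance" check is the one that most directly captures a forged ticket: the KDC never issued it, so the first trace it leaves is a 4769 (or a logon) with no preceding 4768 for that user from that source. On its own that rule is noisy, since TGTs obtained before the log window or from another DC also lack a local 4768, so in practice it is weighted alongside the user-existence, privilege and RC4 signals rather than alerted on alone.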
The fix that holds
Protect domain controllers and the krbtgt key as Tier 0, rotate krbtgt twice on any suspicion of DC compromise, and monitor for ticket anomalies. Recovery from a confirmed Golden Ticket means treating the whole domain as compromised.
Practice it
We built a Golden Ticket scenario in GraphLattice Range so teams learn why this is persistence at the root of trust, and what real eviction requires.