Tags: active directory, kerberos, diamond ticket, for responders

Diamond Ticket: a real TGT with a forged PAC inside it

A Diamond Ticket edits a genuine KDC-issued TGT instead of fabricating one, so ticket-existence checks miss it. The only durable fix is the double KRBTGT reset.

A Golden Ticket fabricates a whole Kerberos TGT. A Diamond Ticket is subtler: it lets the KDC issue a real one, then quietly edits what is inside.

How the attack works

The attacker has already stolen the KRBTGT key. They request a real TGT for a low-privileged user through the normal authentication flow, which looks entirely ordinary in the logs. Offline, with no domain controller interaction, they decrypt that legitimate ticket using the stolen KRBTGT key, inject privileged group SIDs such as Domain Admins into the embedded PAC, and re-encrypt it. The result is a TGT with a genuine KDC-issued base and authentic metadata, carrying elevated membership the account never had. Presenting it, the session reaches a Tier-0 resource as that user. In ATT&CK terms this is T1558, Steal or Forge Kerberos Tickets, paired with T1550, Use Alternate Authentication Material.

Why it works

Because the base TGT genuinely came from the KDC, naive detections that look for a ticket with no matching authentication request find nothing. The KRBTGT key signs and encrypts every TGT, so whoever holds it can keep doctoring tickets for any account.

How to fix it

The scenario teaches that there is no per-ticket kill switch. Blocking one doctored ticket and disabling one user leaves the stolen key valid, so fresh Diamond Tickets keep coming. The durable containment is the double KRBTGT reset: reset the KRBTGT password twice, spaced past the maximum ticket lifetime, so every ticket signed with the stolen key becomes invalid without breaking in-flight valid tickets. Then close how the key leaked, whether DCSync rights, a compromised DC or backup, or exposed NTDS material. Hunt by comparing each session's asserted group SIDs against the account's real directory membership, since ticket-existence hunts fail here.
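The PAC mismatch hunt described above, as an added example that is not the field note's or GraphLattice's code. It assumes the directory's group membership and each session's asserted group SIDs have already been collected; the domain SID, accounts, group names and session records are constructed sample data. Two details matter in practice and are handled here: the SIDs LSA adds to every token (Everyone, Authenticated Users, and so on) are not directory memberships and must be excluded, and the account's real membership has to be expanded transitively (what tokenGroups returns), otherwise a user who is in Domain Admins only via a nested group is a false positive.

```python
"""PAC-mismatch hunt: flag sessions asserting group SIDs the account does not really hold.

Added example for the field note above; it is not the page's or GraphLattice's code.
All SIDs, accounts, groups and session records below are constructed sample data.
"""
from dataclasses import dataclass

# Constructed domain SID. A real hunt reads it from the directory.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"


def rid(n: int) -> str:
    """Build a domain-relative SID from a RID."""
    return f"{DOMAIN_SID}-{n}"


# Membership that must come only from the directory, never from a ticket alone.
PRIVILEGED_SIDS = {
    rid(512),        # Domain Admins
    rid(518),        # Schema Admins
    rid(519),        # Enterprise Admins
    "S-1-5-32-544",  # BUILTIN\Administrators
}

# SIDs LSA adds to every token regardless of directory membership; comparing
# them against the directory would flag every session, so they are ignored.
IMPLICIT_SIDS = {"S-1-1-0", "S-1-5-11", "S-1-5-15", "S-1-5-2", "S-1-5-4"}

# Constructed directory: direct members of each group (users and nested groups).
GROUP_MEMBERS = {
    rid(513): {"jdoe", "admin.svc", "bkup.ops"},   # Domain Users (primary group)
    rid(512): {"admin.svc", rid(1105)},            # Domain Admins, nests Tier0-Ops
    rid(1105): {"bkup.ops"},                       # Tier0-Ops (constructed custom group)
    "S-1-5-32-544": {rid(512)},                    # Administrators nests Domain Admins
}

# Constructed session records, shaped like the group list a logon event carries.
SESSIONS = [
    {"logon_id": "0x3e7a1", "account": "jdoe",
     "sids": ["S-1-1-0", "S-1-5-11", rid(513)]},                           # ordinary user
    {"logon_id": "0x3e7a2", "account": "jdoe",
     "sids": ["S-1-1-0", "S-1-5-11", rid(513), rid(512)]},                 # doctored PAC
    {"logon_id": "0x3e7a3", "account": "admin.svc",
     "sids": ["S-1-5-11", rid(513), rid(512), "S-1-5-32-544"]},            # real admin
    {"logon_id": "0x3e7a4", "account": "bkup.ops",
     "sids": ["S-1-5-11", rid(513), rid(1105), rid(512), "S-1-5-32-544"]},  # nested, legit
    {"logon_id": "0x3e7a5", "account": "ghost",
     "sids": ["S-1-5-11", rid(513)]},                                      # no such account
]


def transitive_groups(account: str, group_members: dict) -> set:
    """Expand nested membership the way tokenGroups does."""
    groups = set()
    frontier = [account]
    while frontier:
        member = frontier.pop()
        for group, members in group_members.items():
            if member in members and group not in groups:
                groups.add(group)
                frontier.append(group)   # the group itself may be nested further up
    return groups


@dataclass(frozen=True)
class Finding:
    logon_id: str
    account: str
    extra_sids: frozenset
    privileged: bool
    reason: str


def hunt(sessions, group_members=GROUP_MEMBERS, implicit=IMPLICIT_SIDS,
         privileged=PRIVILEGED_SIDS) -> list:
    """Return one Finding per session whose asserted SIDs exceed real membership."""
    findings = []
    for s in sessions:
        asserted = set(s["sids"]) - implicit
        real = transitive_groups(s["account"], group_members)
        if not real:
            # Every real account is at least in its primary group, so an empty
            # expansion means the directory does not know this account at all.
            findings.append(Finding(s["logon_id"], s["account"], frozenset(asserted),
                                    bool(asserted & privileged),
                                    "account not found in directory"))
            continue
        extra = asserted - real
        if extra:
            findings.append(Finding(s["logon_id"], s["account"], frozenset(extra),
                                    bool(extra & privileged),
                                    "asserted SIDs not in directory membership"))
    return findings


if __name__ == "__main__":
    for f in hunt(SESSIONS):
        tag = "PRIVILEGED" if f.privileged else "info"
        print(f"[{tag}] logon {f.logon_id} {f.account}: {sorted(f.extra_sids)} ({f.reason})")
```

Run against the constructed sessions, only the second jdoe logon (Domain Admins asserted, never granted) and the unknown account are reported; the service account and the nested Tier0-Ops member pass because their asserted SIDs are fully explained by the directory. In a live hunt the session records would come from the logon events on each Tier-0 host and the group map from the directory, and the privileged-SID set would be extended with the domain's own Tier-0 groups.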

Practice it

We built this as a GraphLattice Range scenario so responders can rehearse the double KRBTGT reset and the PAC mismatch hunt that catches a forged ticket inside a real one.