8.3 - Diamond Ticket
Diamond Ticket (TGT Modification Attack)
A Diamond Ticket is a modified version of a legitimate TGT (Ticket Granting Ticket). Unlike a Golden Ticket, which is forged entirely from scratch, a Diamond Ticket starts from a real TGT issued by a Domain Controller: the ticket is decrypted with the krbtgt account key, its PAC is modified, the PAC checksums are re-signed, and the ticket is re-encrypted with the same krbtgt key.
Key Characteristics
A Diamond Ticket is a TGT modification attack, whereas a Golden Ticket is a TGT forgery attack.
A legitimate TGT is obtained for an account you control (through a normal AS-REQ with its credentials, or via the tgtdeleg trick), decrypted with the krbtgt key, its PAC content (username, RID, group SIDs) is modified, the PAC checksums are re-signed, and the result is re-encrypted with the krbtgt AES key.
The ticket keeps the timestamps (authtime, start time, end time and renew-till) of the DC-issued ticket, so its lifetime looks normal.
More stealthy than Golden Tickets because:
A real AS-REQ/AS-REP exchange took place, so the DC logs a 4768 (TGT request) and the ticket's encryption type, flags and lifetime are exactly what the KDC issues.
TGS requests made with the ticket therefore correspond to a TGT the DC actually issued, whereas a Golden Ticket produces TGS requests (4769) with no preceding TGT request at all.
Detection rules that look for fully forged tickets (a 4769 without any 4768, non-default ticket lifetimes, RC4-encrypted tickets in an AES-only domain) do not fire.
Caveat: the 4768 names the original account (e.g. studentx), not the impersonated one (administrator), so correlating 4768 and 4769 events by account name and client address can still expose the ticket.
Persistence: one ticket is valid for its inherited TGT lifetime (10 hours by default, renewable for up to 7 days), but new tickets can be forged at will for as long as the krbtgt key stays valid. Because the KDC accepts tickets protected by the current and the previous krbtgt key, the key has to be rotated twice to invalidate a stolen key.
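As a check on the stealth claim above, here is an added example (not code from this page, from Rubeus or from any product) that correlates Kerberos audit events the way a SIEM rule would: every successful TGS request (4769) is expected to be preceded, within the TGT lifetime, by a successful TGT request (4768) for the same account from the same client address. The record layout (Id, Time, Account, Client, Service, Status) and the sample events are constructed assumptions modelled on the Security-log fields TargetUserName, IpAddress and Result/Failure Code; the sample contains one legitimate administrator logon and one Diamond Ticket scenario, where the 4768 belongs to studentx and the following 4769 carries the administrator identity.

```powershell
# Added example for this page, not code from the page, Rubeus or any product.
# A Diamond Ticket breaks the 4768 -> 4769 pairing: the 4768 names the account
# whose TGT was obtained (studentx), the 4769s name the impersonated account
# (administrator), so no 4768 for administrator exists from that client.

function Normalize-Account([string] $Name) {
    # 4769 logs TargetUserName as a UPN (user@REALM); 4768 logs the bare name.
    return ($Name -split '@')[0].ToLowerInvariant()
}

function Normalize-Client([string] $Address) {
    # IPv4 clients are usually logged as IPv4-mapped IPv6 (::ffff:10.0.0.5).
    return $Address -replace '^::ffff:', ''
}

function Find-TgsWithoutTgt {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [timespan] $Lookback = (New-TimeSpan -Hours 10)   # default maximum TGT lifetime
    )
    # Status '0x0' is the success value of Result Code (4768) / Failure Code (4769).
    $tgts = @($Events | Where-Object { $_.Id -eq 4768 -and $_.Status -eq '0x0' })
    $hits = @(foreach ($tgs in ($Events | Where-Object { $_.Id -eq 4769 -and $_.Status -eq '0x0' })) {
        $acct   = Normalize-Account $tgs.Account
        $client = Normalize-Client  $tgs.Client
        $matched = $tgts | Where-Object {
            (Normalize-Account $_.Account) -eq $acct -and
            (Normalize-Client  $_.Client)  -eq $client -and
            $_.Time -le $tgs.Time -and
            ($tgs.Time - $_.Time) -le $Lookback
        }
        if (-not $matched) { $tgs }   # TGS request with no matching TGT request
    })
    return $hits
}

# Constructed sample events (field names and values are assumptions).
$t0 = Get-Date -Date '2024-05-01T09:00:00'
$sample = @(
    # Legitimate: administrator requests a TGT from 10.0.0.9, then a service ticket.
    [pscustomobject]@{ Id = 4768; Time = $t0;               Account = 'administrator';            Client = '::ffff:10.0.0.9'; Service = 'krbtgt';    Status = '0x0' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(1); Account = 'administrator@CORP.LOCAL'; Client = '::ffff:10.0.0.9'; Service = 'cifs/dc01'; Status = '0x0' }
    # Diamond Ticket: studentx requests the TGT from 10.0.0.5, but the TGS
    # requests that follow carry the impersonated administrator identity.
    [pscustomobject]@{ Id = 4768; Time = $t0.AddMinutes(5); Account = 'studentx';                 Client = '::ffff:10.0.0.5'; Service = 'krbtgt';    Status = '0x0' }
    [pscustomobject]@{ Id = 4769; Time = $t0.AddMinutes(7); Account = 'administrator@CORP.LOCAL'; Client = '::ffff:10.0.0.5'; Service = 'cifs/dc01'; Status = '0x0' }
)

Find-TgsWithoutTgt -Events $sample |
    Select-Object Time, Account, Client, Service |
    Format-Table -AutoSize
```

The function is written against in-memory objects so it runs offline; feeding it real data means mapping the output of Get-WinEvent on a DC into the same shape. Tune the lookback to the domain's maximum TGT lifetime and renewal settings, and expect noise wherever many users share one client address (NAT, terminal servers).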
Forge a Diamond Ticket with Credentials
You can use Rubeus to create a Diamond Ticket using the krbtgt AES key and the credentials of a domain user:
Forge a Diamond Ticket Using /tgtdeleg
If you cannot (or do not want to) supply the user's credentials, pass /tgtdeleg instead. Rubeus then obtains the TGT of the current logon session with the tgtdeleg trick: it requests a service ticket through the GSS-API for a target trusted for unconstrained delegation (by default the DC), which makes LSASS embed a forwarded copy of the current user's TGT in the resulting AP-REQ, and decrypts that KRB-CRED with the session key read from the local ticket cache. No plaintext password and no elevation are required, so the Diamond Ticket can be produced from a plain domain-user context:
Parameters Explained
diamond
    The Rubeus action (Rubeus.exe diamond ...) that obtains a TGT, decrypts and modifies it, and re-encrypts it.
/krbkey:<key>
    AES256 key of the krbtgt account, used to decrypt the TGT, re-sign the PAC and re-encrypt the result (required).
/user:studentx + /password:...
    Domain user credentials used for the real AS-REQ that obtains the TGT to be modified.
/tgtdeleg
    Obtains the current logon session's TGT via the tgtdeleg trick instead of using credentials.
/ticketuser:administrator
    Username written into the modified ticket and its PAC.
/ticketuserid:500
    RID written into the PAC for the impersonated user (500 is the built-in Administrator account).
/groups:512
    Comma-separated RIDs of the groups the impersonated user should appear to belong to (512 = Domain Admins).
/domain, /dc
    Target domain and the Domain Controller the AS-REQ is sent to.
/enctype:aes
    Encryption type requested for the TGT; it must match the type of the krbtgt key supplied with /krbkey.
/createnetonly:<path>
    Starts the given program (e.g. cmd.exe) in a new netonly (LOGON_NETCREDENTIALS_ONLY) logon session; combined with /ptt the ticket is imported into that session rather than the current one, so the operator's existing tickets stay untouched.
/show
    Prints the decoded, modified ticket before injection.
/ptt
    Imports the forged ticket into the current logon session (or into the sacrificial session created by /createnetonly).