Keeping attackers out: golden tickets, silver tickets, and full domain recovery

Reading time: 13 min


  • 03/2021
Johann Scheepers

Incident Response Consultant

For an organization to recover fully from an incident, the attacker responsible must not only be removed, but eradicated. That means severing their way back in. 

Golden ticket attacks are well-recognized and have been known to give attackers access to their target’s systems for years, but they are not the only means for them to totally and repeatedly compromise a domain.

This short paper is a guide to Kerberos-based attacks that exploit legitimate functionality in Active Directory (AD). It includes guidance on how to remediate golden and silver ticket use, reset KRBTGT, and recover fully from domain controller compromise. Written from an incident response perspective, readers will come to appreciate the scale of the risk associated with both types of attack and discover the means with which this risk can be remediated.

What you’ll learn:

  • A more effective way to remediate the use of golden tickets in your environment than doing it manually
  • How to reset KRBTGT
  • Why silver ticket attacks need just as much attention as their golden equivalent
  • How to remediate them
  • Why it is so challenging to detect golden and silver ticket attacks in the first place
  • How to recover from a domain controller compromise, step-by-step
  • The other factors to prepare for and consider in your domain recovery plan

Related resources

Incident readiness & response

WithSecure's™ cyber security experts pre-empt, prepare for & counteract cyber security incidents with state-of-the-art incident response software and solutions.

Read more