TTPwire Vol. 1 · MITRE ATT&CK-Tagged


Huntress

Recutting the Kerberos Diamond Ticket

2025-06-25

ATT&CK techniques detected

48 predictions
T1558.003 Kerberoasting · 87%
“…’ “describe” function. Like a jeweler with a loupe, sometimes you need to zoom in on a Kerberos ticket to see what it's really made of. Instead of diamonds, you're inspecting encrypted ticket blobs with Rubeus' /describe. Kerberos tickets are at the heart of authentication…”

T1558.003 Kerberoasting · 87%
“…- Signature: 7c50b4a42f460f3b97f3f2d5 (valid) - This checksum ensures that the ticket remains secure while being processed by the KDC. *Just a reminder, as noted in our previous blog post, “Ticket and FullPAC checksums are not present in TGTs or referrals. They are only pres…”

T1558.003 Kerberoasting · 84%
“…encryption process. We'll also examine the technical shortcomings of the current approach and explore why addressing these issues, particularly around the PAC, is crucial for enhancing the OPSEC and practical viability of the Diamond Ticket in real-world scenarios. Let's cr…”

T1558.003 Kerberoasting · 75%
“…f by reading the GptTmpl.inf file, Rubeus can retrieve the domain's configured password and Kerberos policies. These settings dictate crucial behaviors such as password complexity requirements, how often passwords must be changed, and how long Kerberos tickets remain valid. …”

T1558.003 Kerberoasting · 73%
“…. The PAC is a core component of Kerberos tickets and is essential for both authentication and authorization within AD. Below, we break down how Rubeus' LDAP function operates in technical detail. The Networking.cs file handles how Rubeus interacts with LDAP in a given AD domai…”

T1201 Password Policy Discovery · 73%
“…'s Kerberos policies and password policies primarily from the GptTmpl.inf file, which is stored in the SYSVOL directory for Group Policy Objects (GPOs). This file contains key settings related to password policies (e.g., minimum password length, password expiration) and Ke…”

T1558.003 Kerberoasting · 73%
“…-to-DC communication patterns - Building SIEM rules that connect multiple indicators - Remembering that even "normal-looking" authentication might be hiding forged tickets. Looking forward: the polished Diamond Ticket technique shows that Kerberos attacks keep evolving. As d…”

T1558.003 Kerberoasting · 72%
“…513, 519, 518) similar to other attack tools, which are well-known and can serve as a clear indicator of compromise (IoC) if the PAC can be decrypted. Additionally, the PAC lacks other critical details that would align it more closely with a legitimate ticket, such as accura…”

T1558.003 Kerberoasting · 72%
“…up to close inspection with all the clarity, cut, and grade of the real thing and match legitimate Kerberos tickets even on the wire or in the PAC. Service ticket functionality: just as recutting a diamond enhances its clarity and value, we've refined the Diamond Ticket techniqu…”

T1558.003 Kerberoasting · 71%
“Recutting the Kerberos Diamond Ticket. This blog was co-written with Charlie Clark (@exploitph). Introduction: the Kerberos "Diamond Ticket" has, much like an uncut diamond, been misunderstood and undervalued since its initial inception. When the proof of concept (PoC) was …”

T1558.003 Kerberoasting · 71%
“…for example, PAC attributes), and re-encrypted using the krbtgt AES256 key. The only difference between Diamond and Golden or Silver Tickets is this initial AS exchange, making the authentication flow appear more legitimate on the surface. This perceived legitimacy is arguably…”

T1558.003 Kerberoasting · 70%
“…mischief$ /nowrap /opsec /ticket:<output_of_service_ticket> /service:<spn> /servicekey:<aes256_service_key> Figure 9: Terminal output showcasing using a ticket and /servicekey supplied to diamond. Figure 10: Final PoC of diamond's ability to forge …”

T1558.003 Kerberoasting · 66%
“…secure communications between the user and the service, encoded in Base64. This key is a shared secret established during the ticket-granting process. It ensures that only authorized parties can decrypt the session data and use its contents. 6. Encrypted data - Block one plain …”

T1558.003 Kerberoasting · 65%
“…and demonstrate how the concept can be applied to service tickets (STs). Imperfect diamond: before we can appreciate the brilliance of an optimized "Diamond Ticket," we need to examine its current form. Much like an uncut diamond, the PoC in its current state demonstrated in r…”

T1558.004 AS-REP Roasting · 63%
“…f by reading the GptTmpl.inf file, Rubeus can retrieve the domain's configured password and Kerberos policies. These settings dictate crucial behaviors such as password complexity requirements, how often passwords must be changed, and how long Kerberos tickets remain valid. …”

T1558 Steal or Forge Kerberos Tickets · 61%
“…in sophisticated attacks or tests. Adding LDAP integration to Diamond Tickets: to address this issue, we made the decision to rework Rubeus' ForgeTicket.cs and Diamond.cs to support the /ldap parameter for Diamond Tickets. This enhancement ensures that the LDAP attributes are …”

T1558.004 AS-REP Roasting · 61%
“…. The PAC is a core component of Kerberos tickets and is essential for both authentication and authorization within AD. Below, we break down how Rubeus' LDAP function operates in technical detail. The Networking.cs file handles how Rubeus interacts with LDAP in a given AD domai…”

T1558.003 Kerberoasting · 60%
“…logins. By extracting Kerberos policies and LDAP attributes, Rubeus is capable of forging a valid TGT that mirrors the behavior of a legitimate Kerberos ticket. This forged ticket allows attackers or testers to bypass standard authentication mechanisms and escalate privileges wit…”

T1558 Steal or Forge Kerberos Tickets · 56%
“…-to-DC communication patterns - Building SIEM rules that connect multiple indicators - Remembering that even "normal-looking" authentication might be hiding forged tickets. Looking forward: the polished Diamond Ticket technique shows that Kerberos attacks keep evolving. As d…”

T1558 Steal or Forge Kerberos Tickets · 55%
“…authentic-looking ticket that can pass even strict PAC validation checks. Adding /opsec integration to Diamond Tickets: we've also implemented support for the /opsec flag in Diamond Tickets to ensure the network traffic generated during ticket creation matches genuine Window…”

T1558.004 AS-REP Roasting · 53%
“…a vital role in linking authentication with authorization. The PAC is the data set that services use to determine what the user is allowed to do once they have been authenticated. Key PAC roles: - User identity: the PAC includes the user's SID, which uniquely identifies them …”

T1558 Steal or Forge Kerberos Tickets · 52%
“…logins. By extracting Kerberos policies and LDAP attributes, Rubeus is capable of forging a valid TGT that mirrors the behavior of a legitimate Kerberos ticket. This forged ticket allows attackers or testers to bypass standard authentication mechanisms and escalate privileges wit…”

T1558.003 Kerberoasting · 49%
“…it's responsible for issuing and renewing TGTs. In this case, the service is specific to the marvel.local domain. - ServiceRealm: marvel.local - The ServiceRealm is not where the service is located, but rather specifies the realm where the ticket was requested or issued. In …”

T1552.006 Group Policy Preferences · 49%
“…'s Kerberos policies and password policies primarily from the GptTmpl.inf file, which is stored in the SYSVOL directory for Group Policy Objects (GPOs). This file contains key settings related to password policies (e.g., minimum password length, password expiration) and Ke…”

T1558 Steal or Forge Kerberos Tickets · 48%
“…is being used for. This was added by Microsoft to protect against the sAMAccountName impersonation bug. 9. Checksums and signatures* - ServerChecksum: - Signature type: KERB_CHECKSUM_HMAC_SHA1_96_AES256 - This is the type of checksum used to validate the integrity of…”

T1558.004 AS-REP Roasting · 47%
“…513, 519, 518) similar to other attack tools, which are well-known and can serve as a clear indicator of compromise (IoC) if the PAC can be decrypted. Additionally, the PAC lacks other critical details that would align it more closely with a legitimate ticket, such as accura…”

T1558 Steal or Forge Kerberos Tickets · 47%
“…-authentication before the ticket can be issued. It ensures additional verification is needed, strengthening security. - Initial: marks the ticket as the initial one, meaning it was issued at the beginning of the user's session. - Renewable: the ticket can be renewed without…”

T1558.003 Kerberoasting · 47%
“…in sophisticated attacks or tests. Adding LDAP integration to Diamond Tickets: to address this issue, we made the decision to rework Rubeus' ForgeTicket.cs and Diamond.cs to support the /ldap parameter for Diamond Tickets. This enhancement ensures that the LDAP attributes are …”

T1558 Steal or Forge Kerberos Tickets · 47%
“…and demonstrate how the concept can be applied to service tickets (STs). Imperfect diamond: before we can appreciate the brilliance of an optimized "Diamond Ticket," we need to examine its current form. Much like an uncut diamond, the PoC in its current state demonstrated in r…”

T1558.003 Kerberoasting · 46%
“…is being used for. This was added by Microsoft to protect against the sAMAccountName impersonation bug. 9. Checksums and signatures* - ServerChecksum: - Signature type: KERB_CHECKSUM_HMAC_SHA1_96_AES256 - This is the type of checksum used to validate the integrity of…”

T1558.003 Kerberoasting · 45%
“…'ve got a golden twinkle in my eye," presented at SANS Pentest and HackFest Summit 2022). Key insights from the diagram: - The PAC resides within the authorization-data field of the ticket and is encrypted to protect its confidentiality. - For TGTs, the krbtgt account key is…”

T1558.002 Silver Ticket · 45%
“…up to close inspection with all the clarity, cut, and grade of the real thing and match legitimate Kerberos tickets even on the wire or in the PAC. Service ticket functionality: just as recutting a diamond enhances its clarity and value, we've refined the Diamond Ticket techniqu…”

T1558 Steal or Forge Kerberos Tickets · 43%
“…for example, PAC attributes), and re-encrypted using the krbtgt AES256 key. The only difference between Diamond and Golden or Silver Tickets is this initial AS exchange, making the authentication flow appear more legitimate on the surface. This perceived legitimacy is arguably…”

T1558.003 Kerberoasting · 43%
“…LogonServer: earth-dc - The domain controller that authenticated the user. It helps track where the authentication request was processed. - Groups: 520, 512, 513, 519, 518 - A list of group RIDs that the user belongs to. These RIDs are important for defining what resources th…”

T1558.003 Kerberoasting · 43%
“…Diamond Ticket PoC. Now that we've had more time to dig deeper, we figured there's no better moment to revisit the concept and apply it directly to service tickets. What's new: our update allows you to apply the diamond forgery technique to service tickets, which are normall…”

T1558.003 Kerberoasting · 43%
“…apConnection object is initialized with the DC's hostname or IP address, and authentication is performed using provided credentials (plaintext password, NTLM hash, or Kerberos ticket). a. Binding to the domain controller: - Rubeus binds to the LDAP service on the DC using …”

T1558.002 Silver Ticket · 42%
“…mischief$ /nowrap /opsec /ticket:<output_of_service_ticket> /service:<spn> /servicekey:<aes256_service_key> Figure 9: Terminal output showcasing using a ticket and /servicekey supplied to diamond. Figure 10: Final PoC of diamond's ability to forge …”

T1558.004 AS-REP Roasting · 42%
“…user:loki /ldappassword:mischief$ Figure 6: Output showcasing Rubeus' diamond action with new output when /ldap, /ldapuser and /ldappassword are supplied. The complete transformation: every field corrected. Let's perform a detailed comparison of a decrypted diamond …”

T1558 Steal or Forge Kerberos Tickets · 42%
“Recutting the Kerberos Diamond Ticket. This blog was co-written with Charlie Clark (@exploitph). Introduction: the Kerberos "Diamond Ticket" has, much like an uncut diamond, been misunderstood and undervalued since its initial inception. When the proof of concept (PoC) was …”

T1558.002 Silver Ticket · 41%
“…ground. Golden and Silver Tickets just appear out of nowhere with no authentication flow. Diamond Tickets? They actually go through real AS-REQ/AS-REP or TGS-REQ/TGS-REP exchanges. Combine this legitimate network traffic with our LDAP-populated PAC data, and you'v…”

T1558.002 Silver Ticket · 38%
“…Diamond Ticket PoC. Now that we've had more time to dig deeper, we figured there's no better moment to revisit the concept and apply it directly to service tickets. What's new: our update allows you to apply the diamond forgery technique to service tickets, which are normall…”

T1558.004 AS-REP Roasting · 37%
“…apConnection object is initialized with the DC's hostname or IP address, and authentication is performed using provided credentials (plaintext password, NTLM hash, or Kerberos ticket). a. Binding to the domain controller: - Rubeus binds to the LDAP service on the DC using …”

T1558.003 Kerberoasting · 36%
“…a vital role in linking authentication with authorization. The PAC is the data set that services use to determine what the user is allowed to do once they have been authenticated. Key PAC roles: - User identity: the PAC includes the user's SID, which uniquely identifies them …”

T1558 Steal or Forge Kerberos Tickets · 35%
“…encryption process. We'll also examine the technical shortcomings of the current approach and explore why addressing these issues, particularly around the PAC, is crucial for enhancing the OPSEC and practical viability of the Diamond Ticket in real-world scenarios. Let's cr…”

T1558 Steal or Forge Kerberos Tickets · 35%
“…’ “describe” function. Like a jeweler with a loupe, sometimes you need to zoom in on a Kerberos ticket to see what it's really made of. Instead of diamonds, you're inspecting encrypted ticket blobs with Rubeus' /describe. Kerberos tickets are at the heart of authentication…”

T1558.004 AS-REP Roasting · 33%
“…in sophisticated attacks or tests. Adding LDAP integration to Diamond Tickets: to address this issue, we made the decision to rework Rubeus' ForgeTicket.cs and Diamond.cs to support the /ldap parameter for Diamond Tickets. This enhancement ensures that the LDAP attributes are …”

T1558.003 Kerberoasting · 32%
“…ground. Golden and Silver Tickets just appear out of nowhere with no authentication flow. Diamond Tickets? They actually go through real AS-REQ/AS-REP or TGS-REQ/TGS-REP exchanges. Combine this legitimate network traffic with our LDAP-populated PAC data, and you'v…”

T1558 Steal or Forge Kerberos Tickets · 30%
“…up to close inspection with all the clarity, cut, and grade of the real thing and match legitimate Kerberos tickets even on the wire or in the PAC. Service ticket functionality: just as recutting a diamond enhances its clarity and value, we've refined the Diamond Ticket techniqu…”

Summary

Clear up common misconceptions about the Kerberos Diamond Ticket and learn how to refine the technique for better OPSEC, including more realistic PAC details and support for service tickets. You’ll learn how to apply the idea securely to both Ticket Granting Tickets and Service Tickets, creating forgeries that blend in more effectively with legitimate Kerberos traffic. The result is a stealthier alternative to traditional Silver Tickets and a more convincing method that raises the bar for Kerberos forgeries.