Previously on The Purple Team Chronicles
Michelle, the Blue Team lead, shut down the Red Team’s lateral movement attempts with forensic speed and Vicarius vRx telemetry. Alex, the Red Team lead, had seen most of his options walled off except one. His recon had uncovered something deeper, something more dangerous: domain-level compromise. And with it, the keys to the kingdom.
Forging the Skeleton Key
Alex knew this was the final card. From a compromised Domain Controller, he had access to DCSync functions. It was all he needed to extract the krbtgt hash, the heart of Kerberos ticketing.
Red Team Tactics:
- T1003.006 – OS Credential Dumping: DCSync
- .\mimikatz.exe "privilege::debug" "lsadump::lsa /inject" exit

The hash was his. With it, he crafted a Golden Ticket, a forged Kerberos ticket that would grant him unrestricted access across the domain.
Tactic:
- T1558.001 – Steal or Forge Kerberos Tickets
- .\mimikatz.exe "kerberos::golden /user:Administrator /domain:vrxdomain.local /sid:S-1-5-21-... /krbtgt:<hash> /id:500"

He loaded the ticket:
- .\mimikatz.exe "kerberos::ptt ticket.kirbi"

Just like that, Alex could impersonate any user, access any resource, and remain undetected. It wasn’t a backdoor. It was a master key.
“This,” he muttered, “is what it means to own the domain.”
Michelle Smells the Smoke
Michelle was conducting a post-incident review when she saw it: a spike in Kerberos authentication requests on critical servers. Nothing should’ve triggered that.
She drilled into the logs:
Get-WinEvent -LogName Security | Where-Object {$_.ID -in 4769, 4771}
One thing stood out: the source of the requests was using perfectly valid tickets, but from a host that shouldn’t be issuing them. It smelled like a Golden Ticket attack.
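The correlation Michelle is describing, written out as an added PowerShell example that is not part of the original post: a service ticket request (4769) that was never preceded by a TGT request (4768) for the same account on the DC is the footprint a forged ticket leaves, since the attacker mints the TGT offline and never asks the KDC for one. The function names, the flattened field names, the 10-hour look-back window (the default maximum TGT lifetime) and the sample events are assumptions constructed for illustration.

```powershell
# Added example (not from the original post): correlate Kerberos events to spot
# TGS requests (4769) with no preceding TGT request (4768) for the same account,
# and flag tickets negotiated with RC4 (0x17) where the domain expects AES.
# Function names, field names, window and sample data are assumptions.

function Find-SuspiciousTgsRequests {
    param(
        # Flat objects with Id, TimeCreated, TargetUserName, IpAddress, TicketEncryptionType
        [Parameter(Mandatory)] [object[]] $Events,
        # How far back to look for a matching 4768; default TGT lifetime is 10 hours
        [timespan] $Window = (New-TimeSpan -Hours 10)
    )
    $tgts = $Events | Where-Object { $_.Id -eq 4768 }
    foreach ($tgs in ($Events | Where-Object { $_.Id -eq 4769 })) {
        # 4769 carries user@REALM, 4768 carries the bare account name
        $user = $tgs.TargetUserName -replace '@.*$', ''
        $priorTgt = $tgts | Where-Object {
            $_.TargetUserName -eq $user -and
            $_.TimeCreated -le $tgs.TimeCreated -and
            ($tgs.TimeCreated - $_.TimeCreated) -le $Window
        }
        $reasons = @()
        if (-not $priorTgt) { $reasons += 'no matching 4768 (TGT request) on this DC' }
        if ($tgs.TicketEncryptionType -eq '0x17') { $reasons += 'RC4 ticket encryption (possible downgrade)' }
        if ($reasons) {
            [pscustomobject]@{
                Time   = $tgs.TimeCreated
                User   = $user
                Source = $tgs.IpAddress
                Reason = $reasons -join '; '
            }
        }
    }
}

# Turns real Security log records into the flat shape above. The EventData field
# names (TargetUserName, IpAddress, TicketEncryptionType) follow the 4768/4769 schema.
function ConvertFrom-KerberosEvent {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        $x = [xml]$Record.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        [pscustomobject]@{
            Id                   = $Record.Id
            TimeCreated          = $Record.TimeCreated
            TargetUserName       = $d['TargetUserName']
            IpAddress            = $d['IpAddress']
            TicketEncryptionType = $d['TicketEncryptionType']
        }
    }
}

# Constructed sample: one normal session (4768 then 4769) and one forged-ticket pattern
# (a 4769 for Administrator, RC4, from a host that never requested a TGT).
$now = Get-Date
$sample = @(
    [pscustomobject]@{ Id = 4768; TimeCreated = $now.AddMinutes(-5); TargetUserName = 'jdoe';                          IpAddress = '::ffff:10.0.0.21'; TicketEncryptionType = '0x12' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $now.AddMinutes(-4); TargetUserName = 'jdoe@VRXDOMAIN.LOCAL';          IpAddress = '::ffff:10.0.0.21'; TicketEncryptionType = '0x12' }
    [pscustomobject]@{ Id = 4769; TimeCreated = $now.AddMinutes(-1); TargetUserName = 'Administrator@VRXDOMAIN.LOCAL'; IpAddress = '::ffff:10.0.0.99'; TicketEncryptionType = '0x17' }
)
Find-SuspiciousTgsRequests -Events $sample | Format-Table -AutoSize

# Against a live DC with Kerberos auditing enabled (uncomment to run):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768, 4769; StartTime = $now.AddHours(-24) } |
#     ConvertFrom-KerberosEvent | Find-SuspiciousTgsRequests | Format-Table -AutoSize
```

On the sample data only the Administrator request is reported, with both reasons. On a real estate the 4768 and the 4769 for one session can land on different domain controllers, so feed the function events aggregated from every DC (or from the SIEM) rather than a single DC's log, or the first check will produce false positives.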
Her response was instant.
Mitigation Steps:
- Rotate the krbtgt password twice (rendering old tickets useless):
# The password value itself is irrelevant, since nobody logs in as krbtgt; what matters is that the key changes
$SecurePassword = ConvertTo-SecureString "NewSecurePassword123!" -AsPlainText -Force
Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $SecurePassword
- Wait, then rotate again to fully invalidate all prior ticket generations.
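The double reset as a staged procedure, added here as an example that is not part of the original post and not Microsoft's own reset script: the second reset is refused until every writable DC reports the first key and a minimum interval has passed, because DCs keep only the current and previous krbtgt key, so two resets in quick succession invalidate every ticket that was legitimately issued before the first one. The function names, the 32-byte random password and the 10-hour default interval (the default maximum TGT lifetime) are assumptions; it requires the ActiveDirectory module and Domain Admin rights.

```powershell
# Added example (not from the original post): two-stage krbtgt reset with a
# replication check between the stages. Function names and the 10-hour default
# interval are assumptions. Requires the ActiveDirectory module (RSAT or a DC).

function Get-KrbtgtPasswordLastSet {
    # Reads PasswordLastSet for krbtgt from a specific DC (default: the PDC emulator)
    param([string] $Server = (Get-ADDomain).PDCEmulator)
    (Get-ADUser -Identity krbtgt -Properties PasswordLastSet -Server $Server).PasswordLastSet
}

function Test-KrbtgtReplicated {
    # True only when every writable DC reports the expected (or a newer) PasswordLastSet.
    # RODCs are skipped: they use their own krbtgt_<id> accounts.
    param([Parameter(Mandatory)] [datetime] $Expected)
    $writable = Get-ADDomainController -Filter * | Where-Object { -not $_.IsReadOnly }
    $lagging = foreach ($dc in $writable) {
        $seen = Get-KrbtgtPasswordLastSet -Server $dc.HostName
        if (-not $seen -or $seen -lt $Expected) { $dc.HostName }
    }
    if ($lagging) {
        Write-Warning ("krbtgt key not yet replicated to: " + ($lagging -join ', '))
        return $false
    }
    return $true
}

function Invoke-KrbtgtReset {
    # -Stage 1 resets once. -Stage 2 resets again, but only after the stage-1 key has
    # replicated to every writable DC and $MinimumInterval has elapsed since it was set.
    param(
        [Parameter(Mandatory)] [ValidateSet(1, 2)] [int] $Stage,
        [timespan] $MinimumInterval = (New-TimeSpan -Hours 10)
    )
    $pdc = (Get-ADDomain).PDCEmulator
    if ($Stage -eq 2) {
        $last = Get-KrbtgtPasswordLastSet -Server $pdc
        if (-not (Test-KrbtgtReplicated -Expected $last)) {
            throw "Stage 1 key has not reached every DC yet; retry later."
        }
        $age = (Get-Date) - $last
        if ($age -lt $MinimumInterval) {
            throw "Only $([int]$age.TotalMinutes) min since stage 1; waiting for $([int]$MinimumInterval.TotalMinutes) min."
        }
    }
    # Random 32-byte password; nobody logs in as krbtgt, so the value is never needed again.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secure = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword $secure -Server $pdc
    $newLast = Get-KrbtgtPasswordLastSet -Server $pdc
    Write-Host "Stage $Stage reset completed on $pdc; PasswordLastSet = $newLast"
    $newLast
}

# Usage: stage 1 immediately, stage 2 once replication and the waiting period are done.
# Invoke-KrbtgtReset -Stage 1
# Invoke-KrbtgtReset -Stage 2
```

In an active incident like Michelle's, a shorter -MinimumInterval trades disruption of legitimate sessions for faster invalidation of the forged tickets; the replication check should never be skipped, because a second reset that has not replicated leaves DCs disagreeing on the key and breaks authentication domain-wide.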
“No skeleton keys in my house,” Michelle said. “We’re resetting the locks.”
Parallel Play: Domain-Level Showdown
Red Team Actions:
- Extracted the krbtgt hash via DCSync
- Forged a Golden Ticket
- Gained full domain access, impersonating high-privilege accounts
Blue Team Actions:
- Detected anomalous Kerberos ticket activity
- Cross-referenced logs via Vicarius vRx to isolate the issuing host
- Rotated the krbtgt account password twice
- Blocked the source host’s traffic and initiated forensic capture
Vicarius in Action: Domain-Wide Trust Defense
With Vicarius vRx, Michelle:
- Correlated Kerberos authentication spikes with recent host-based alerts
- Flagged use of unauthorized ticket issuing even with valid hashes
- Launched a response playbook to force krbtgt rotation and isolate the attacker’s host.
vRx’s strength wasn’t just detection; it enabled orchestration at scale.
Real-World Parallel
This mimics real-world techniques used in the NotPetya attack and APT29 operations, where ticket forging allowed attackers to roam freely for weeks before discovery. In such attacks, traditional security fails because the credentials are “valid.”
Key Takeaways
- Golden Tickets are the ultimate form of stealth privilege escalation
- Detection requires deep visibility into authentication behavior, not just signature-based rules
- krbtgt rotation is critical after suspected compromise and must be done twice
- Vicarius vRx provides the visibility, automation, and orchestration to execute response strategies in minutes, not hours
Next Time on The Purple Team Chronicles
Episode 5: From Adversaries to Allies – The Birth of a Purple Team
After the war, comes the transformation. Michelle and Alex debrief and begin building the future of cyber defense together.