A golden ticket attack forges Kerberos TGTs using the KRBTGT account hash — giving unlimited, persistent access to all domain resources. Very hard to detect.
Requires Domain Admin first (to extract the KRBTGT hash). Mitigation: reset the KRBTGT password twice (both resets are needed to invalidate all existing tickets). Detect via unusual ticket lifetimes. Microsoft Defender for Identity catches golden ticket attacks.