Golden Ticket is a forged Kerberos TGT that an attacker can create after obtaining the KRBTGT account hash from Active Directory, allowing them to impersonate any user, including domain administrators, and gain unrestricted access to services across the domain without the need for Active Directory to validate the user’s existence or group membership. The ticket contains a Privilege Attribute Certificate (PAC) that defines the user’s identity and privileges, which Windows trusts without cross-checking with the domain controller.
ExtraSIDs can be included in the PAC to simulate inherited privileges, such as previous group memberships, enabling privilege escalation even for accounts that no longer have those roles.
KRBTGT hash for the child domain (In example we are doing DCSync because for forging we need to have child domain fully compromised)
SID for the child domain
Name of a Target User in the child domain (does not need to exist! We can make a fake name, like "hacker")
FQDN of the child domain
First it enumerates Domain SID via LSARPC, then bruteforces last (RID) part
Impacket also has the tool raiseChild, which will automate escalating from child to parent domain. We need to specify the target domain controller and credentials for an administrative user in the child domain; the script will do the rest.
PowerView
MimikatzRubeusWith same way you can grep groups you're interested in, or find common SID's in this site
Option /sids is for ExtraSIDs attack, explained here
