A golden ticket attack forges Kerberos TGTs using the KRBTGT account hash — giving attackers persistent, unlimited access to all domain resources. Very hard to detect.
Requires Domain Admin to get the KRBTGT hash (via DCSync or DC compromise). Mitigation: reset the KRBTGT password twice (resetting twice invalidates all existing tickets). Detect by looking for unusual Kerberos ticket lifetimes or account usage patterns.