Kerberos Golden Ticket Technique


The Golden Ticket is the ultimate Windows Kerberos domain persistence technique. It lets an attacker forge and sign their own Kerberos ticket-granting tickets (TGTs) as any user they wish, regardless of that user's password. It works because every TGT in the domain is encrypted and signed with the key of the krbtgt account; whoever holds that key is indistinguishable from the domain's own KDC. An adversary who has obtained local administrator access to a domain controller, even once, can therefore persist as any user in the domain, even if that user's password changes, until the krbtgt account's password has been reset. The end goal is domain-admin-level persistence across the network without any backdoor payload and without relying on any ordinary user's password, because the attacker can sign Kerberos tickets offline with the stolen krbtgt key. Ultimately this means the attacker can lose access through the initial intrusion vector yet persist until the victim resets the key accounts (ideally, every password in the domain), which is a necessary remediation step after any full compromise.

The attack is relatively easy. All one needs is the fully qualified domain name, the domain's SID, the name of the account to impersonate (typically a domain admin; the privilege actually comes from the group membership written into the forged ticket's PAC, so the name does not even have to exist), and the password hash (NT hash or AES key) of the krbtgt account from a domain controller. The first three items can be gathered with basic recon by any domain user, so the only real requirement is having achieved local administrator access to a domain controller once and dumped the password hashes. The ticket can then be generated offline with the popular tools Mimikatz or Meterpreter.
http://blog.gentilkiwi.com/securite/mimikatz/golden-ticket-kerberos
http://rycon.hu/papers/goldenticket.html

Remediation is simple and absolutely critical once a domain controller has been compromised and hashes have been dumped: reset the krbtgt account password (and the local administrator password) on the domain controller. When resetting the krbtgt password, make sure to do it twice (double tap), because the KDC honors tickets encrypted with both the current key and the previous one, so a single reset leaves the stolen key valid!! Let the first reset replicate to every writable DC before the second, and wait at least the maximum TGT lifetime (10 hours by default) between the two so that legitimately issued tickets expire rather than being rejected all at once. Step-by-step instructions are at:
http://cert.europa.eu/static/WhitePapers/CERT-EU-SWP_14_07_PassTheGolden_Ticket_v1_1.pdf

*Update* You can now use Microsoft's new Reset-KrbtgtKeyInteractive for a guided way to reset the krbtgt key and make sure it propagates across all writable DCs before the second reset. You can read more about it in their release statements.
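As an added example (not Microsoft's script and not the CERT-EU procedure verbatim), the PowerShell below performs the double reset described above: each reset is pushed out with repadmin, the script waits until every writable DC reports the new krbtgt key version, and it sleeps for the TGT lifetime between the two resets. It assumes the ActiveDirectory RSAT module, Domain Admin rights, repadmin.exe on the path, and the default 10-hour ticket lifetime.

```powershell
# Added example, not Microsoft's New-KrbtgtKeys script: a "double tap" krbtgt
# reset that confirms replication to every writable DC and waits out the TGT
# lifetime between the two resets. Assumes the ActiveDirectory module,
# Domain Admin rights, repadmin.exe on the path, and a 10-hour TGT lifetime.
Import-Module ActiveDirectory

$pdc        = (Get-ADDomain).PDCEmulator
$writableDC = Get-ADDomainController -Filter { IsReadOnly -eq $false }
# Kerberos policy "Maximum lifetime for user ticket" is 10 hours by default;
# adjust if the domain policy differs.
$tgtLifetime = [TimeSpan]::FromHours(10)

function Get-KrbtgtKeyVersion([string]$Server) {
    # msDS-KeyVersionNumber is derived from each DC's own replication metadata
    # for the password, so reading it per DC shows who has the new key yet.
    (Get-ADUser -Identity krbtgt -Server $Server -Properties 'msDS-KeyVersionNumber').'msDS-KeyVersionNumber'
}

function Reset-KrbtgtOnce {
    $before = Get-KrbtgtKeyVersion $pdc

    # AD discards the supplied value and generates its own random key for
    # krbtgt, but the cmdlet still requires a SecureString.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity krbtgt -Server $pdc -Reset -NewPassword $pw

    # Push the change out now rather than waiting for the replication schedule.
    repadmin /syncall $pdc /AdeP | Out-Null

    # Do not proceed until every writable DC reports a newer key version.
    foreach ($dc in $writableDC) {
        while ((Get-KrbtgtKeyVersion $dc.HostName) -le $before) {
            Write-Host "Waiting for $($dc.HostName) to replicate the new krbtgt key..."
            Start-Sleep -Seconds 30
        }
    }
    Write-Host "krbtgt key version on PDC is now $(Get-KrbtgtKeyVersion $pdc) (was $before)."
}

# First reset: the stolen key becomes the "previous" key and is still honored.
Reset-KrbtgtOnce

# Let every TGT issued under the old key expire so legitimate sessions roll
# over cleanly; only the second reset finally invalidates the stolen key.
Write-Host "Sleeping $($tgtLifetime.TotalHours) hours before the second reset..."
Start-Sleep -Seconds $tgtLifetime.TotalSeconds
Reset-KrbtgtOnce
```

In practice the two halves are usually run as separate sessions rather than leaving a shell sleeping for ten hours, but the checks are the same: after each reset, confirm every writable DC has the new key version before you count it as done, since a DC that still holds only the old key will keep accepting tickets forged with it.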