Golden Ticket

The “Golden Ticket” for the domain (the KRBTGT account password) should be reset. Microsoft has provided a script and instructions for this procedure. The reset ensures that if the “Golden Ticket” was stolen, it cannot be used in the future. Best practice is to reset the “Golden Ticket” on an annual or semi-annual basis. The “Golden Ticket” is used in Pass-the-Ticket attacks by tools such as Mimikatz.

See https://www.microsoft.com/security/blog/2015/02/11/krbtgt-account-password-reset-scripts-now-available-for-customers/

And https://adsecurity.org/?tag=goldenticket
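
To check whether a reset is overdue, the following added example (not the Microsoft script referenced above) reports the password age of each KRBTGT account in the forest. It assumes the ActiveDirectory PowerShell module is installed; the function name `Get-KrbtgtPasswordAge` and the 180-day default threshold are illustrative choices matching a semi-annual cycle.

```powershell
# Added example: report the password age of every KRBTGT account in the forest.
# Requires the ActiveDirectory module (RSAT) and read access to each domain.
Import-Module ActiveDirectory

function Get-KrbtgtPasswordAge {
    param(
        # Assumed threshold: 180 days (semi-annual). Use 365 for an annual cycle.
        [int]$MaxAgeDays = 180
    )
    $now = Get-Date
    foreach ($domain in (Get-ADForest).Domains) {
        # Query the PDC emulator of each domain for the authoritative value.
        $server = (Get-ADDomain -Server $domain).PDCEmulator
        # The filter also matches per-RODC accounts named krbtgt_NNNNN.
        Get-ADUser -Server $server -Filter 'SamAccountName -like "krbtgt*"' `
                   -Properties PasswordLastSet, 'msDS-KeyVersionNumber' |
            ForEach-Object {
                # PasswordLastSet can be empty; treat that as overdue.
                $age = if ($_.PasswordLastSet) {
                    [int]($now - $_.PasswordLastSet).TotalDays
                } else { $null }
                [pscustomobject]@{
                    Domain          = $domain
                    Account         = $_.SamAccountName
                    PasswordLastSet = $_.PasswordLastSet
                    AgeDays         = $age
                    KeyVersion      = $_.'msDS-KeyVersionNumber'
                    Overdue         = ($null -eq $age) -or ($age -gt $MaxAgeDays)
                }
            }
    }
}

# List the oldest passwords first; Overdue = True marks accounts past the threshold.
Get-KrbtgtPasswordAge | Sort-Object AgeDays -Descending | Format-Table -AutoSize
```

Run it again after a reset: `PasswordLastSet` should show the new date and `KeyVersion` should have increased.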