
Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.

Category: AI & Automation · 12,642 stars · 1,468 forks · Updated today · License: Apache-2.0


Quality Score: 99/100

- Stars (20%): 100
- Recency (20%): 100
- Frontmatter (20%): 70
- Documentation (15%): 100
- Issue Health (10%): 50
- License (10%): 100
- Description (5%): 100

Skill Content

# Detecting Golden Ticket Attacks in Kerberos Logs

## When to Use

- When the KRBTGT account hash may have been compromised via DCSync or NTDS.dit extraction
- When hunting for forged Kerberos tickets used for persistent domain access
- After incident response reveals credential theft at the domain level
- When investigating impossible logon patterns (users logging in from multiple locations simultaneously)
- During post-breach assessment to determine whether Golden Tickets are in use

## Prerequisites

- Windows Security Event IDs 4768, 4769, 4771 on domain controllers
- Knowledge of the Kerberos policy configuration (maximum ticket lifetime, encryption types)
- Domain controller audit policy enabling Kerberos Service Ticket Operations
- SIEM able to correlate Kerberos events across multiple DCs

## Workflow

1. **Monitor TGT Requests (Event 4768)**: Track Kerberos authentication service requests. Golden Tickets bypass the AS-REQ/AS-REP exchange entirely, so a 4769 with no preceding 4768 for the same account is suspicious.
2. **Detect Encryption Type Anomalies**: Golden Tickets often use RC4 (0x17) encryption. If your domain enforces AES (0x12), any RC4 TGT is a red flag. Monitor TicketEncryptionType in Event 4769.
3. **Check Ticket Lifetime Anomalies**: The default Kerberos TGT lifetime is 10 hours with a 7-day renewal window. Golden Tickets can be forged with 10-year lifetimes. Detect tickets whose duration exceeds policy.
4. **Hunt for Non-Existent SIDs**: Golden Tickets can include arbitrary SIDs (including non...
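The first three workflow steps as one correlation pass over constructed 4768/4769 records (an added example, not code from the skill or its repository). It assumes the events are already parsed into dicts, that the domain policy is AES-only with the default 10-hour TGT lifetime, and that every domain controller's log feeds the same stream (otherwise a missing 4768 may simply have been issued by an uncollected DC).

```python
"""Correlate Kerberos 4768/4769 events to flag Golden Ticket indicators."""
from datetime import datetime, timedelta

RC4_HMAC = 0x17           # etype Golden Tickets are commonly forged with
MAX_TGT_LIFETIME = timedelta(hours=10)  # default Kerberos policy (assumed)

# Constructed sample events (not real logs); field names are illustrative
# stand-ins for the 4768/4769 TargetUserName and TicketEncryptionType data.
EVENTS = [
    {"id": 4768, "time": "2024-05-01T08:00:00", "user": "alice", "etype": 0x12},
    {"id": 4769, "time": "2024-05-01T08:05:00", "user": "alice", "etype": 0x12,
     "service": "cifs/fs01"},
    {"id": 4769, "time": "2024-05-01T09:10:00", "user": "svc_backup", "etype": 0x17,
     "service": "ldap/dc01"},
    {"id": 4768, "time": "2024-05-01T09:00:00", "user": "bob", "etype": 0x12},
    {"id": 4769, "time": "2024-05-02T03:00:00", "user": "bob", "etype": 0x12,
     "service": "cifs/fs02"},
]


def find_golden_ticket_indicators(events, max_lifetime=MAX_TGT_LIFETIME):
    """Return (user, reason) findings for the three anomaly classes."""
    findings = []
    last_tgt = {}  # user -> time the DC last issued (4768) or renewed (4770) a TGT
    for ev in sorted(events, key=lambda e: e["time"]):  # ISO-8601 sorts lexically
        when = datetime.fromisoformat(ev["time"])
        user = ev["user"].lower()
        if ev["id"] in (4768, 4770):
            last_tgt[user] = when
            continue
        if ev["id"] != 4769:
            continue
        # Step 2: service ticket shows an etype an AES-only domain never issues.
        if ev["etype"] == RC4_HMAC:
            findings.append((user, "rc4_ticket"))
        # Step 1: TGS-REQ with no earlier AS-REQ, so no DC ever issued this TGT.
        if user not in last_tgt:
            findings.append((user, "no_tgt_request"))
        # Step 3: TGT still presented past the policy lifetime without renewal.
        elif when - last_tgt[user] > max_lifetime:
            findings.append((user, "tgt_lifetime_exceeded"))
    return findings


if __name__ == "__main__":
    for user, reason in find_golden_ticket_indicators(EVENTS):
        print(f"{user}: {reason}")
```

The lifetime check is a proxy: Windows events do not record a TGT's end time, so a TGT that keeps producing 4769s for longer than the policy allows, with no new 4768 or 4770 for that account, is what stands out.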

Details

- Author: mukul975
- Repository: mukul975/Anthropic-Cybersecurity-Skills
- Created: 3 months ago
- Last Updated: today
- Language: Python
- License: Apache-2.0
