detecting-golden-ticket-forgery

Solid

Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM

AI & Automation 12,642 stars 1468 forks Updated today Apache-2.0

Install

View on GitHub

Quality Score: 97/100

Stars 20%
100
Recency 20%
100
Frontmatter 20%
70
Documentation 15%
92
Issue Health 10%
50
License 10%
100
Description 5%
100

Skill Content

# Detecting Golden Ticket Forgery ## Overview A Golden Ticket attack (MITRE ATT&CK T1558.001) involves forging a Kerberos Ticket Granting Ticket (TGT) using the krbtgt account NTLM hash, granting unrestricted access to any service in the Active Directory domain. This skill detects Golden Ticket usage by analyzing Event ID 4769 for RC4 encryption type (0x17) in environments enforcing AES, identifying tickets with abnormal lifetimes exceeding domain policy, correlating TGS requests with missing corresponding TGT requests (Event ID 4768), and detecting krbtgt password age anomalies. ## When to Use - When investigating security incidents that require detecting golden ticket forgery - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Windows Domain Controller with Kerberos audit logging enabled - Splunk or Elastic SIEM ingesting Windows Security event logs - Python 3.8+ for offline event log analysis - Knowledge of domain Kerberos encryption policy (AES vs RC4) ## Steps 1. Audit domain Kerberos encryption policy to establish AES-only baseline 2. Forward Event IDs 4768 and 4769 to SIEM platform 3. Detect RC4 (0x17) encryption in TGS requests where AES is enforced 4. Identify TGS requests without corresponding TGT requests (forged ticket indicator) 5. Alert on ticket lifetimes exceeding Ma...

Details

Author
mukul975
Repository
mukul975/Anthropic-Cybersecurity-Skills
Created
3 months ago
Last Updated
today
Language
Python
License
Apache-2.0

Similar Skills

Semantically similar based on skill content — not just same category

AI & Automation Featured

detecting-golden-ticket-attacks-in-kerberos-logs

Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.

12,642 Updated today
mukul975
AI & Automation Solid

detecting-pass-the-ticket-attacks

Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous ticket usage patterns in Splunk and Elastic SIEM

12,642 Updated today
mukul975
AI & Automation Featured

conducting-pass-the-ticket-attack

Pass-the-Ticket (PtT) is a lateral movement technique that uses stolen Kerberos tickets (TGT or TGS) to authenticate to services without knowing the user's password. By extracting Kerberos tickets fro

12,642 Updated today
mukul975
AI & Automation Featured

detecting-kerberoasting-attacks

Detect Kerberoasting attacks by monitoring for anomalous Kerberos TGS requests targeting service accounts with SPNs for offline password cracking.

12,642 Updated today
mukul975
AI & Automation Featured

performing-kerberoasting-attack

Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names

12,642 Updated today
mukul975