threat hunting

Detecting Golden Ticket Attacks in Kerberos Logs

Detect Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including mismatched encryption types, impossible ticket lifetimes, non-existent accounts, and forged PAC signatures in domain controller event logs.

active-directorycredential-abusegolden-ticketkerberosmitre-t1558-001threat-hunting
Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-Skills
Framework mappings

When to Use

  • When KRBTGT account hash may have been compromised via DCSync or NTDS.dit extraction
  • When hunting for forged Kerberos tickets used for persistent domain access
  • After incident response reveals credential theft at the domain level
  • When investigating impossible logon patterns (users logging in from multiple locations simultaneously)
  • During post-breach assessment to determine if Golden Tickets are in use

Prerequisites

  • Windows Security Event IDs 4768, 4769, 4771 on domain controllers
  • Kerberos policy configuration knowledge (max ticket lifetime, encryption types)
  • Domain controller audit policy enabling Kerberos Service Ticket Operations
  • SIEM with ability to correlate Kerberos events across multiple DCs

Workflow

  1. Monitor TGT Requests (Event 4768): Track Kerberos authentication service requests. Golden Tickets bypass the AS-REQ/AS-REP exchange entirely, so the absence of 4768 before 4769 is suspicious.
  2. Detect Encryption Type Anomalies: Golden Tickets often use RC4 (0x17) encryption. If your domain enforces AES (0x12), any RC4 TGT is a red flag. Monitor TicketEncryptionType in Event 4769.
  3. Check Ticket Lifetime Anomalies: Default Kerberos TGT lifetime is 10 hours with 7-day renewal. Golden Tickets can be forged with 10-year lifetimes. Detect tickets with durations exceeding policy.
  4. Hunt for Non-Existent SIDs: Golden Tickets can include arbitrary SIDs (including non-existent accounts or groups). Correlate TGS requests against known AD SID inventory.
  5. Detect TGS Without Prior TGT: When a service ticket (4769) appears without a preceding TGT request (4768) from the same IP/account, this may indicate a pre-existing Golden Ticket.
  6. Monitor KRBTGT Password Age: Track when KRBTGT was last reset. If KRBTGT hash hasn't changed since a known compromise, Golden Tickets from that period remain valid.
  7. Validate PAC Signatures: With KB5008380+ and PAC validation enforcement, domain controllers reject forged PACs. Monitor for Kerberos failures indicating PAC validation errors.

Detection Queries

Splunk -- RC4 Encryption in Kerberos TGS

index=wineventlog EventCode=4769
| where TicketEncryptionType="0x17"
| where ServiceName!="krbtgt"
| stats count by TargetUserName ServiceName IpAddress TicketEncryptionType Computer
| where count > 5
| sort -count

Splunk -- TGS Without Prior TGT

index=wineventlog (EventCode=4768 OR EventCode=4769)
| stats earliest(_time) as first_tgt by TargetUserName IpAddress EventCode
| eventstats earliest(eval(if(EventCode=4768, first_tgt, null()))) as tgt_time by TargetUserName IpAddress
| where EventCode=4769 AND (isnull(tgt_time) OR first_tgt < tgt_time)
| table TargetUserName IpAddress first_tgt tgt_time

KQL -- Golden Ticket Indicators

SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| where ServiceName != "krbtgt"
| summarize Count=count() by TargetUserName, IpAddress, ServiceName
| where Count > 5

Common Scenarios

  1. Post-DCSync Golden Ticket: After extracting KRBTGT hash, attacker forges TGT with Domain Admin SID, valid for months until KRBTGT is rotated twice.
  2. RC4 Downgrade: Golden Ticket forged with RC4 encryption in an AES-only environment, detectable by encryption type mismatch.
  3. Cross-Domain Golden Ticket: Forged inter-realm TGT used to pivot between AD domains/forests.
  4. Persistence After Remediation: Golden Tickets surviving password resets because KRBTGT was only rotated once (both current and previous hashes are valid).

Output Format

Hunt ID: TH-GOLDEN-[DATE]-[SEQ]
Suspected Account: [Account using forged ticket]
Source IP: [Client IP]
Target Service: [SPN accessed]
Encryption Type: [RC4/AES128/AES256]
Anomaly: [No prior TGT/RC4 in AES environment/Extended lifetime]
KRBTGT Last Reset: [Date]
Risk Level: [Critical]
Source materials

References and resources

Everything below is rendered for inspection. Script files are read-only and never run.

References 1

api-reference.md1.6 KB

API Reference: Detecting Golden Ticket Attacks in Kerberos Logs

Key Windows Event IDs

Event ID Description Golden Ticket Signal
4768 TGT Requested (AS-REQ) RC4 encryption, anomalous domain
4769 TGS Requested (TGS-REQ) No prior 4768, forged TGT
4771 Kerberos Pre-Auth Failed Non-existent account (0x6)

Kerberos Encryption Types

Code Algorithm Suspicion
0x11 AES128-CTS Normal (modern)
0x12 AES256-CTS Normal (preferred)
0x17 RC4-HMAC Suspicious (Mimikatz default)
0x18 RC4-HMAC-EXP Suspicious

python-evtx Usage

import Evtx.Evtx as evtx
with evtx.Evtx("Security.evtx") as log:
    for record in log.records():
        xml = record.xml()
        # Parse Events 4768, 4769, 4771
        # Check TicketEncryptionType, TargetUserName

Splunk SPL Detection

index=wineventlog EventCode=4769
| join type=left TargetUserName [
    search index=wineventlog EventCode=4768
    | rename TargetUserName as tgt_user
]
| where isnull(tgt_user)
| table _time TargetUserName ServiceName IpAddress Computer

KQL (Microsoft Sentinel)

SecurityEvent
| where EventID == 4768
| where TicketEncryptionType in ("0x17", "0x18")
| where TargetUserName !endswith "$"
| project TimeGenerated, TargetUserName, IpAddress, TicketEncryptionType

Mimikatz Golden Ticket Command

kerberos::golden /user:admin /domain:corp.local /sid:S-1-5-21-... /krbtgt:hash /ptt

CLI Usage

python agent.py --security-log Security.evtx --domain corp.local
python agent.py --generate-sigma

Scripts 1

agent.py6.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Golden Ticket attack detection agent for Kerberos log analysis.

Parses Windows Security Event IDs 4768, 4769, 4771 to detect forged TGTs
with anomalous encryption types, impossible lifetimes, and non-existent accounts.
"""

import argparse
import json
import re
from datetime import datetime

try:
    import Evtx.Evtx as evtx
except ImportError:
    evtx = None

ENCRYPTION_TYPES = {
    "0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
    "0x11": "AES128-CTS", "0x12": "AES256-CTS",
    "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP",
}

GOLDEN_TICKET_INDICATORS = {
    "rc4_encryption": {"desc": "RC4 encryption used (0x17) instead of AES",
                        "severity": "HIGH", "mitre": "T1558.001"},
    "impossible_lifetime": {"desc": "TGT lifetime exceeds policy maximum",
                             "severity": "CRITICAL", "mitre": "T1558.001"},
    "non_existent_account": {"desc": "TGS request for non-existent account",
                              "severity": "CRITICAL", "mitre": "T1558.001"},
    "no_tgt_request": {"desc": "TGS (4769) without prior TGT (4768)",
                        "severity": "HIGH", "mitre": "T1558.001"},
    "domain_field_mismatch": {"desc": "Domain field differs from environment",
                               "severity": "HIGH", "mitre": "T1558.001"},
}

MAX_TGT_LIFETIME_HOURS = 10
EXPECTED_DOMAIN = ""


def parse_kerberos_events(filepath):
    if evtx is None:
        return {"error": "python-evtx not installed: pip install python-evtx"}

    tgt_requests = {}
    tgs_requests = []
    findings = []

    with evtx.Evtx(filepath) as log:
        for record in log.records():
            xml = record.xml()
            event_id_match = re.search(r'<EventID[^>]*>(\d+)</EventID>', xml)
            if not event_id_match:
                continue
            event_id = int(event_id_match.group(1))
            time_match = re.search(r'SystemTime="([^"]+)"', xml)
            timestamp = time_match.group(1) if time_match else ""

            if event_id == 4768:
                user = re.search(r'<Data Name="TargetUserName">([^<]+)', xml)
                domain = re.search(r'<Data Name="TargetDomainName">([^<]+)', xml)
                ticket_enc = re.search(r'<Data Name="TicketEncryptionType">([^<]+)', xml)
                client_addr = re.search(r'<Data Name="IpAddress">([^<]+)', xml)
                status = re.search(r'<Data Name="Status">([^<]+)', xml)

                username = user.group(1) if user else ""
                enc_type = ticket_enc.group(1) if ticket_enc else ""

                if username and not username.endswith("$"):
                    tgt_requests[username.lower()] = timestamp

                if enc_type.lower() in ("0x17", "0x18"):
                    findings.append({
                        "event_id": 4768, "timestamp": timestamp,
                        "user": username,
                        "encryption_type": ENCRYPTION_TYPES.get(enc_type.lower(), enc_type),
                        "indicator": "rc4_encryption",
                        **GOLDEN_TICKET_INDICATORS["rc4_encryption"],
                    })

            elif event_id == 4769:
                user = re.search(r'<Data Name="TargetUserName">([^<]+)', xml)
                service = re.search(r'<Data Name="ServiceName">([^<]+)', xml)
                ticket_enc = re.search(r'<Data Name="TicketEncryptionType">([^<]+)', xml)
                client_addr = re.search(r'<Data Name="IpAddress">([^<]+)', xml)

                username = user.group(1) if user else ""
                base_user = username.split("@")[0].lower() if "@" in username else username.lower()

                if base_user and base_user not in tgt_requests and not base_user.endswith("$"):
                    findings.append({
                        "event_id": 4769, "timestamp": timestamp,
                        "user": username,
                        "service": service.group(1) if service else "",
                        "indicator": "no_tgt_request",
                        **GOLDEN_TICKET_INDICATORS["no_tgt_request"],
                    })

            elif event_id == 4771:
                user = re.search(r'<Data Name="TargetUserName">([^<]+)', xml)
                failure = re.search(r'<Data Name="Status">([^<]+)', xml)
                status_code = failure.group(1) if failure else ""
                if status_code == "0x6":
                    findings.append({
                        "event_id": 4771, "timestamp": timestamp,
                        "user": user.group(1) if user else "",
                        "status": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
                        "indicator": "non_existent_account",
                        **GOLDEN_TICKET_INDICATORS["non_existent_account"],
                    })

    return {"tgt_requests": len(tgt_requests), "findings": findings}


def generate_sigma_rule():
    return {
        "title": "Golden Ticket - TGS Without Prior TGT",
        "status": "stable",
        "logsource": {"product": "windows", "service": "security"},
        "detection": {
            "tgs": {"EventID": 4769},
            "tgt": {"EventID": 4768},
            "condition": "tgs and not tgt",
        },
        "level": "high",
        "tags": ["attack.credential_access", "attack.t1558.001"],
    }


def main():
    parser = argparse.ArgumentParser(description="Golden Ticket Attack Detector")
    parser.add_argument("--security-log", help="Windows Security EVTX file")
    parser.add_argument("--domain", default="", help="Expected AD domain name")
    parser.add_argument("--generate-sigma", action="store_true")
    args = parser.parse_args()

    global EXPECTED_DOMAIN
    EXPECTED_DOMAIN = args.domain

    results = {"timestamp": datetime.utcnow().isoformat() + "Z"}

    if args.security_log:
        parsed = parse_kerberos_events(args.security_log)
        if isinstance(parsed, dict) and "error" in parsed:
            results["error"] = parsed["error"]
        else:
            results.update(parsed)
            results["total_findings"] = len(parsed.get("findings", []))

    if args.generate_sigma:
        results["sigma_rule"] = generate_sigma_rule()

    print(json.dumps(results, indent=2))


if __name__ == "__main__":
    main()
Keep exploring