Install this skill
npx skills add mukul975/Anthropic-Cybersecurity-SkillsFramework mappings
MITRE ATT&CK
When to Use
- When KRBTGT account hash may have been compromised via DCSync or NTDS.dit extraction
- When hunting for forged Kerberos tickets used for persistent domain access
- After incident response reveals credential theft at the domain level
- When investigating impossible logon patterns (users logging in from multiple locations simultaneously)
- During post-breach assessment to determine if Golden Tickets are in use
Prerequisites
- Windows Security Event IDs 4768, 4769, 4771 on domain controllers
- Kerberos policy configuration knowledge (max ticket lifetime, encryption types)
- Domain controller audit policy enabling Kerberos Service Ticket Operations
- SIEM with ability to correlate Kerberos events across multiple DCs
Workflow
- Monitor TGT Requests (Event 4768): Track Kerberos authentication service requests. Golden Tickets bypass the AS-REQ/AS-REP exchange entirely, so the absence of 4768 before 4769 is suspicious.
- Detect Encryption Type Anomalies: Golden Tickets often use RC4 (0x17) encryption. If your domain enforces AES (0x12), any RC4 TGT is a red flag. Monitor TicketEncryptionType in Event 4769.
- Check Ticket Lifetime Anomalies: Default Kerberos TGT lifetime is 10 hours with 7-day renewal. Golden Tickets can be forged with 10-year lifetimes. Detect tickets with durations exceeding policy.
- Hunt for Non-Existent SIDs: Golden Tickets can include arbitrary SIDs (including non-existent accounts or groups). Correlate TGS requests against known AD SID inventory.
- Detect TGS Without Prior TGT: When a service ticket (4769) appears without a preceding TGT request (4768) from the same IP/account, this may indicate a pre-existing Golden Ticket.
- Monitor KRBTGT Password Age: Track when KRBTGT was last reset. If KRBTGT hash hasn't changed since a known compromise, Golden Tickets from that period remain valid.
- Validate PAC Signatures: With KB5008380+ and PAC validation enforcement, domain controllers reject forged PACs. Monitor for Kerberos failures indicating PAC validation errors.
Detection Queries
Splunk -- RC4 Encryption in Kerberos TGS
index=wineventlog EventCode=4769
| where TicketEncryptionType="0x17"
| where ServiceName!="krbtgt"
| stats count by TargetUserName ServiceName IpAddress TicketEncryptionType Computer
| where count > 5
| sort -countSplunk -- TGS Without Prior TGT
index=wineventlog (EventCode=4768 OR EventCode=4769)
| stats earliest(_time) as first_tgt by TargetUserName IpAddress EventCode
| eventstats earliest(eval(if(EventCode=4768, first_tgt, null()))) as tgt_time by TargetUserName IpAddress
| where EventCode=4769 AND (isnull(tgt_time) OR first_tgt < tgt_time)
| table TargetUserName IpAddress first_tgt tgt_timeKQL -- Golden Ticket Indicators
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| where ServiceName != "krbtgt"
| summarize Count=count() by TargetUserName, IpAddress, ServiceName
| where Count > 5Common Scenarios
- Post-DCSync Golden Ticket: After extracting KRBTGT hash, attacker forges TGT with Domain Admin SID, valid for months until KRBTGT is rotated twice.
- RC4 Downgrade: Golden Ticket forged with RC4 encryption in an AES-only environment, detectable by encryption type mismatch.
- Cross-Domain Golden Ticket: Forged inter-realm TGT used to pivot between AD domains/forests.
- Persistence After Remediation: Golden Tickets surviving password resets because KRBTGT was only rotated once (both current and previous hashes are valid).
Output Format
Hunt ID: TH-GOLDEN-[DATE]-[SEQ]
Suspected Account: [Account using forged ticket]
Source IP: [Client IP]
Target Service: [SPN accessed]
Encryption Type: [RC4/AES128/AES256]
Anomaly: [No prior TGT/RC4 in AES environment/Extended lifetime]
KRBTGT Last Reset: [Date]
Risk Level: [Critical]Source materials
References and resources
Everything below is rendered for inspection. Script files are read-only and never run.
References 1
api-reference.md1.6 KB
API Reference: Detecting Golden Ticket Attacks in Kerberos Logs
Key Windows Event IDs
| Event ID | Description | Golden Ticket Signal |
|---|---|---|
| 4768 | TGT Requested (AS-REQ) | RC4 encryption, anomalous domain |
| 4769 | TGS Requested (TGS-REQ) | No prior 4768, forged TGT |
| 4771 | Kerberos Pre-Auth Failed | Non-existent account (0x6) |
Kerberos Encryption Types
| Code | Algorithm | Suspicion |
|---|---|---|
| 0x11 | AES128-CTS | Normal (modern) |
| 0x12 | AES256-CTS | Normal (preferred) |
| 0x17 | RC4-HMAC | Suspicious (Mimikatz default) |
| 0x18 | RC4-HMAC-EXP | Suspicious |
python-evtx Usage
import Evtx.Evtx as evtx
with evtx.Evtx("Security.evtx") as log:
for record in log.records():
xml = record.xml()
# Parse Events 4768, 4769, 4771
# Check TicketEncryptionType, TargetUserNameSplunk SPL Detection
index=wineventlog EventCode=4769
| join type=left TargetUserName [
search index=wineventlog EventCode=4768
| rename TargetUserName as tgt_user
]
| where isnull(tgt_user)
| table _time TargetUserName ServiceName IpAddress ComputerKQL (Microsoft Sentinel)
SecurityEvent
| where EventID == 4768
| where TicketEncryptionType in ("0x17", "0x18")
| where TargetUserName !endswith "$"
| project TimeGenerated, TargetUserName, IpAddress, TicketEncryptionTypeMimikatz Golden Ticket Command
kerberos::golden /user:admin /domain:corp.local /sid:S-1-5-21-... /krbtgt:hash /pttCLI Usage
python agent.py --security-log Security.evtx --domain corp.local
python agent.py --generate-sigmaScripts 1
agent.py6.1 KB
Display-only source. This catalog never executes bundled scripts.
#!/usr/bin/env python3
"""Golden Ticket attack detection agent for Kerberos log analysis.
Parses Windows Security Event IDs 4768, 4769, 4771 to detect forged TGTs
with anomalous encryption types, impossible lifetimes, and non-existent accounts.
"""
import argparse
import json
import re
from datetime import datetime
try:
import Evtx.Evtx as evtx
except ImportError:
evtx = None
ENCRYPTION_TYPES = {
"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
"0x11": "AES128-CTS", "0x12": "AES256-CTS",
"0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP",
}
GOLDEN_TICKET_INDICATORS = {
"rc4_encryption": {"desc": "RC4 encryption used (0x17) instead of AES",
"severity": "HIGH", "mitre": "T1558.001"},
"impossible_lifetime": {"desc": "TGT lifetime exceeds policy maximum",
"severity": "CRITICAL", "mitre": "T1558.001"},
"non_existent_account": {"desc": "TGS request for non-existent account",
"severity": "CRITICAL", "mitre": "T1558.001"},
"no_tgt_request": {"desc": "TGS (4769) without prior TGT (4768)",
"severity": "HIGH", "mitre": "T1558.001"},
"domain_field_mismatch": {"desc": "Domain field differs from environment",
"severity": "HIGH", "mitre": "T1558.001"},
}
MAX_TGT_LIFETIME_HOURS = 10
EXPECTED_DOMAIN = ""
def parse_kerberos_events(filepath):
if evtx is None:
return {"error": "python-evtx not installed: pip install python-evtx"}
tgt_requests = {}
tgs_requests = []
findings = []
with evtx.Evtx(filepath) as log:
for record in log.records():
xml = record.xml()
event_id_match = re.search(r'<EventID[^>]*>(\d+)</EventID>', xml)
if not event_id_match:
continue
event_id = int(event_id_match.group(1))
time_match = re.search(r'SystemTime="([^"]+)"', xml)
timestamp = time_match.group(1) if time_match else ""
if event_id == 4768:
user = re.search(r'<Data Name="TargetUserName">([^<]+)', xml)
domain = re.search(r'<Data Name="TargetDomainName">([^<]+)', xml)
ticket_enc = re.search(r'<Data Name="TicketEncryptionType">([^<]+)', xml)
client_addr = re.search(r'<Data Name="IpAddress">([^<]+)', xml)
status = re.search(r'<Data Name="Status">([^<]+)', xml)
username = user.group(1) if user else ""
enc_type = ticket_enc.group(1) if ticket_enc else ""
if username and not username.endswith("$"):
tgt_requests[username.lower()] = timestamp
if enc_type.lower() in ("0x17", "0x18"):
findings.append({
"event_id": 4768, "timestamp": timestamp,
"user": username,
"encryption_type": ENCRYPTION_TYPES.get(enc_type.lower(), enc_type),
"indicator": "rc4_encryption",
**GOLDEN_TICKET_INDICATORS["rc4_encryption"],
})
elif event_id == 4769:
user = re.search(r'<Data Name="TargetUserName">([^<]+)', xml)
service = re.search(r'<Data Name="ServiceName">([^<]+)', xml)
ticket_enc = re.search(r'<Data Name="TicketEncryptionType">([^<]+)', xml)
client_addr = re.search(r'<Data Name="IpAddress">([^<]+)', xml)
username = user.group(1) if user else ""
base_user = username.split("@")[0].lower() if "@" in username else username.lower()
if base_user and base_user not in tgt_requests and not base_user.endswith("$"):
findings.append({
"event_id": 4769, "timestamp": timestamp,
"user": username,
"service": service.group(1) if service else "",
"indicator": "no_tgt_request",
**GOLDEN_TICKET_INDICATORS["no_tgt_request"],
})
elif event_id == 4771:
user = re.search(r'<Data Name="TargetUserName">([^<]+)', xml)
failure = re.search(r'<Data Name="Status">([^<]+)', xml)
status_code = failure.group(1) if failure else ""
if status_code == "0x6":
findings.append({
"event_id": 4771, "timestamp": timestamp,
"user": user.group(1) if user else "",
"status": "KDC_ERR_C_PRINCIPAL_UNKNOWN",
"indicator": "non_existent_account",
**GOLDEN_TICKET_INDICATORS["non_existent_account"],
})
return {"tgt_requests": len(tgt_requests), "findings": findings}
def generate_sigma_rule():
return {
"title": "Golden Ticket - TGS Without Prior TGT",
"status": "stable",
"logsource": {"product": "windows", "service": "security"},
"detection": {
"tgs": {"EventID": 4769},
"tgt": {"EventID": 4768},
"condition": "tgs and not tgt",
},
"level": "high",
"tags": ["attack.credential_access", "attack.t1558.001"],
}
def main():
parser = argparse.ArgumentParser(description="Golden Ticket Attack Detector")
parser.add_argument("--security-log", help="Windows Security EVTX file")
parser.add_argument("--domain", default="", help="Expected AD domain name")
parser.add_argument("--generate-sigma", action="store_true")
args = parser.parse_args()
global EXPECTED_DOMAIN
EXPECTED_DOMAIN = args.domain
results = {"timestamp": datetime.utcnow().isoformat() + "Z"}
if args.security_log:
parsed = parse_kerberos_events(args.security_log)
if isinstance(parsed, dict) and "error" in parsed:
results["error"] = parsed["error"]
else:
results.update(parsed)
results["total_findings"] = len(parsed.get("findings", []))
if args.generate_sigma:
results["sigma_rule"] = generate_sigma_rule()
print(json.dumps(results, indent=2))
if __name__ == "__main__":
main()
Keep exploring