Detects Kerberos Golden Ticket attacks in Windows Security EVTX logs by parsing events 4624, 4672, 4768 for anomalous TGT lifetimes, domain SID mismatches, and unauthorized admin privileges on non-admin accounts.
npx claudepluginhub killvxk/cybersecurity-skills-zh
This skill uses the workspace's default tool permissions.
1. Install dependencies: `pip install python-evtx lxml`
Detects Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including encryption type mismatches, impossible lifetimes, non-existent accounts, and forged PAC signatures in DC event logs.
Detects Golden Ticket attacks in Active Directory Kerberos logs by analyzing TGT anomalies like mismatched encryption types, impossible lifetimes, non-existent accounts, and forged PAC signatures. Useful for threat hunting in domain controller event logs.
Detects Golden Ticket attacks in Active Directory Kerberos logs by analyzing TGT anomalies like mismatched encryption types, impossible lifetimes, non-existent accounts, and forged PAC signatures. Includes Splunk queries.
`pip install python-evtx lxml`
`python scripts/agent.py --evtx-file /path/to/Security.evtx --output golden_ticket_report.json`
A standard user account that triggers event 4672 and is granted SeDebugPrivilege, SeTcbPrivilege or SeBackupPrivilege indicates possible Golden Ticket use.
A logon event (4624) authenticated with Kerberos that has no matching 4768 (TGT request) on the domain controller suggests the TGT may have been forged.
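The two correlation rules above, implemented as an added example (this is not the skill's own `scripts/agent.py`). It assumes the Security events have already been extracted from EVTX into plain dicts with the usual field names (`TargetUserName`, `PrivilegeList`, `AuthenticationPackageName`, ...), that the set of known admin accounts is supplied from outside (a hypothetical list here; a real deployment would pull it from AD group membership), and that the 4624/4768 events come from the domain controller's log so that a missing 4768 is meaningful. The sample events are constructed for the demonstration.

```python
"""Golden Ticket heuristics over Windows Security events (added example).

Rule 1: event 4672 granting sensitive privileges to an account that is not
        a known admin.
Rule 2: event 4624 with AuthenticationPackageName == Kerberos but no 4768
        (TGT request) for that account within the preceding ticket lifetime.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Privileges named on the page as suspicious on a non-admin account.
SENSITIVE_PRIVS = {"SeDebugPrivilege", "SeTcbPrivilege", "SeBackupPrivilege"}

# Hypothetical admin list; in practice derive it from AD group membership.
ADMIN_ACCOUNTS = {"corp\\adm.alice"}

# Default maximum TGT lifetime in AD is 10 hours: a legitimate Kerberos logon
# may be up to that far after its 4768 on the DC.
DEFAULT_TGT_WINDOW = timedelta(hours=10)

# Constructed sample events (not real log data), shaped like parsed EVTX fields.
SAMPLE_EVENTS = [
    # Normal: admin requests a TGT, logs on with Kerberos, gets a privileged session.
    {"EventID": 4768, "Time": "2024-05-01T08:00:00", "TargetUserName": "adm.alice",
     "TargetDomainName": "CORP"},
    {"EventID": 4624, "Time": "2024-05-01T08:00:05", "TargetUserName": "adm.alice",
     "TargetDomainName": "CORP", "AuthenticationPackageName": "Kerberos", "LogonType": "3"},
    {"EventID": 4672, "Time": "2024-05-01T08:00:05", "SubjectUserName": "adm.alice",
     "SubjectDomainName": "CORP", "PrivilegeList": "SeDebugPrivilege\n\t\t\tSeBackupPrivilege"},
    # Suspicious: bob is a standard user, his Kerberos logon has no 4768 behind it,
    # and the session is handed SeDebugPrivilege / SeTcbPrivilege.
    {"EventID": 4624, "Time": "2024-05-01T09:15:00", "TargetUserName": "bob",
     "TargetDomainName": "CORP", "AuthenticationPackageName": "Kerberos", "LogonType": "3"},
    {"EventID": 4672, "Time": "2024-05-01T09:15:01", "SubjectUserName": "bob",
     "SubjectDomainName": "CORP", "PrivilegeList": "SeDebugPrivilege\n\t\t\tSeTcbPrivilege"},
    # NTLM logons never have a 4768 and must not alert under rule 2.
    {"EventID": 4624, "Time": "2024-05-01T09:20:00", "TargetUserName": "carol",
     "TargetDomainName": "CORP", "AuthenticationPackageName": "NTLM", "LogonType": "3"},
]


def _ts(event):
    return datetime.fromisoformat(event["Time"])


def _account(domain, user):
    # Windows account names are case-insensitive; normalise for comparison.
    return f"{domain}\\{user}".lower()


def find_unexpected_privileges(events, admin_accounts):
    """Rule 1: sensitive privileges (4672) assigned to a non-admin account."""
    admins = {a.lower() for a in admin_accounts}
    findings = []
    for ev in events:
        if ev["EventID"] != 4672:
            continue
        account = _account(ev["SubjectDomainName"], ev["SubjectUserName"])
        if account in admins:
            continue
        # PrivilegeList is whitespace/newline separated in the event XML.
        granted = set(ev["PrivilegeList"].split()) & SENSITIVE_PRIVS
        if granted:
            findings.append({"rule": "sensitive_privilege_on_non_admin", "account": account,
                             "time": ev["Time"], "privileges": sorted(granted)})
    return findings


def find_logons_without_tgt(events, window=DEFAULT_TGT_WINDOW):
    """Rule 2: Kerberos logon (4624) with no 4768 for the account inside the window."""
    tgt_times = defaultdict(list)
    for ev in events:
        if ev["EventID"] == 4768:
            tgt_times[_account(ev["TargetDomainName"], ev["TargetUserName"])].append(_ts(ev))
    findings = []
    for ev in events:
        if ev["EventID"] != 4624 or ev.get("AuthenticationPackageName") != "Kerberos":
            continue
        account = _account(ev["TargetDomainName"], ev["TargetUserName"])
        t = _ts(ev)
        if any(t - window <= tgt <= t for tgt in tgt_times[account]):
            continue
        findings.append({"rule": "kerberos_logon_without_tgt_request", "account": account,
                         "time": ev["Time"], "logon_type": ev.get("LogonType")})
    return findings


def analyze(events, admin_accounts=ADMIN_ACCOUNTS, window=DEFAULT_TGT_WINDOW):
    """Run both rules and return the findings grouped by rule."""
    return {"unexpected_privileges": find_unexpected_privileges(events, admin_accounts),
            "kerberos_logon_without_tgt": find_logons_without_tgt(events, window)}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(SAMPLE_EVENTS), indent=2))
```

Both rules fire on the same account in the sample, which is the combination worth escalating: a missing 4768 alone can also come from an incomplete log set (a TGT issued by another DC whose log was not collected), so a production version should merge logs from every DC before trusting rule 2.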