Detects Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including encryption type mismatches, impossible lifetimes, non-existent accounts, and forged PAC signatures in DC event logs.
npx claudepluginhub killvxk/cybersecurity-skills-zh
- When the KRBTGT account hash may have been compromised through DCSync or extraction of NTDS.dit
Detects Kerberos golden ticket forgery by analyzing Windows Event ID 4769 in Splunk and Elastic SIEM for RC4 (0x17) downgrades, anomalous ticket lifecycles, and krbtgt account anomalies.
```spl
index=wineventlog EventCode=4769
| where TicketEncryptionType="0x17"
| where ServiceName!="krbtgt"
| stats count by TargetUserName ServiceName IpAddress TicketEncryptionType Computer
| where count > 5
| sort -count
```
```spl
index=wineventlog (EventCode=4768 OR EventCode=4769)
| stats earliest(_time) as first_tgt by TargetUserName IpAddress EventCode
| eventstats earliest(eval(if(EventCode=4768, first_tgt, null()))) as tgt_time by TargetUserName IpAddress
| where EventCode=4769 AND (isnull(tgt_time) OR first_tgt < tgt_time)
| table TargetUserName IpAddress first_tgt tgt_time
```
```kql
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| where ServiceName != "krbtgt"
| summarize Count=count() by TargetUserName, IpAddress, ServiceName
| where Count > 5
```
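The two Splunk searches and the KQL query above, as an added Python example (not part of the original skill) that runs the same two checks over constructed sample 4768/4769 events: RC4 (0x17) service tickets to a non-krbtgt SPN, and service-ticket requests from an account/IP pair that never obtained a TGT from the DC. The event dictionaries, times and names are all constructed; the count threshold is a parameter because the sample is small.

```python
"""Golden Ticket hunting over constructed Windows Security events."""
from collections import defaultdict

# Constructed sample events (not real logs); _time is epoch seconds.
EVENTS = [
    {"EventCode": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "_time": 100},
    {"EventCode": 4769, "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "ServiceName": "cifs/fs01", "TicketEncryptionType": "0x12", "_time": 110},
    # "admin" never requested a TGT (no 4768) yet presents one for service
    # tickets, and those tickets are RC4 in an AES domain: both are signals.
    {"EventCode": 4769, "TargetUserName": "admin", "IpAddress": "10.0.0.99",
     "ServiceName": "ldap/dc01", "TicketEncryptionType": "0x17", "_time": 120},
    {"EventCode": 4769, "TargetUserName": "admin", "IpAddress": "10.0.0.99",
     "ServiceName": "cifs/dc01", "TicketEncryptionType": "0x17", "_time": 121},
    {"EventCode": 4624, "TargetUserName": "admin", "IpAddress": "10.0.0.99",
     "ServiceName": "-", "TicketEncryptionType": "-", "_time": 122},
]

RC4_HMAC = "0x17"  # etype 23, the downgrade the Splunk/KQL queries look for


def rc4_service_tickets(events, threshold=5):
    """Account/IP pairs with more than `threshold` RC4 4769s to non-krbtgt SPNs.

    Mirrors the first Splunk search and the KQL query (default threshold 5).
    """
    counts = defaultdict(int)
    for e in events:
        if (e["EventCode"] == 4769 and e["TicketEncryptionType"] == RC4_HMAC
                and e["ServiceName"] != "krbtgt"):
            counts[(e["TargetUserName"], e["IpAddress"])] += 1
    return {k: v for k, v in counts.items() if v > threshold}


def tgs_without_prior_tgt(events):
    """Account/IP pairs whose first 4769 has no earlier 4768 from the DC.

    Mirrors the second Splunk search: a TGT used without ever being issued.
    """
    first_tgt, first_tgs = {}, {}
    for e in events:
        if e["EventCode"] not in (4768, 4769):
            continue  # only TGT (4768) and service ticket (4769) requests matter
        key = (e["TargetUserName"], e["IpAddress"])
        table = first_tgt if e["EventCode"] == 4768 else first_tgs
        table[key] = min(table.get(key, e["_time"]), e["_time"])
    return sorted(k for k, t in first_tgs.items()
                  if k not in first_tgt or t < first_tgt[k])
```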
```text
Hunt ID: TH-GOLDEN-[DATE]-[SEQ]
Suspected Account: [account using the forged ticket]
Source IP: [client IP]
Target Service: [SPN accessed]
Encryption Type: [RC4/AES128/AES256]
Anomaly: [no prior TGT / RC4 used in an AES environment / lifetime exceeded]
KRBTGT Last Reset: [date]
Risk Level: [Critical]
```