Skill

detecting-golden-ticket-forgery

From asi

Detects Kerberos Golden Ticket forgery via Windows Event ID 4769 analysis in Splunk/Elastic SIEM for RC4 encryption downgrades, abnormal lifetimes, and krbtgt anomalies. For threat hunting and SOC detection rules.

Python

security

monitoring

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

A Golden Ticket attack (MITRE ATT&CK T1558.001) involves forging a Kerberos Ticket Granting Ticket (TGT) using the krbtgt account NTLM hash, granting unrestricted access to any service in the Active Directory domain. This skill detects Golden Ticket usage by analyzing Event ID 4769 for RC4 encryption type (0x17) in environments enforcing AES, identifying tickets with abnormal lifetimes exceedin...

SKILL.md

Similar Skills

detecting-golden-ticket-forgery

5.9k

Detects Kerberos Golden Ticket forgery in Windows Event ID 4769 via Splunk/Elastic SIEM, identifying RC4 downgrades, abnormal lifetimes, orphaned TGS, and krbtgt anomalies.

3 files

cybersecurity-skills

detecting-golden-ticket-attacks-in-kerberos-logs

Detects Golden Ticket attacks in Active Directory Kerberos logs by analyzing TGT anomalies like mismatched encryption types, impossible lifetimes, non-existent accounts, and forged PAC signatures. Useful for threat hunting in domain controller event logs.

asi

detecting-golden-ticket-forgery

Detects Kerberos golden ticket forgery by analyzing Windows Event ID 4769 in Splunk and Elastic SIEM for RC4 (0x17) downgrades, anomalous ticket lifecycles, and krbtgt account anomalies.

3 files

cybersecurity-skills-zh

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Detecting Golden Ticket Forgery

Overview

When to Use

When investigating security incidents that require detecting golden ticket forgery

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Windows Domain Controller with Kerberos audit logging enabled

Splunk or Elastic SIEM ingesting Windows Security event logs

Python 3.8+ for offline event log analysis

Knowledge of domain Kerberos encryption policy (AES vs RC4)

Steps

Audit domain Kerberos encryption policy to establish AES-only baseline

Forward Event IDs 4768 and 4769 to SIEM platform

Detect RC4 (0x17) encryption in TGS requests where AES is enforced

Identify TGS requests without corresponding TGT requests (forged ticket indicator)

Alert on ticket lifetimes exceeding MaxTicketAge domain policy

Monitor krbtgt account password age and last reset date

Correlate findings with host/user context for risk scoring

Expected Output

JSON report with Golden Ticket indicators including RC4 downgrades, orphaned TGS requests, abnormal ticket lifetimes, and risk-scored alerts with MITRE ATT&CK technique mapping.