Skill

detecting-pass-the-ticket-attacks

From asi

Detects Kerberos Pass-the-Ticket (PtT) attacks in Splunk or Elastic SIEM by analyzing Windows Event IDs 4768, 4769, 4771 for anomalous ticket reuse, RC4 downgrades, and request volumes.

security

npx claudepluginhub plurigrid/asi --plugin asi

Tool Access

This skill uses the workspace's default tool permissions.

Preview

Pass-the-Ticket (PtT) is a credential theft technique (MITRE ATT&CK T1550.003) where adversaries steal Kerberos tickets (TGT or TGS) from one system and replay them on another to authenticate without knowing the user's password. This skill teaches detection of PtT attacks by correlating Windows Security Event IDs 4768 (TGT request), 4769 (TGS request), and 4771 (pre-authentication failure) for ...

SKILL.md

Similar Skills

detecting-pass-the-ticket-attacks

5.9k

Detects Kerberos Pass-the-Ticket attacks by analyzing Windows Event IDs 4768, 4769, 4771 in Splunk/Elastic SIEM for ticket reuse, RC4 downgrades, and volume anomalies. For threat hunting and SOC monitoring.

3 files

cybersecurity-skills

detecting-golden-ticket-forgery

Detects Kerberos Golden Ticket forgery via Windows Event ID 4769 analysis in Splunk/Elastic SIEM for RC4 encryption downgrades, abnormal lifetimes, and krbtgt anomalies. For threat hunting and SOC detection rules.

asi

detecting-pass-the-ticket-attacks

Detects Kerberos Pass-the-Ticket attacks in Splunk/Elastic SIEM by analyzing Windows event IDs 4768/4769/4771 for anomalies like cross-host ticket reuse, RC4 downgrades, and unusual request volumes.

3 files

cybersecurity-skills-zh

Stats

Parent Repo Stars16

Parent Repo Forks5

Last CommitApr 4, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Detecting Pass-the-Ticket Attacks

Overview

When to Use

When investigating security incidents that require detecting pass the ticket attacks

When building detection rules or threat hunting queries for this domain

When SOC analysts need structured procedures for this analysis type

When validating security monitoring coverage for related attack techniques

Prerequisites

Windows Domain Controller with advanced audit policy enabled (Audit Kerberos Authentication Service, Audit Kerberos Service Ticket Operations)

Splunk or Elastic SIEM ingesting Windows Security event logs

Sysmon deployed on endpoints for supplementary process telemetry

Python 3.8+ with requests library

Steps

Enable Kerberos audit logging on Domain Controllers via Group Policy

Forward Event IDs 4768, 4769, and 4771 to SIEM platform

Deploy detection rules for RC4 encryption downgrade (TicketEncryptionType 0x17)

Create correlation rule for ticket reuse across multiple source IPs

Build baseline of normal TGS request volume per user/host

Alert on standard deviation anomalies in ticket request patterns

Investigate flagged events with enrichment from Active Directory

Expected Output

JSON report containing detected PtT indicators including anomalous ticket requests, RC4 downgrades, cross-host ticket reuse events, and risk-scored users with MITRE ATT&CK technique mapping.