This note documents detection patterns for Golden Ticket attacks in Active Directory. An attacker who holds the krbtgt account's key (NTLM hash or AES key) and the domain SID forges a Kerberos TGT offline, signs it with that key, and presents it to the KDC to obtain service tickets as any principal with any group membership, without ever authenticating to a domain controller.
Direct Indicators
| Log | Event ID | Meaning | Forensic Value | Notes |
|---|---|---|---|---|
| Security | 4768 | Kerberos TGT request (AS-REQ) | Critical | A Golden Ticket is minted offline with the krbtgt key, so the DC logs no 4768 for it. The indicator is therefore the absence of a 4768 for an account/source IP pair that then produces 4769 or 4624 events, plus TGT requests with an unexpected encryption type (TicketEncryptionType 0x17 RC4 where AES is policy). Ticket lifetime is inside the encrypted ticket and is not recorded in this event. |
| Security | 4769 | Kerberos service ticket request (TGS-REQ) | High | Service tickets for many SPNs (cifs, ldap, host) from one source shortly after the forged TGT is injected, with no preceding 4768 for that account and source. TicketEncryptionType 0x17 (RC4) in an AES-only domain is typical of tools that were fed the krbtgt NTLM hash rather than the AES key. |
| Security | 4624 | Successful logon | High | Logon Type 3 with AuthenticationPackageName Kerberos on the target host from an unexpected source; Logon Type 9 (NewCredentials) on the source host when the ticket is injected into a runas /netonly style session. Account or domain fields that do not match the directory (unknown user, FQDN where the NetBIOS domain name is expected, as produced by older tool versions) are forgery tells. |
| Security | 4672 | Special privileges assigned to new logon | Critical | A forged ticket normally carries Domain Admins and Enterprise Admins RIDs in its PAC, so the first logon with it produces a 4672. The event has no source address; correlate with 4624 through the logon ID (SubjectLogonId = TargetLogonId). |
| Security | 4770 | Kerberos service ticket renewed | Medium | Renewals for an account or source that never requested a TGT, or renewals of tickets whose lifetime already exceeds policy. |
| Sysmon | 1 | Process creation | Medium | Execution of Mimikatz (kerberos::golden, kerberos::ptt), Rubeus (golden, /ptt) or Impacket ticketer.py on the source host. Attackers rename binaries, so match on command-line arguments as well as image names. |
| Sysmon | 3 | Network connection | Medium | Kerberos (TCP/UDP 88) traffic from the source host to a DC, followed by SMB (445) or LDAP (389) connections to the services named in the 4769 events. |
Indirect Indicators
| Indicator | What To Look For | Forensic Value | Notes |
|---|---|---|---|
| Kerberos ticket lifetime anomalies | TGTs whose End Time minus Start Time exceeds the domain policy (10 hours by default; Mimikatz mints 10-year tickets unless told otherwise) | Critical | The lifetime lives inside the encrypted ticket and does not appear in 4768/4769. Collect it from the source host's ticket cache (klist) or from EDR telemetry that enumerates cached tickets. |
| Authentication from non-domain-joined or unexpected systems | 4769/4624 IpAddress values belonging to hosts that never requested a TGT, or to networks that should not reach a DC | High | The attacker may use a compromised workstation, a VPN client, or a non-domain Linux host running Impacket. |
| Use of nonexistent user accounts | 4769/4624 TargetUserName values that do not resolve to an AD object | Critical | The PAC in a forged TGT is self-asserted, so any username works; the KDC only checks the account against the directory once the TGT is more than 20 minutes old. |
| Administrative activity after authentication | Group membership changes (4728/4732/4756), ACL modifications on AdminSDHolder or the domain head, new GPOs or accounts | Critical | Indicates the forged privileges are being used to establish persistence. |
| Unusual service access patterns | Service tickets for many distinct SPNs (cifs, ldap, host) within minutes of the first forged-ticket event | High | Suggests the attacker is enumerating or moving through the environment with the new TGT. |
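The lifetime and encryption-type indicators above can only be checked on the host that holds the ticket. The following is an added example (not part of the original note) that parses a Windows klist dump and flags TGTs that outlive the policy, use RC4, or were never fetched from a KDC. It assumes the domain keeps the default 10-hour maximum TGT lifetime and issues AES tickets; the klist text is constructed sample output, and the blank "Kdc Called" heuristic for injected tickets is an assumption to validate in your own environment.

```python
"""Triage a Windows klist dump for Golden Ticket tells (added example, not from the page).

Assumed, not stated by the page: the domain keeps the default 10-hour maximum
TGT lifetime and issues AES tickets. Under those assumptions a cached TGT that
outlives the policy, uses RC4, or was never obtained from a KDC ("Kdc Called"
blank, as for a ticket injected with kerberos::ptt) deserves a look. The klist
text below is constructed sample output, not captured from a real host.
"""
import re
from datetime import datetime, timedelta

SAMPLE_KLIST = """\
Current LogonId is 0:0x3e7

Cached Tickets: (2)

#0>     Client: Administrator @ LAB.LOCAL
        Server: krbtgt/LAB.LOCAL @ LAB.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 7/27/2023 10:15:23 (local)
        End Time:   7/24/2033 10:15:23 (local)
        Renew Time: 7/24/2033 10:15:23 (local)
        Session Key Type: RSADSI RC4-HMAC(NT)
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called:

#1>     Client: jdoe @ LAB.LOCAL
        Server: krbtgt/LAB.LOCAL @ LAB.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e10000 -> forwardable renewable initial pre_authent name_canonicalize
        Start Time: 7/27/2023 09:00:00 (local)
        End Time:   7/27/2023 19:00:00 (local)
        Renew Time: 8/3/2023 09:00:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
        Cache Flags: 0x1 -> PRIMARY
        Kdc Called: DC01.lab.local
"""

MAX_TGT_LIFETIME = timedelta(hours=10)  # assumed: default domain Kerberos policy
TIME_FMT = "%m/%d/%Y %H:%M:%S"          # klist short date format (US locale)


def parse_klist(text):
    """Return one {field: value} dict per cached ticket in klist output."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = {}
        for line in block.strip().splitlines():
            line = line.strip()
            if line.startswith("Ticket Flags"):          # this line has no colon
                fields["Ticket Flags"] = line[len("Ticket Flags"):].strip()
            elif ":" in line:
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        tickets.append(fields)
    return tickets


def _when(value):
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def golden_ticket_findings(text, max_lifetime=MAX_TGT_LIFETIME):
    """Map each suspicious TGT's Client to the list of reasons it was flagged."""
    findings = {}
    for t in parse_klist(text):
        if not t.get("Server", "").startswith("krbtgt/"):
            continue  # service tickets derive from the TGT; judge the TGT itself
        reasons = []
        lifetime = _when(t["End Time"]) - _when(t["Start Time"])
        if lifetime > max_lifetime:
            reasons.append(f"lifetime {lifetime} exceeds policy maximum {max_lifetime}")
        if "RC4" in t.get("KerbTicket Encryption Type", ""):
            reasons.append("RC4 TGT in a domain that issues AES tickets")
        if not t.get("Kdc Called"):
            reasons.append("no KDC was contacted for this TGT (injected ticket?)")
        if reasons:
            findings[t["Client"]] = reasons
    return findings


if __name__ == "__main__":
    for client, reasons in golden_ticket_findings(SAMPLE_KLIST).items():
        print(f"{client}: " + "; ".join(reasons))
```

On a live host, feed it the output of `klist` run in the suspect logon session (Golden Tickets are usually injected into the session the attacker controls, so `klist -li <LogonId>` from an elevated prompt may be needed to see it). The 10-year lifetime is the loudest tell; the RC4 and "Kdc Called" checks catch tickets forged with a deliberately short lifetime.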
Common Tools
| Tool | Usage |
|---|---|
| Mimikatz | Forges TGTs (kerberos::golden) from the krbtgt NTLM hash or AES key plus the domain SID and can inject them into the current session (/ptt). Defaults to a 10-year lifetime and to RC4 when given the NTLM hash. |
| Rubeus | Forges (golden), renews and injects (/ptt) Kerberos tickets from a compromised Windows host; can create a separate logon session for the ticket (/createnetonly). |
| Impacket ticketer.py | Forges tickets from Linux using -nthash or -aesKey and -domain-sid; the resulting ccache is used through KRB5CCNAME with other Impacket tools. |
| Kekeo | Kerberos manipulation toolkit. |
| Invoke-Mimikatz | PowerShell wrapper for Mimikatz. |
Relevant Artifacts
- Security logs from domain controllers (4768, 4769, 4770) and from the target hosts (4624, 4672)
- Kerberos operational logs
- Sysmon logs (1, 3)
- LSASS memory on the source host, which holds the injected ticket
- EDR telemetry identifying credential dumping and ticket injection tools
- Network authentication telemetry (Kerberos on port 88, followed by SMB/LDAP to the targets)
- Prefetch artifacts showing execution of Mimikatz or Rubeus
- Kerberos ticket cache on the source host (klist, or a memory dump) for the forged TGT's lifetime, encryption type and flags
MITRE ATT&CK References
- T1558 Steal or Forge Kerberos Tickets
- T1558.001 Golden Ticket
- T1078 Valid Accounts
Decision Tree
- Is the suspicious event present?
- Look for service ticket requests (4769) or Kerberos logons (4624) for a user account with no 4768 from the same account and source within the preceding TGT lifetime (10 hours by default), or with RC4 (0x17) tickets where AES is policy.
- What host generated the event?
- Identify the source IpAddress in the 4769/4624 events; that is the host holding the forged ticket.
- Is the account expected to perform this action?
- Check that the TargetUserName exists in AD and that its real group memberships match the privileges granted in 4672.
- Pivot:
- Source host → inspect process creation (Sysmon 1) and the ticket cache (klist) for Mimikatz, Rubeus, or an injected TGT with an abnormal lifetime.
- Account → review privileges assigned during the session (4672) and any directory changes made with them.
- Network → enumerate the service ticket requests (4769) and the SMB/LDAP connections that followed.
- Confirm exploitation
- Determine whether the forged TGT obtained service tickets and access (4769 on the DC followed by 4624 on the targets). If it did, treat the krbtgt key as compromised and plan the double reset.
Example Detection Templates
KQL
```kql
// 4769 service ticket requests for user accounts with no 4768 TGT request
// from the same account and source: the shape of an offline-forged TGT
let tgt = SecurityEvent
    | where EventID == 4768
    | project IpAddress, Account = tolower(TargetUserName);
SecurityEvent
| where EventID == 4769 and TargetUserName !contains "$"
| extend Account = tolower(tostring(split(TargetUserName, "@")[0]))
| join kind=leftanti tgt on IpAddress, Account
| summarize Services = make_set(ServiceName), Requests = count() by Account, IpAddress, TicketEncryptionType, bin(TimeGenerated, 5m)
```

Scope the query to the TGT lifetime (10 hours by default) so that a TGT requested days earlier does not excuse today's service tickets. 4672 carries no source address, so privileged logons are joined to their 4624 through the logon ID:

```kql
SecurityEvent
| where EventID == 4672
| project TimeGenerated, Computer, SubjectUserName, SubjectDomainName, SubjectLogonId, PrivilegeList
| join kind=inner (SecurityEvent | where EventID == 4624 | project TargetLogonId, IpAddress, AuthenticationPackageName, LogonType) on $left.SubjectLogonId == $right.TargetLogonId
```
EQL
```eql
// RC4 service tickets for user accounts in a domain that issues AES tickets
any where event.code == "4769" and winlog.event_data.TicketEncryptionType == "0x17" and not stringContains(winlog.event_data.TargetUserName, "$")
```
Sigma
```yaml
title: Suspicious Kerberos Service Ticket Request (RC4)
id: golden-ticket-detection
status: experimental
description: Detects RC4 (0x17) service ticket requests for user accounts in a domain whose policy issues AES tickets, a common artefact of Golden Tickets forged from the krbtgt NTLM hash
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4769
    TicketEncryptionType: '0x17'
  filter_machine:
    TargetUserName|contains: '$'
  condition: selection and not filter_machine
fields:
  - TargetUserName
  - IpAddress
  - ServiceName
falsepositives:
  - Legacy systems or accounts that still negotiate RC4
  - Accounts with AES explicitly disabled in msDS-SupportedEncryptionTypes
level: medium
tags:
  - attack.credential_access
  - attack.t1558.001
```
Splunk
```spl
index=main source="WinEventLog:Security" EventCode IN (4768,4769,4770) user!=*$
| rex field=user "(?<username>[^@]+)"
| rex field=src_ip "(\:\:ffff\:)?(?<src_ip_4>[0-9\.]+)"
| transaction username, src_ip_4 maxspan=10h keepevicted=true startswith=(EventCode=4768)
| where closed_txn=0
| search NOT user="*$@*"
| table _time, ComputerName, username, src_ip_4, service_name, category
```

The search groups Kerberos events by user and source IPv4 (the rex strips the ::ffff: prefix the DC logs for IPv4-mapped addresses) into transactions that must begin with a 4768 and may last up to the default 10-hour TGT lifetime. With keepevicted=true, 4769/4770 events that could not be attached to a 4768-started transaction are still output, marked closed_txn=0: service ticket activity with no TGT request from that user and host, which is what a Golden Ticket looks like to the DC. The two user filters drop computer accounts, which request their own TGTs constantly. Set the time range with the search time picker and adjust index and source to your ingestion.
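The same correlation the SIEM templates express, run offline over exported DC events, as an added example that is not part of the original note. It assumes the events were exported as dicts carrying the Security log field names (EventID, TargetUserName, IpAddress, TicketEncryptionType, ServiceName), that the domain keeps the default 10-hour TGT lifetime and issues AES tickets; the event list and the set of known accounts are constructed samples. It checks three things per service ticket request: no preceding 4768 from the same account and source within the TGT lifetime, RC4 encryption, and a username that does not exist in AD.

```python
"""Correlate exported DC Security events for Golden Ticket use (added example, not from the page).

Assumed, not stated by the page: 4768/4769 events have been exported from the
domain controllers as dicts carrying the Security log field names (EventID,
TargetUserName, IpAddress, TicketEncryptionType, ServiceName), the domain keeps
the default 10-hour TGT lifetime, and it issues AES tickets. The event list and
the account list are constructed samples, not real log data.
"""
from datetime import datetime, timedelta

MAX_TGT_LIFETIME = timedelta(hours=10)                   # assumed domain policy
KNOWN_ACCOUNTS = {"jdoe", "administrator", "svc_backup"}  # constructed: sAMAccountNames in AD


def ts(s):
    return datetime.fromisoformat(s)


SAMPLE_EVENTS = [
    # jdoe: AS-REQ (4768) then TGS-REQ (4769) from the same host, the normal shape
    {"Time": ts("2023-07-27T09:00:00"), "EventID": 4768, "TargetUserName": "jdoe",
     "IpAddress": "::ffff:10.0.0.21", "TicketEncryptionType": "0x12"},
    {"Time": ts("2023-07-27T09:00:05"), "EventID": 4769, "TargetUserName": "jdoe@LAB.LOCAL",
     "IpAddress": "::ffff:10.0.0.21", "ServiceName": "FS01$", "TicketEncryptionType": "0x12"},
    # forged TGT: service tickets with no AS-REQ from that host, RC4, and a name AD does not know
    {"Time": ts("2023-07-27T10:15:30"), "EventID": 4769, "TargetUserName": "hacker@LAB.LOCAL",
     "IpAddress": "::ffff:10.0.0.99", "ServiceName": "DC01$", "TicketEncryptionType": "0x17"},
    {"Time": ts("2023-07-27T10:15:31"), "EventID": 4769, "TargetUserName": "hacker@LAB.LOCAL",
     "IpAddress": "::ffff:10.0.0.99", "ServiceName": "cifs/FS01.lab.local", "TicketEncryptionType": "0x17"},
    # computer account: constant background noise, excluded by the "$" filter
    {"Time": ts("2023-07-27T10:16:00"), "EventID": 4769, "TargetUserName": "WS07$@LAB.LOCAL",
     "IpAddress": "::ffff:10.0.0.7", "ServiceName": "ldap/DC01.lab.local", "TicketEncryptionType": "0x12"},
]


def account_of(name):
    """Normalise 'jdoe@LAB.LOCAL' (4769 form) and 'jdoe' (4768 form) to 'jdoe'."""
    return name.split("@", 1)[0].lower()


def find_suspect_tgs(events, known=KNOWN_ACCOUNTS, window=MAX_TGT_LIFETIME):
    """Return (time, account, ip, service, reasons) for 4769 events that look like forged-TGT use.

    A real TGT is preceded by a 4768 for the same account from the same source
    within the TGT lifetime. A Golden Ticket is minted offline with the krbtgt
    key, so the DC never sees that AS-REQ: the 4769 arrives with no 4768 behind it.
    """
    tgt_times = {}
    for e in events:
        if e["EventID"] == 4768:
            key = (account_of(e["TargetUserName"]), e["IpAddress"])
            tgt_times.setdefault(key, []).append(e["Time"])

    suspects = []
    for e in sorted(events, key=lambda x: x["Time"]):
        acct = account_of(e["TargetUserName"])
        if e["EventID"] != 4769 or acct.endswith("$"):
            continue
        ip = e["IpAddress"]
        reasons = []
        if not any(timedelta(0) <= e["Time"] - t <= window for t in tgt_times.get((acct, ip), [])):
            reasons.append("no 4768 from this source within the TGT lifetime")
        if e.get("TicketEncryptionType") == "0x17":
            reasons.append("RC4 service ticket in a domain that issues AES")
        if acct not in known:
            reasons.append("account does not exist in AD")
        if reasons:
            suspects.append((e["Time"].isoformat(), acct, ip, e.get("ServiceName"), reasons))
    return suspects


if __name__ == "__main__":
    for when, acct, ip, svc, reasons in find_suspect_tgs(SAMPLE_EVENTS):
        print(f"{when} {acct} from {ip} -> {svc}: " + "; ".join(reasons))
```

A single missing 4768 is weak evidence on its own (the TGT may have been requested before the export window, or from a different DC whose log was not collected), which is why the function reports reasons rather than a verdict: the RC4 and unknown-account checks are what turn a gap into a finding. Collect from every DC, or the correlation will produce false gaps.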
Mitigation & Hardening
| Control Area | Mitigation | Effectiveness | Notes |
|---|---|---|---|
| KRBTGT key rotation | Reset the krbtgt password twice, letting AD replication converge between the resets, after any suspected domain compromise and on a regular schedule | Critical | The KDC accepts tickets signed with the previous krbtgt key as well as the current one, so forged tickets survive the first reset and die only after the second. Resetting twice in quick succession can break legitimate sessions. |
| Credential protection | Restrict who holds directory replication rights (DCSync needs DS-Replication-Get-Changes-All), who can log on to DCs, and who can read NTDS.dit backups; protect DC LSASS memory | High | The krbtgt key is usually taken by DCSync, from a copy of NTDS.dit, or from a DC's LSASS, so endpoint LSASS hardening alone does not cover it. Alert on 4662 replication requests from non-DC sources. |
| Monitoring | Correlate 4769/4624 against 4768 per account and source; collect ticket caches (klist) or EDR Kerberos telemetry to check lifetimes and encryption types | High | Lifetimes are not in DC events; encryption type (0x17 vs 0x12/0x11) is. |
| Tiered administration | Separate privileged accounts from workstation usage | High | Limits the paths by which an attacker reaches a DC or replication rights in the first place. |
| EDR protection | Detect and block credential dumping and ticket injection (Mimikatz, Rubeus /ptt, LSASS access) on endpoints | High | Raises the cost of the precursor steps and of using the ticket; it does not by itself stop krbtgt key theft via DCSync. |