detecting-golden-ticket-attacks-in-kerberos-logs

# Detecting Golden Ticket Attacks in Kerberos Logs ## When to Use - When KRBTGT account hash may have been compromised via DCSync or NTDS.dit extraction - When hunting for forged Kerberos tickets used for persistent domain access - After incident response reveals credential theft at the domain level - When investigating impossible logon patterns (users logging in from multiple locations simultaneously) - During post-breach assessment to determine if Golden Tickets are in use ## Prerequisites - Windows Security Event IDs 4768, 4769, 4771 on domain controllers - Kerberos policy configuration knowledge (max ticket lifetime, encryption types) - Domain controller audit policy enabling Kerberos Service Ticket Operations - SIEM with ability to correlate Kerberos events across multiple DCs ## Workflow 1. **Monitor TGT Requests (Event 4768)**: Track Kerberos authentication service requests. Golden Tickets bypass the AS-REQ/AS-REP exchange entirely, so the absence of 4768 before 4769 is suspicious. 2. **Detect Encryption Type Anomalies**: Golden Tickets often use RC4 (0x17) encryption. If your domain enforces AES (0x12), any RC4 TGT is a red flag. Monitor TicketEncryptionType in Event 4769. 3. **Check Ticket Lifetime Anomalies**: Default Kerberos TGT lifetime is 10 hours with 7-day renewal. Golden Tickets can be forged with 10-year lifetimes. Detect tickets with durations exceeding policy. 4. **Hunt for Non-Existent SIDs**: Golden Tickets can include arbitrary SIDs (including non...