# detecting-golden-ticket-forgery

```
$ npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-golden-ticket-forgery
```

Detect forged Kerberos tickets via Event ID 4769 analysis.
- Identify RC4 downgrades and abnormal ticket lifetimes.
- Integrates with Splunk and Elastic SIEM platforms.
- Correlates missing TGT requests with suspicious TGS activity.
- Surfaces alerts for krbtgt password age anomalies.
## SKILL.md (`.github/skills/detecting-golden-ticket-forgery`)
---
name: detecting-golden-ticket-forgery
description: Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM
domain: cybersecurity
subdomain: threat-detection
tags:
  - golden-ticket
  - kerberos
  - active-directory
  - mimikatz
  - splunk
  - credential-theft
  - windows-security
version: "1.0"
author: mahipal
license: Apache-2.0
---

# Detecting Golden Ticket Forgery

## Overview

A Golden Ticket attack (MITRE ATT&CK T1558.001) involves forging a Kerberos Ticket Granting Ticket (TGT) using the krbtgt account NTLM hash, granting unrestricted access to any service in the Active Directory domain. This skill detects Golden Ticket usage by analyzing Event ID 4769 for RC4 encryption type (0x17) in environments enforcing AES, identifying tickets with abnormal lifetimes exceeding domain policy, correlating TGS requests with missing corresponding TGT requests (Event ID 4768), and detecting krbtgt password age anomalies.

## When to Use

- When investigating security incidents that require detecting golden ticket forgery
- When building detection rules or threat hunting queries for this domain
- When SOC analysts need structured procedures for this analysis type
- When validating security monitoring coverage for related attack techniques

## Prerequisites

- Windows Domain Controller with Kerberos audit logging enabled
- Splunk or Elastic SIEM ingesting Windows Security event logs
- Python 3.8+ for offline event log analysis
- Knowledge of domain Kerberos encryption policy (AES vs RC4)

## Steps

1. Audit domain Kerberos encryption policy to establish AES-only baseline
2. Forward Event IDs 4768 and 4769 to SIEM platform
3. Detect RC4 (0x17) encryption in TGS requests where AES is enforced
4. Identify TGS requests without corresponding TGT requests (forged ticket indicator)
5. Alert on ticket lifetimes exceeding MaxTicketAge domain policy
6. Monitor krbtgt account password age and last reset date
7. Correlate findings with host/user context for risk scoring

## Expected Output

JSON report with Golden Ticket indicators including RC4 downgrades, orphaned TGS requests, abnormal ticket lifetimes, and risk-scored alerts with MITRE ATT&CK technique mapping.
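The following is an added example of the offline analysis the steps above describe (steps 3 through 7); it is not the skill's own code. It assumes 4768/4769 events already exported as JSON records whose field names follow the Windows Security event XML (`TargetUserName`, `ServiceName`, `IpAddress`, `TicketEncryptionType`), and the sample events, indicator weights and the 180-day krbtgt password-age threshold are constructed values for illustration. Because Event ID 4769 does not carry ticket start and end times, the lifetime check takes those from a separate ticket listing (for example, tickets enumerated on a host), and the RC4 check is only meaningful once step 1 has confirmed that AES is enforced, since services whose accounts have no AES keys legitimately receive RC4 tickets.

```python
"""Offline Golden Ticket indicator analysis over exported 4768/4769 events.
Added example (hypothetical), not the skill's own implementation."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                               # etype 23, RC4-HMAC
DEFAULT_MAX_TICKET_AGE = timedelta(hours=10)  # default domain MaxTicketAge
TECHNIQUE = "T1558.001"                       # MITRE ATT&CK: Golden Ticket

# Assumed indicator weights for per-account risk scoring.
WEIGHTS = {"rc4_downgrade": 40, "orphaned_tgs": 50, "krbtgt_password_age": 20}

# Constructed sample events (not real telemetry). alice has a normal AS/TGS
# exchange; mallory has an RC4 service ticket with no preceding TGT request.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-05-01T08:00:00", "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T08:00:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "cifs/fs01", "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TimeCreated": "2024-05-01T09:30:00", "TargetUserName": "mallory@CORP.LOCAL",
     "ServiceName": "ldap/dc01", "IpAddress": "10.0.0.77", "TicketEncryptionType": "0x17"},
]


def normalize_user(name):
    """Map 'alice@CORP.LOCAL' and 'CORP\\alice' to 'alice' so 4768/4769 join."""
    return name.split("@")[0].split("\\")[-1].lower()


def parse_time(s):
    return datetime.fromisoformat(s)


def find_rc4_downgrades(events, aes_enforced=True):
    """4769 events with an RC4 service ticket; only an indicator under an AES baseline."""
    if not aes_enforced:
        return []
    return [e for e in events
            if e["EventID"] == 4769 and int(e["TicketEncryptionType"], 16) == RC4_HMAC]


def find_orphaned_tgs(events, window=DEFAULT_MAX_TICKET_AGE):
    """4769 events with no 4768 for the same account within `window` before them.
    A forged TGT is never issued by the KDC, so the TGS request has no AS exchange.
    TGT renewals (Event ID 4770) are not considered here."""
    tgt_times = defaultdict(list)
    for e in events:
        if e["EventID"] == 4768:
            tgt_times[normalize_user(e["TargetUserName"])].append(parse_time(e["TimeCreated"]))
    orphans = []
    for e in events:
        if e["EventID"] != 4769:
            continue
        t = parse_time(e["TimeCreated"])
        user = normalize_user(e["TargetUserName"])
        if not any(timedelta(0) <= (t - tt) <= window for tt in tgt_times[user]):
            orphans.append(e)
    return orphans


def ticket_lifetime_exceeded(start, end, max_age=DEFAULT_MAX_TICKET_AGE):
    """Lifetime check on ticket start/end times collected from a host ticket listing."""
    return (parse_time(end) - parse_time(start)) > max_age


def krbtgt_password_age_days(pwd_last_set, now):
    return (parse_time(now) - parse_time(pwd_last_set)).days


def build_report(events, krbtgt_pwd_last_set, now, aes_enforced=True, max_krbtgt_age_days=180):
    """Assemble the JSON-style report: alerts, per-account risk scores, technique mapping."""
    alerts = []
    for e in find_rc4_downgrades(events, aes_enforced):
        alerts.append({"indicator": "rc4_downgrade", "account": normalize_user(e["TargetUserName"]),
                       "service": e["ServiceName"], "source_ip": e["IpAddress"], "time": e["TimeCreated"]})
    for e in find_orphaned_tgs(events):
        alerts.append({"indicator": "orphaned_tgs", "account": normalize_user(e["TargetUserName"]),
                       "service": e["ServiceName"], "source_ip": e["IpAddress"], "time": e["TimeCreated"]})
    age = krbtgt_password_age_days(krbtgt_pwd_last_set, now)
    if age > max_krbtgt_age_days:
        alerts.append({"indicator": "krbtgt_password_age", "account": "krbtgt", "age_days": age})
    scores = defaultdict(int)
    for a in alerts:
        scores[a["account"]] += WEIGHTS[a["indicator"]]
    return {"technique": TECHNIQUE, "alerts": alerts, "risk_scores": dict(scores)}


if __name__ == "__main__":
    print(json.dumps(build_report(SAMPLE_EVENTS, "2022-01-15T00:00:00", "2024-05-01T12:00:00"), indent=2))
```

The correlation window for orphaned TGS requests is the domain MaxTicketAge: a legitimately issued TGT must have been requested within that span, so a service ticket request with no 4768 inside the window is the orphan the steps describe. In a SIEM the same join is expressed as a transaction or sequence query keyed on the normalized account name.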