detecting-pass-the-ticket-attacks
$
npx mdskill add mukul975/Anthropic-Cybersecurity-Skills/detecting-pass-the-ticket-attacksDetect Kerberos PtT attacks by analyzing Windows Event IDs in Splunk and Elastic.
- Correlates Event IDs 4768, 4769, and 4771 to identify anomalous ticket reuse.
- Integrates with Splunk and Elastic SIEM for real-time threat detection.
- Flags suspicious patterns like RC4 downgrades or high request volumes.
- Generates actionable alerts for SOC analysts investigating credential theft.
SKILL.md
.github/skills/detecting-pass-the-ticket-attacksView on GitHub ↗
--- name: detecting-pass-the-ticket-attacks description: Detect Kerberos Pass-the-Ticket (PtT) attacks by analyzing Windows Event IDs 4768, 4769, and 4771 for anomalous ticket usage patterns in Splunk and Elastic SIEM domain: cybersecurity subdomain: threat-detection tags: - kerberos - pass-the-ticket - active-directory - splunk - elastic - credential-theft - windows-security version: "1.0" author: mahipal license: Apache-2.0 --- # Detecting Pass-the-Ticket Attacks ## Overview Pass-the-Ticket (PtT) is a credential theft technique (MITRE ATT&CK T1550.003) where adversaries steal Kerberos tickets (TGT or TGS) from one system and replay them on another to authenticate without knowing the user's password. This skill teaches detection of PtT attacks by correlating Windows Security Event IDs 4768 (TGT request), 4769 (TGS request), and 4771 (pre-authentication failure) for anomalies such as ticket reuse across different hosts, RC4 encryption downgrades, and unusual service ticket request volumes. ## When to Use - When investigating security incidents that require detecting pass the ticket attacks - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Windows Domain Controller with advanced audit policy enabled (Audit Kerberos Authentication Service, Audit Kerberos Service Ticket Operations) - Splunk or Elastic SIEM ingesting Windows Security event logs - Sysmon deployed on endpoints for supplementary process telemetry - Python 3.8+ with `requests` library ## Steps 1. Enable Kerberos audit logging on Domain Controllers via Group Policy 2. Forward Event IDs 4768, 4769, and 4771 to SIEM platform 3. Deploy detection rules for RC4 encryption downgrade (TicketEncryptionType 0x17) 4. Create correlation rule for ticket reuse across multiple source IPs 5. Build baseline of normal TGS request volume per user/host 6. Alert on standard deviation anomalies in ticket request patterns 7. Investigate flagged events with enrichment from Active Directory ## Expected Output JSON report containing detected PtT indicators including anomalous ticket requests, RC4 downgrades, cross-host ticket reuse events, and risk-scored users with MITRE ATT&CK technique mapping.
More from mukul975/Anthropic-Cybersecurity-Skills
- acquiring-disk-image-with-dd-and-dcflddCreate forensically sound bit-for-bit disk images using dd and dcfldd while preserving evidence integrity through hash verification.
- analyzing-active-directory-acl-abuseDetect dangerous ACL misconfigurations in Active Directory using ldap3 to identify GenericAll, WriteDACL, and WriteOwner abuse paths
- analyzing-android-malware-with-apktoolPerform static analysis of Android APK malware samples using apktool for decompilation, jadx for Java source recovery, and androguard for permission analysis, manifest inspection, and suspicious API call detection.
- analyzing-api-gateway-access-logs>
- analyzing-apt-group-with-mitre-navigatorAnalyze advanced persistent threat (APT) group techniques using MITRE ATT&CK Navigator to create layered heatmaps of adversary TTPs for detection gap analysis and threat-informed defense.
- analyzing-azure-activity-logs-for-threats>
- analyzing-bootkit-and-rootkit-samples>
- analyzing-browser-forensics-with-hindsightAnalyze Chromium-based browser artifacts using Hindsight to extract browsing history, downloads, cookies, cached content, autofill data, saved passwords, and browser extensions from Chrome, Edge, Brave, and Opera for forensic investigation.
- analyzing-campaign-attribution-evidenceCampaign attribution analysis involves systematically evaluating evidence to determine which threat actor or group is responsible for a cyber operation. This skill covers collecting and weighting attr
- analyzing-certificate-transparency-for-phishingMonitor Certificate Transparency logs using crt.sh and Certstream to detect phishing domains, lookalike certificates, and unauthorized certificate issuance targeting your organization.