Kerberos Golden Ticket Detection FAQs

Question 1

Which Windows Event IDs are required for this skill to work?

Accepted Answer

Effective detection requires Windows Security Event IDs 4768 (Kerberos TGT Request), 4769 (Kerberos Service Ticket Request), and 4771 (Kerberos Authentication Failure) collected from domain controllers.

Question 2

Is this skill compatible with major SIEM platforms?

Accepted Answer

Yes, it includes pre-configured detection queries specifically written for Splunk (SPL) and Microsoft Sentinel/Azure Monitor (KQL).

Question 3

Can this skill detect attacks if the KRBTGT password has been reset?

Accepted Answer

Yes. Since Golden Tickets remain valid until the KRBTGT hash used to sign them is invalidated (which requires two password resets), this skill helps monitor for persistence from previous compromise periods.

Question 4

How does this skill help with MITRE ATT&CK compliance?

Accepted Answer

It directly maps to technique T1558.001 (Golden Ticket), providing actionable detection workflows to mitigate one of the most critical credential abuse tactics used by advanced persistent threats.

Question 5

What are the primary indicators of a Golden Ticket attack?

Accepted Answer

Key indicators include the use of RC4 encryption (0x17) in AES-only environments, ticket lifetimes exceeding the standard 10-hour window, and the presence of TGS requests without a corresponding prior TGT request.

Kerberos Golden Ticket Detection

Kerberos Golden Ticket Detection

Key Features

Use Cases

Key Features

Use Cases