detecting-golden-ticket-attacks
Installation
SKILL.md
Instructions
- Install dependencies:
pip install python-evtx lxml - Collect Windows Security EVTX logs from domain controllers.
- Parse Event IDs:
- 4768: Kerberos TGT requests (authentication service requests)
- 4624: Logon events (look for LogonType 3 with NTLM or Kerberos)
- 4672: Special privileges assigned (admin logon indicators)
- Detect golden ticket indicators:
- TGT with lifetime >10 hours (default max is 10h)
- Event 4672 for accounts not in Domain Admins
- Logon events with no corresponding 4768 TGT request
- Domain SID inconsistencies in ticket data
- Generate detection report with timeline reconstruction.
python scripts/agent.py --evtx-file /path/to/Security.evtx --output golden_ticket_report.json