
Detecting Golden Ticket Attacks in Kerberos Logs

When to Use

  • When the KRBTGT account hash may have been compromised via DCSync or NTDS.dit extraction
  • When hunting for forged Kerberos tickets used for persistent domain access
  • After incident response reveals credential theft at the domain level
  • When investigating impossible logon patterns (users logging in from multiple locations simultaneously)
  • During post-breach assessment to determine if Golden Tickets are in use

Prerequisites

  • Windows Security Event IDs 4768, 4769, 4771 on domain controllers
  • Kerberos policy configuration knowledge (max ticket lifetime, encryption types)
  • Domain controller audit policy with Kerberos Service Ticket Operations auditing enabled
  • A SIEM able to correlate Kerberos events across multiple DCs
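
An added example (not part of this skill page) showing the correlations these prerequisites imply, run over a constructed stream of 4768/4769 events as a SIEM would present them after merging all DCs; the tuple layout, the 10-hour TGT lifetime and the 5-minute window are assumptions:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already merged from all DCs (a TGT may be issued by one DC
# and the service ticket by another, so a single DC's log is not enough).
# Tuple layout (assumed): (timestamp, event_id, account, source_ip, ticket_encryption_type)
SAMPLE_EVENTS = [
    ("2026-03-18T08:00:00", 4768, "alice", "10.0.0.5", 0x12),       # TGT issued, AES256
    ("2026-03-18T08:00:05", 4769, "alice", "10.0.0.5", 0x12),       # normal service ticket
    ("2026-03-18T09:15:00", 4769, "admin-svc", "10.0.0.77", 0x17),  # no TGT on any DC, RC4
    ("2026-03-18T09:15:30", 4769, "admin-svc", "10.0.0.78", 0x17),  # second host, seconds later
    ("2026-03-18T10:00:00", 4768, "bob", "10.0.0.9", 0x12),
    ("2026-03-18T10:00:01", 4769, "bob", "10.0.0.9", 0x12),
    ("2026-03-18T10:02:00", 4769, "bob", "10.0.0.40", 0x12),        # same user, new IP
]

RC4_HMAC = 0x17                           # TicketEncryptionType value for RC4-HMAC
TGT_MAX_AGE = timedelta(hours=10)         # assumed domain max TGT lifetime (default policy)
CONCURRENT_WINDOW = timedelta(minutes=5)  # assumed window for "simultaneous" logons

def find_golden_ticket_indicators(events, tgt_max_age=TGT_MAX_AGE, window=CONCURRENT_WINDOW):
    """Return {account: set of reasons} for accounts whose 4769 activity looks forged."""
    tgt_times = defaultdict(list)  # account -> times a DC actually issued a TGT (4768)
    seen = defaultdict(list)       # account -> [(time, ip)] of service ticket requests
    findings = defaultdict(set)
    for ts, event_id, account, ip, etype in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if event_id == 4768:
            tgt_times[account].append(t)
            continue
        if event_id != 4769:
            continue
        # 1. A forged TGT is never issued by a DC, so no 4768 precedes the 4769 within
        #    the ticket lifetime anywhere in the domain.
        if not any(timedelta(0) <= t - issued <= tgt_max_age for issued in tgt_times[account]):
            findings[account].add("TGS request without prior TGT issuance")
        # 2. A TGT forged from the KRBTGT NT hash is RC4-encrypted; in an AES-only
        #    domain that encryption type is a downgrade worth checking.
        if etype == RC4_HMAC:
            findings[account].add("RC4 encryption type on service ticket")
        # 3. Same account requesting tickets from different hosts within a short window
        #    (the "impossible logon" pattern; triage against VPN/roaming before escalating).
        if any(prev_ip != ip and t - prev_t <= window for prev_t, prev_ip in seen[account]):
            findings[account].add("tickets from multiple source IPs within window")
        seen[account].append((t, ip))
    return dict(findings)

if __name__ == "__main__":
    for account, reasons in find_golden_ticket_indicators(SAMPLE_EVENTS).items():
        print(account, sorted(reasons))
```

Each indicator on its own is noisy (a TGT older than the window, or a roaming user, trips one); the forged-ticket case above is the account that trips all three.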

Workflow

First Seen: Mar 18, 2026