Detect Golden Ticket Attacks

v20260317

detecting-golden-ticket-attacks

Analyzes Windows Security EVTX logs to detect Kerberos golden ticket assaults by correlating event IDs 4768, 4624, and 4672, flagging long-lived TGTs, privilege escalations without group changes, SID inconsistencies, and outputting a timeline-based report.

Kerberos Security Cybersecurity LogAnalysis EVTX AttackDetection IncidentResponse

Get Skill

335 downloads

Overview

Instructions

Install dependencies: pip install python-evtx lxml
Collect Windows Security EVTX logs from domain controllers.
Parse Event IDs:
- 4768: Kerberos TGT requests (authentication service requests)
- 4624: Logon events (look for LogonType 3 with NTLM or Kerberos)
- 4672: Special privileges assigned (admin logon indicators)
Detect golden ticket indicators:
- TGT with lifetime >10 hours (default max is 10h)
- Event 4672 for accounts not in Domain Admins
- Logon events with no corresponding 4768 TGT request
- Domain SID inconsistencies in ticket data
Generate detection report with timeline reconstruction.

python scripts/agent.py --evtx-file /path/to/Security.evtx --output golden_ticket_report.json

Examples

Detect Anomalous Privilege Assignment

Event 4672 for a standard user account receiving SeDebugPrivilege, SeTcbPrivilege, or SeBackupPrivilege indicates potential golden ticket usage.

TGT Without Corresponding AS-REQ

A logon event (4624) with Kerberos authentication but no matching 4768 (TGT request) on the DC suggests a forged TGT.

Info

Category Development

Name detecting-golden-ticket-attacks

Version v20260317

Size 8.42KB

Source mukul975/Anthropic-Cybersecurity-Skills

Updated At 2026-03-18