
DET0144 Detect Forged Kerberos Golden Tickets (T1558.001)

| Item | Value |
|---|---|
| ID | DET0144 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1558.001 (Golden Ticket)

Analytics

Windows

AN0405

Detects forged Kerberos Golden Tickets by correlating anomalous Kerberos ticket lifetimes, unexpected encryption types (e.g., RC4 in modern domains), malformed fields in logon/logoff events, and TGS requests without preceding TGT requests. Also monitors for abnormal patterns of access associated with elevated privileges across multiple systems.

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4672, 4634 |
| Active Directory Credential Request (DC0084) | WinEventLog:Security | EventCode=4769 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

Mutable Elements

| Field | Description |
|---|---|
| TicketLifetimeThreshold | Kerberos TGT ticket lifetime exceeding default domain duration; tunable to environment-specific policies. |
| AllowedEncryptionTypes | Valid encryption algorithms for Kerberos tickets; anomalies (e.g., RC4) may indicate forgery. |
| PrivilegedAccountPatterns | Baseline of privileged accounts expected to perform Kerberos operations; deviations indicate suspicious activity. |
| ProcessAllowlist | Expected processes interacting with lsass.exe; deviations may indicate credential dumping. |
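The following is an added example, not part of this detection strategy page, showing how the AN0405 correlation (unexpected encryption type, TGS request without a preceding TGT request, privileged logon outside the baseline) could be prototyped over constructed sample events. The flattened event fields, the use of Security event 4768 (TGT request) as the "preceding TGT request", and the default values chosen for the mutable elements are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). Fields mirror Security log
# 4768 (TGT requested), 4769 (service ticket requested) and 4672 (privileged logon).
EVENTS = [
    {"time": "2025-10-21T08:00:00", "EventCode": 4768, "TargetUserName": "alice",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12"},
    {"time": "2025-10-21T08:00:05", "EventCode": 4769, "TargetUserName": "alice@CORP.LOCAL",
     "IpAddress": "10.0.0.5", "TicketEncryptionType": "0x12"},
    # No 4768 ever seen for this account, RC4 (0x17) ticket, privileges outside the baseline
    {"time": "2025-10-21T09:00:00", "EventCode": 4769, "TargetUserName": "svc-backup@CORP.LOCAL",
     "IpAddress": "10.0.0.99", "TicketEncryptionType": "0x17"},
    {"time": "2025-10-21T09:00:01", "EventCode": 4672, "TargetUserName": "svc-backup",
     "IpAddress": "10.0.0.99"},
]

# Mutable elements from the strategy, with assumed default values.
ALLOWED_ENCRYPTION_TYPES = {"0x11", "0x12"}        # AES128 / AES256 only
TICKET_LIFETIME_THRESHOLD = timedelta(hours=10)    # default domain TGT lifetime
PRIVILEGED_ACCOUNT_PATTERNS = {"alice", "domain-admin-01"}

def account(name: str) -> str:
    """Normalise 'user@REALM' (4769) and bare 'user' (4768/4672) to one key."""
    return name.split("@")[0].lower()

def detect(events, allowed_enc=ALLOWED_ENCRYPTION_TYPES,
           lifetime=TICKET_LIFETIME_THRESHOLD, privileged=PRIVILEGED_ACCOUNT_PATTERNS):
    """Return (rule, account, time) alerts from the events, processed in time order."""
    last_tgt = {}   # account -> time of the most recent 4768 seen by this collector
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        acct = account(ev["TargetUserName"])
        code = ev["EventCode"]
        if code == 4768:
            last_tgt[acct] = t
        elif code == 4769:
            if ev.get("TicketEncryptionType") not in allowed_enc:
                alerts.append(("unexpected_encryption", acct, ev["time"]))
            # A service ticket requires a TGT; none within the TGT lifetime means the
            # TGT was not issued here (forged, or issued by a DC whose 4768s are not collected).
            issued = last_tgt.get(acct)
            if issued is None or t - issued > lifetime:
                alerts.append(("tgs_without_tgt", acct, ev["time"]))
        elif code == 4672 and acct not in privileged:
            alerts.append(("unbaselined_privileged_logon", acct, ev["time"]))
    return alerts
```

Running `detect(EVENTS)` on the constructed sample yields three alerts for svc-backup and none for alice; in a multi-DC domain the 4768 stream must be collected from every DC, or the TGS-without-TGT rule will false-positive.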