detecting-golden-ticket-forgery
Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM
Best use case
detecting-golden-ticket-forgery is best used when you need a repeatable AI agent workflow instead of a one-off prompt.
Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM
Teams using detecting-golden-ticket-forgery should expect a more consistent output, faster repeated execution, less prompt rewriting.
When to use this skill
- You want a reusable workflow that can be run more than once with consistent structure.
When not to use this skill
- You only need a quick one-off answer and do not need a reusable workflow.
- You cannot install or maintain the underlying files, dependencies, or repository context.
Installation
Claude Code / Cursor / Codex
Manual Installation
- Download SKILL.md from GitHub
- Place it in
.claude/skills/detecting-golden-ticket-forgery/SKILL.mdinside your project - Restart your AI agent — it will auto-discover the skill
How detecting-golden-ticket-forgery Compares
| Feature / Agent | detecting-golden-ticket-forgery | Standard Approach |
|---|---|---|
| Platform Support | Not specified | Limited / Varies |
| Context Awareness | High | Baseline |
| Installation Complexity | Unknown | N/A |
Frequently Asked Questions
What does this skill do?
Detect Kerberos Golden Ticket forgery by analyzing Windows Event ID 4769 for RC4 encryption downgrades (0x17), abnormal ticket lifetimes, and krbtgt account anomalies in Splunk and Elastic SIEM
Where can I find the source code?
You can find the source code on GitHub using the link provided at the top of the page.
SKILL.md Source
# Detecting Golden Ticket Forgery ## Overview A Golden Ticket attack (MITRE ATT&CK T1558.001) involves forging a Kerberos Ticket Granting Ticket (TGT) using the krbtgt account NTLM hash, granting unrestricted access to any service in the Active Directory domain. This skill detects Golden Ticket usage by analyzing Event ID 4769 for RC4 encryption type (0x17) in environments enforcing AES, identifying tickets with abnormal lifetimes exceeding domain policy, correlating TGS requests with missing corresponding TGT requests (Event ID 4768), and detecting krbtgt password age anomalies. ## When to Use - When investigating security incidents that require detecting golden ticket forgery - When building detection rules or threat hunting queries for this domain - When SOC analysts need structured procedures for this analysis type - When validating security monitoring coverage for related attack techniques ## Prerequisites - Windows Domain Controller with Kerberos audit logging enabled - Splunk or Elastic SIEM ingesting Windows Security event logs - Python 3.8+ for offline event log analysis - Knowledge of domain Kerberos encryption policy (AES vs RC4) ## Steps 1. Audit domain Kerberos encryption policy to establish AES-only baseline 2. Forward Event IDs 4768 and 4769 to SIEM platform 3. Detect RC4 (0x17) encryption in TGS requests where AES is enforced 4. Identify TGS requests without corresponding TGT requests (forged ticket indicator) 5. Alert on ticket lifetimes exceeding MaxTicketAge domain policy 6. Monitor krbtgt account password age and last reset date 7. Correlate findings with host/user context for risk scoring ## Expected Output JSON report with Golden Ticket indicators including RC4 downgrades, orphaned TGS requests, abnormal ticket lifetimes, and risk-scored alerts with MITRE ATT&CK technique mapping.