Anthropic-Cybersecurity-Skills/skills/detecting-pass-the-ticket-attacks/references/api-reference.md
mukul975 757f1c8eae Add 5 new cybersecurity skills with full implementations
- implementing-vulnerability-management-with-greenbone: python-gvm GMP API, scan task creation, XML report parsing
- detecting-email-account-compromise: Microsoft Graph inbox rules, impossible travel detection, OAuth grant analysis
- performing-threat-intelligence-sharing-with-misp: PyMISP event creation, attribute management, sharing validation
- analyzing-cobaltstrike-malleable-c2-profiles: dissect.cobaltstrike C2Profile parsing, Suricata rule generation
- hunting-for-registry-run-key-persistence: Sysmon Event 13 analysis, T1547.001 detection, Sigma rule generation
2026-03-11 00:41:59 +01:00


Pass-the-Ticket Detection API Reference

Windows Security Event IDs

Event ID 4768 - TGT Requested

Key Fields:
  TargetUserName      - Account requesting TGT
  TargetDomainName    - Domain of account
  IpAddress           - Source IP of request
  TicketEncryptionType - 0x12 (AES256), 0x17 (RC4-HMAC)
  PreAuthType         - 15 (PA-ENC-TIMESTAMP)

Event ID 4769 - TGS Requested

Key Fields:
  TargetUserName      - Account using the ticket
  ServiceName         - SPN of requested service
  IpAddress           - Source IP
  TicketEncryptionType - 0x17 indicates RC4 downgrade
  TicketOptions       - Kerberos ticket flags

Event ID 4771 - Kerberos Pre-Authentication Failed

Key Fields:
  TargetUserName      - Account that failed
  IpAddress           - Source of failure
  Status              - 0x18 (wrong password), 0x12 (expired)

Splunk SPL Queries

RC4 Encryption Downgrade Detection

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
  TicketEncryptionType=0x17
| stats count by TargetUserName, IpAddress, ServiceName
| where count > 3

Cross-Host Ticket Reuse

index=wineventlog EventCode=4769
| stats dc(IpAddress) as ip_count, values(IpAddress) as ips
  by TargetUserName
| where ip_count > 1
| sort -ip_count

TGS Volume Anomaly

index=wineventlog EventCode=4769
| bin _time span=1h
| stats count by TargetUserName, _time
| eventstats avg(count) as avg_count, stdev(count) as sd by TargetUserName
| where count > avg_count + (3 * sd)
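The RC4 downgrade and cross-host reuse checks above, applied offline to an exported event log, as an added example (it is not the skill's own agent.py). It assumes an Event Viewer style XML export with a root Events element; the three events embedded in it are constructed sample data, not real log output.

```python
# Added example (not the skill's agent.py): apply the two 4769 checks to an
# exported Windows event log XML. Sample events below are constructed.
from collections import defaultdict
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed export: one user's TGS requests arrive from two hosts, one of them RC4.
SAMPLE_XML = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><EventID>4769</EventID></System><EventData>
<Data Name="TargetUserName">jsmith@CORP.LOCAL</Data><Data Name="ServiceName">cifs/fs01</Data>
<Data Name="IpAddress">::ffff:10.0.0.5</Data><Data Name="TicketEncryptionType">0x12</Data>
</EventData></Event>
<Event><System><EventID>4769</EventID></System><EventData>
<Data Name="TargetUserName">jsmith@CORP.LOCAL</Data><Data Name="ServiceName">cifs/fs01</Data>
<Data Name="IpAddress">::ffff:10.0.0.77</Data><Data Name="TicketEncryptionType">0x17</Data>
</EventData></Event>
<Event><System><EventID>4768</EventID></System><EventData>
<Data Name="TargetUserName">jsmith</Data><Data Name="IpAddress">::ffff:10.0.0.5</Data>
</EventData></Event>
</Events>"""

def parse_events(xml_text, event_id="4769"):
    """Yield a dict of EventData fields for each event with the given EventID."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != event_id:
            continue
        yield {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}

def detect_ptt(xml_text, ip_threshold=1):
    """Flag RC4 (0x17) TGS requests and users requesting TGS from more than ip_threshold IPs."""
    rc4, ips_by_user = [], defaultdict(set)
    for ev in parse_events(xml_text):
        user = ev.get("TargetUserName", "")
        # Security log records IPv4 clients as IPv4-mapped IPv6; normalise for grouping.
        ip = ev.get("IpAddress", "").replace("::ffff:", "")
        ips_by_user[user].add(ip)
        if ev.get("TicketEncryptionType", "").lower() == "0x17":
            rc4.append({"user": user, "ip": ip, "service": ev.get("ServiceName", "")})
    reuse = {u: sorted(ips) for u, ips in ips_by_user.items() if len(ips) > ip_threshold}
    return {"rc4_downgrade": rc4, "cross_host_reuse": reuse}

if __name__ == "__main__":
    print(detect_ptt(SAMPLE_XML))
```

Service accounts that legitimately authenticate from many hosts will trip the reuse check, so raise ip_threshold or allow-list them before alerting.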

Elastic / KQL Queries

RC4 Downgrade in Elastic

event.code: "4769" AND winlog.event_data.TicketEncryptionType: "0x17"

Cross-Host Reuse in Elastic

POST security-*/_search
{
  "size": 0,
  "query": { "term": { "event.code": "4769" } },
  "aggs": {
    "by_user": {
      "terms": { "field": "winlog.event_data.TargetUserName" },
      "aggs": {
        "unique_ips": { "cardinality": { "field": "source.ip" } }
      }
    }
  }
}

MITRE ATT&CK Mapping

Technique                                               ID         Detection
Use Alternate Authentication Material: Pass the Ticket  T1550.003  RC4 downgrade, cross-host reuse
Steal or Forge Kerberos Tickets: Kerberoasting          T1558.003  High TGS volume for SPNs
Brute Force: Password Spraying                          T1110.003  Pre-auth failure spikes

CLI Usage

# Parse exported event log XML and detect PtT indicators
python agent.py --evtx-xml security_events.xml --output report.json

# Show Splunk detection queries
python agent.py --show-splunk

# Custom thresholds
python agent.py --evtx-xml events.xml --tgs-threshold 30 --preauth-threshold 5