Files
Anthropic-Cybersecurity-Skills/skills/detecting-golden-ticket-attacks.bak/references/api-reference.md
T
mukul975 c47eed6a64 Production hardening: security fixes, code quality, 724 skills complete
- Fix 25 shell=True subprocess calls with list-based commands
- Fix 49 verify=False in defensive skills (env-var override)
- Add timeout to 231 HTTP/subprocess/socket calls
- Fix 6 SQL injection patterns with whitelist validation
- Replace 8 __import__() with standard imports
- Remove 701 unused imports across 442 files
- Add authorized-testing disclaimers to all offensive skills
- Complete 11 incomplete skill directories
- Expand 10 stub SKILL.md files with full content
- Fix 2 YAML parse errors in frontmatter
- Fix 5 pre-existing syntax errors
- Convert 22 hardcoded paths/ports to environment variables
- Back up 21 redundant skill pairs to .bak
- Fix 2 global declaration errors
- 724/724 skills with full folder anatomy (SKILL.md + agent.py + api-reference.md + LICENSE)
- 0 compile errors across all 724 agent.py files
2026-03-19 13:26:49 +01:00

1.5 KiB

API Reference: Detecting Golden Ticket Attacks

python-evtx Library

from Evtx.Evtx import FileHeader
with open("Security.evtx", "rb") as f:
    fh = FileHeader(f)
    for record in fh.records():
        xml_string = record.xml()

Key Event IDs

Event 4768 - Kerberos TGT Request (AS-REQ)

<Data Name="TargetUserName">admin_user</Data>
<Data Name="TargetDomainName">CORP.LOCAL</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.50</Data>

Event 4624 - Logon Event

<Data Name="TargetUserName">user</Data>
<Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="IpAddress">10.0.0.50</Data>
<Data Name="WorkstationName">WKS01</Data>

Event 4672 - Special Privileges Assigned

<Data Name="SubjectUserName">user</Data>
<Data Name="SubjectDomainName">CORP</Data>
<Data Name="PrivilegeList">SeDebugPrivilege SeTcbPrivilege</Data>

Golden Ticket Detection Indicators

Indicator Evidence
Orphan logon 4624 Kerberos logon with no 4768 TGT request
Privilege anomaly 4672 admin privs for non-admin account
Abnormal TGT lifetime TGT valid >10 hours (default max)
RC4 TGT majority >50% of TGTs using 0x17 encryption
Domain SID mismatch TGT domain SID differs from DC

MITRE ATT&CK

  • T1558.001 - Golden Ticket
  • T1550 - Use Alternate Authentication Material