creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-13 22:54:53 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
ccce7d4e068efecc2f98c385c8e5c01d969fc9bc
Anthropic-Cybersecurity-Skills/skills/detecting-golden-ticket-attacks/references/api-reference.md
T
mukul975 27c6414ca5 Add folder anatomy (scripts/agent.py + references/api-reference.md) for 648 cybersecurity skills 
Complete skill folder anatomy across all cybersecurity skills:
- scripts/agent.py: 80-150 line Python agents using real libraries (impacket,
  boto3, azure-mgmt-*, kubernetes, pefile, yara, scapy, shodan, stix2, etc.)
- references/api-reference.md: real API documentation with method signatures
- LICENSE: MIT license for all skill folders
2026-03-10 21:02:12 +01:00

51 lines
1.5 KiB
Markdown
Raw Blame History

# API Reference: Detecting Golden Ticket Attacks
## python-evtx Library
```python
from Evtx.Evtx import FileHeader
with open("Security.evtx", "rb") as f:
fh = FileHeader(f)
for record in fh.records():
xml_string = record.xml()
```
## Key Event IDs
### Event 4768 - Kerberos TGT Request (AS-REQ)
```xml
<Data Name="TargetUserName">admin_user</Data>
<Data Name="TargetDomainName">CORP.LOCAL</Data>
<Data Name="TicketEncryptionType">0x12</Data>
<Data Name="PreAuthType">15</Data>
<Data Name="IpAddress">::ffff:10.0.0.50</Data>
```
### Event 4624 - Logon Event
```xml
<Data Name="TargetUserName">user</Data>
<Data Name="LogonType">3</Data>
<Data Name="AuthenticationPackageName">Kerberos</Data>
<Data Name="IpAddress">10.0.0.50</Data>
<Data Name="WorkstationName">WKS01</Data>
```
### Event 4672 - Special Privileges Assigned
```xml
<Data Name="SubjectUserName">user</Data>
<Data Name="SubjectDomainName">CORP</Data>
<Data Name="PrivilegeList">SeDebugPrivilege SeTcbPrivilege</Data>
```
## Golden Ticket Detection Indicators
| Indicator | Evidence |
|-----------|----------|
| Orphan logon | 4624 Kerberos logon with no 4768 TGT request |
| Privilege anomaly | 4672 admin privs for non-admin account |
| Abnormal TGT lifetime | TGT valid >10 hours (default max) |
| RC4 TGT majority | >50% of TGTs using 0x17 encryption |
| Domain SID mismatch | TGT domain SID differs from DC |
## MITRE ATT&CK
- T1558.001 - Golden Ticket
- T1550 - Use Alternate Authentication Material
Reference in New Issue View Git Blame Copy Permalink