Anthropic-Cybersecurity-Skills/skills/conducting-pass-the-ticket-attack/references/api-reference.md
mukul975 c21af3347e Complete folder anatomy for all 649 cybersecurity skills + update LICENSE to Mahipal
- Add scripts/agent.py and references/api-reference.md to all remaining skills
- Update all 648 LICENSE files: copyright now reads 'Mahipal'
- Add implementing-security-monitoring-with-datadog (new skill with full anatomy)
- All 649 skills now have: SKILL.md, LICENSE, scripts/agent.py, references/api-reference.md
2026-03-11 00:22:12 +01:00


# Pass-the-Ticket Detection — API Reference
## Libraries
| Library | Install | Purpose |
|---------|---------|---------|
| impacket | `pip install impacket` | Kerberos ticket manipulation (ticketer.py, getST.py) |
| ldap3 | `pip install ldap3` | AD LDAP queries for SPN and account enumeration |
| pySigma | `pip install pySigma` | Sigma rule parsing and conversion |
## Key Windows Event IDs
| Event ID | Description | Relevance |
|----------|-------------|-----------|
| 4768 | Kerberos TGT request | Golden ticket detection (RC4 = 0x17) |
| 4769 | Kerberos service ticket request | Silver ticket / Kerberoasting |
| 4770 | Kerberos service ticket renewed | Ticket reuse indicator |
| 4771 | Kerberos pre-auth failed | Password spray detection |
| 4624 | Successful logon | Correlate with ticket usage |
## Encryption Type Constants
| Value | Algorithm | Concern |
|-------|-----------|---------|
| 0x17 | RC4-HMAC | Downgrade attack indicator |
| 0x12 | AES-256 | Expected modern encryption |
| 0x11 | AES-128 | Acceptable encryption |
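
The two tables above combine into a simple triage pass over 4768/4769 records. The following is an added example, not code from this repository: the records are constructed, the field names (`TargetUserName`, `IpAddress`, `TicketEncryptionType`) follow the 4768/4769 event schema, and `triage` and `parse_etype` are hypothetical helper names.

```python
# Encryption types from the table above: value -> (algorithm, concern)
ETYPES = {
    0x17: ("RC4-HMAC", "downgrade attack indicator"),
    0x12: ("AES-256", "expected modern encryption"),
    0x11: ("AES-128", "acceptable encryption"),
}
# Only these events carry a TicketEncryptionType field.
TICKET_EVENTS = {4768: "TGT request", 4769: "service ticket request"}

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.21", "TicketEncryptionType": "0x12"},
    {"EventID": 4769, "TargetUserName": "bob", "IpAddress": "10.0.0.44", "TicketEncryptionType": "0x17"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "10.0.0.44", "TicketEncryptionType": "0x17"},
    {"EventID": 4624, "TargetUserName": "alice", "IpAddress": "10.0.0.21"},
    {"EventID": 4769, "TargetUserName": "carol", "IpAddress": "10.0.0.30", "TicketEncryptionType": "0xFFFFFFFF"},
    {"EventID": 4769, "TargetUserName": "dave", "IpAddress": "10.0.0.31", "TicketEncryptionType": "0x11"},
]


def parse_etype(raw):
    """Return the encryption type as an int, or None if absent or malformed."""
    if isinstance(raw, int):
        return raw
    try:
        return int(str(raw), 16)  # events render the field as a hex string
    except ValueError:
        return None


def triage(events):
    """Split ticket events into RC4 hits and values the table does not list."""
    rc4, unlisted = [], []
    for ev in events:
        kind = TICKET_EVENTS.get(ev.get("EventID"))
        etype = parse_etype(ev.get("TicketEncryptionType"))
        if kind is None or etype is None:
            continue  # not a ticket event, or no usable etype
        summary = (ev["EventID"], kind, ev.get("TargetUserName"), ev.get("IpAddress"))
        if etype not in ETYPES:
            unlisted.append(summary + (hex(etype),))
        elif etype == 0x17:
            rc4.append(summary + ETYPES[etype])
    return {"rc4": rc4, "unlisted": unlisted}


if __name__ == "__main__":
    for bucket, rows in triage(SAMPLE_EVENTS).items():
        for row in rows:
            print(bucket, *row)
```

An RC4 hit is an indicator to check against the environment's baseline, since legacy clients and services may still request RC4; values outside the table are kept separately for review rather than silently dropped.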
## MITRE ATT&CK Mapping
| Technique | ID |
|-----------|----|
| Use Alternate Authentication Material: Pass the Ticket | T1550.003 |
| Steal or Forge Kerberos Tickets: Golden Ticket | T1558.001 |
| Steal or Forge Kerberos Tickets: Silver Ticket | T1558.002 |
## External References
- [impacket ticketer.py](https://github.com/fortra/impacket/blob/master/examples/ticketer.py)
- [Microsoft Kerberos Event Logging](https://learn.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768)
- [Sigma Rules Repository](https://github.com/SigmaHQ/sigma)
- [ADSecurity.org Kerberos Attacks](https://adsecurity.org/?p=1515)