GoldenTicket

A Golden Ticket attack is a type of attack in which an adversary gains control over an Active Directory Key Distribution Service Account (KRBTGT), and uses that account to create valid Kerberos Ticket Granting Tickets (TGTs).

| Event IDs | Audit Policies | Value |
|---|---|---|
| 4768 | Category: Account Logon; Sub-category: Kerberos Authentication Service | Success and Failure |
| 4769 | Category: Account Logon; Sub-category: Kerberos Service Ticket Operations | Success and Failure |
| 4770 | Category: Account Logon; Sub-category: Kerberos Service Ticket Operations | Success |

Requires Sysmon extension: No
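A check for the audit settings listed above, as an added example that is not part of the original page: it parses the CSV report produced by `auditpol /get /category:"Account Logon" /r` and returns the required outcomes that are not being audited. The sample report, the host name `DC01` and the GUID placeholders are constructed, and English subcategory names are assumed.

```python
import csv
import io

# Required settings from the table above: subcategory -> outcomes that must be audited.
# 4769 needs Success and Failure and 4770 needs Success; both events come from the
# same subcategory, so the stricter requirement applies to it.
REQUIRED = {
    "Kerberos Authentication Service": {"Success", "Failure"},     # 4768
    "Kerberos Service Ticket Operations": {"Success", "Failure"},  # 4769, 4770
}


def parse_setting(text):
    """Turn an auditpol 'Inclusion Setting' value into a set of audited outcomes."""
    return {word for word in ("Success", "Failure") if word in text}


def missing_audit_settings(auditpol_csv):
    """Return {subcategory: sorted missing outcomes} for the required subcategories."""
    current = {}
    for row in csv.DictReader(io.StringIO(auditpol_csv.strip())):
        current[row["Subcategory"].strip()] = parse_setting(row["Inclusion Setting"])
    gaps = {}
    for subcategory, needed in REQUIRED.items():
        # A subcategory absent from the report is treated as not audited at all.
        missing = needed - current.get(subcategory, set())
        if missing:
            gaps[subcategory] = sorted(missing)
    return gaps


# Constructed sample of the CSV report (not captured from a real domain controller).
SAMPLE = """\
Machine Name,Policy Target,Subcategory,Subcategory GUID,Inclusion Setting,Exclusion Setting
DC01,System,Credential Validation,{GUID-PLACEHOLDER},Success,
DC01,System,Kerberos Service Ticket Operations,{GUID-PLACEHOLDER},Success,
DC01,System,Kerberos Authentication Service,{GUID-PLACEHOLDER},No Auditing,
"""

if __name__ == "__main__":
    for subcategory, missing in missing_audit_settings(SAMPLE).items():
        print(f"{subcategory}: not auditing {' and '.join(missing)}")
```

An empty result means events 4768, 4769 and 4770 will all be logged as the table requires.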
