Detects Golden Ticket attacks in Active Directory by analyzing Kerberos TGT anomalies including encryption type mismatches, impossible lifetimes, non-existent accounts, and forged PAC signatures in DC event logs.
Slash command: /cybersecurity-skills-zh:detecting-golden-ticket-attacks-in-kerberos-logs
- When the KRBTGT account hash may have been compromised through DCSync or extraction from NTDS.dit
index=wineventlog EventCode=4769
| where TicketEncryptionType="0x17"
| where ServiceName!="krbtgt"
| stats count by TargetUserName ServiceName IpAddress TicketEncryptionType Computer
| where count > 5
| sort -count
index=wineventlog (EventCode=4768 OR EventCode=4769)
| stats earliest(_time) as first_tgt by TargetUserName IpAddress EventCode
| eventstats earliest(eval(if(EventCode=4768, first_tgt, null()))) as tgt_time by TargetUserName IpAddress
| where EventCode=4769 AND (isnull(tgt_time) OR first_tgt < tgt_time)
| table TargetUserName IpAddress first_tgt tgt_time
SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| where ServiceName != "krbtgt"
| summarize Count=count() by TargetUserName, IpAddress, ServiceName
| where Count > 5
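The two detections above (RC4 service tickets to non-krbtgt SPNs, and a TGS request with no earlier TGT from the same user and client IP) re-implemented in Python over constructed sample events, as an added example that is not part of the skill's own queries; the field names mirror the SPL/KQL above and the event records are made up.

```python
from collections import defaultdict

# Constructed sample DC events (not from the page). 4768 = TGT request, 4769 = TGS
# request. _time is epoch seconds; 0x12 = AES256-CTS-HMAC, 0x17 = RC4-HMAC.
def ev(code, t, user, ip, svc, etype):
    return {"EventCode": code, "_time": t, "TargetUserName": user,
            "IpAddress": ip, "ServiceName": svc, "TicketEncryptionType": etype}

EVENTS = [
    ev(4768, 100, "alice", "10.0.0.5", "krbtgt", "0x12"),     # normal: TGT first
    ev(4769, 130, "alice", "10.0.0.5", "cifs/fs01", "0x12"),  # then a service ticket
    ev(4769, 50, "bob", "10.0.0.6", "ldap/dc01", "0x12"),     # TGS before any TGT
    ev(4768, 80, "bob", "10.0.0.6", "krbtgt", "0x12"),
] + [
    # six RC4 service tickets for a principal that never requested a TGT here
    ev(4769, 200 + i, "Administrator", "10.0.0.9", "cifs/dc01", "0x17") for i in range(6)
]

def tgs_without_tgt(events):
    """Mirror the second SPL query: flag (user, ip) pairs whose earliest 4769 has
    no earlier 4768 from the same user and client IP."""
    first_seen = {}  # (user, ip, EventCode) -> earliest _time
    for e in events:
        key = (e["TargetUserName"], e["IpAddress"], e["EventCode"])
        first_seen[key] = min(first_seen.get(key, e["_time"]), e["_time"])
    hits = []
    for (user, ip, code), first_tgs in first_seen.items():
        if code != 4769:
            continue
        tgt_time = first_seen.get((user, ip, 4768))
        if tgt_time is None or first_tgs < tgt_time:
            hits.append((user, ip))
    return sorted(hits)

def rc4_service_tickets(events, threshold=5):
    """Count RC4 (0x17) service-ticket requests to non-krbtgt SPNs per
    user/SPN/IP and return the tuples over threshold (the 'count > 5' rule)."""
    counts = defaultdict(int)
    for e in events:
        if (e["EventCode"] == 4769 and e["TicketEncryptionType"] == "0x17"
                and e["ServiceName"] != "krbtgt"):
            counts[(e["TargetUserName"], e["ServiceName"], e["IpAddress"])] += 1
    return sorted(k for k, c in counts.items() if c > threshold)

if __name__ == "__main__":
    print("TGS without prior TGT:", tgs_without_tgt(EVENTS))
    print("RC4 service tickets:", rc4_service_tickets(EVENTS))
```

A TGT issued by a different domain controller, or before the search window, also lands in tgs_without_tgt, so correlate 4768 events across all DCs before escalating a hit.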
Hunt ID: TH-GOLDEN-[DATE]-[SEQ]
Suspected Account: [account using the forged ticket]
Source IP: [client IP]
Target Service: [SPN accessed]
Encryption Type: [RC4/AES128/AES256]
Anomaly: [no prior TGT / RC4 used in an AES environment / ticket lifetime exceeded]
KRBTGT Last Reset: [date]
Risk Level: [Critical]
npx claudepluginhub killvxk/cybersecurity-skills-zh