T1558.001

Golden Ticket

Adversaries who have obtained the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), known as golden tickets. Golden tickets enable adversaries to generate authentication material for any account in Active Directory with arbitrary group memberships, privilege levels, and ticket lifetimes — including non-existent accounts. The KRBTGT hash is typically obtained via OS Credential Dumping (DCSync or direct LSASS dump) against a domain controller. Tools including Mimikatz (kerberos::golden), Rubeus (golden /rc4: or /aes256:), Impacket ticketer.py, and the Empire/Sliver frameworks can generate forged TGTs locally without contacting the KDC. The forged ticket is then injected into memory (Pass-the-Ticket) and used to request Kerberos Service Tickets (TGS) for any resource in the domain. Golden tickets are highly persistent: they remain valid until the KRBTGT password is reset twice, and the attacker can regenerate them at will as long as the KRBTGT hash is known.

Microsoft Sentinel / Defender

kusto

// Golden Ticket Detection — Tool execution and Kerberos encryption anomaly signals
let LookbackPeriod = 24h;
let MimikatzGoldenPatterns = dynamic([
    "kerberos::golden", "kerberos::silver", "kerberos::ptt",
    "kerberos::purge", "kerberos::list", "sekurlsa::krbtgt",
    "/ptt", "/rc4:", "/aes256:", "/ticket:", "/sid:"
]);
let RubeusGoldenPatterns = dynamic([
    "golden /rc4:", "golden /aes128:", "golden /aes256:",
    "golden /des:", "silver /rc4:", "silver /aes256:",
    "ptt /ticket:", "asktgt /user:"
]);
// Component 1: Golden ticket tool execution (Mimikatz, Rubeus)
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName =~ "mimikatz.exe"
    or FileName =~ "rubeus.exe"
    or ProcessCommandLine has "kerberos::golden"
    or ProcessCommandLine has "kerberos::silver"
    or ProcessCommandLine has_any (MimikatzGoldenPatterns)
    or ProcessCommandLine has_any (RubeusGoldenPatterns)
| extend DetectionType = "GoldenTicket_ToolExecution"
| extend ToolIndicator = case(
    ProcessCommandLine has "kerberos::golden", "Mimikatz_kerberos::golden",
    ProcessCommandLine has "kerberos::silver", "Mimikatz_kerberos::silver",
    ProcessCommandLine has "kerberos::ptt",   "Mimikatz_Pass-the-Ticket",
    ProcessCommandLine has "golden /rc4:",     "Rubeus_golden_RC4",
    ProcessCommandLine has "golden /aes256:",  "Rubeus_golden_AES256",
    ProcessCommandLine has "ptt /ticket:",     "Rubeus_PTT",
    FileName =~ "mimikatz.exe",               "Mimikatz_binary",
    FileName =~ "rubeus.exe",                 "Rubeus_binary",
    "Unknown_KerberosTool"
)
| project
    Timestamp,
    DeviceName,
    AccountName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    DetectionType,
    ToolIndicator;
// Component 2: Kerberos TGS requests using RC4-HMAC encryption (Event 4769)
// In environments with AES enforcement, RC4 (0x17) ticket requests indicate forged tickets
// Golden tickets default to RC4 when attacker only has NT hash, not AES key
let KerberosRC4 = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769
| parse EventData with * 'ServiceName">' ServiceName '<' *
| parse EventData with * 'TicketEncryptionType">' TicketEncryptionType '<' *
| parse EventData with * 'IpAddress">' ClientAddress '<' *
| parse EventData with * 'Status">' TicketStatus '<' *
| where TicketEncryptionType =~ "0x17"          // RC4-HMAC — golden ticket default
| where TicketStatus =~ "0x0"                   // Successful requests only
| where ServiceName !endswith "$"               // Exclude machine account TGS requests
| where ServiceName !in~ ("krbtgt", "kadmin/changepw") // Exclude KDC internal
| where ClientAddress !in ("::1", "127.0.0.1", "-")
| extend DetectionType = "GoldenTicket_KerberosRC4Encryption"
| extend ToolIndicator = "RC4-HMAC_TGS_Request"
| project
    Timestamp = TimeGenerated,
    DeviceName = Computer,
    AccountName = Account,
    ServiceName,
    ClientAddress,
    TicketEncryptionType,
    DetectionType,
    ToolIndicator;
union ToolExecution, KerberosRC4
| sort by Timestamp desc

critical severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint Windows Security Event Log — Event ID 4769 (Kerberos Service Ticket Request)

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

Legacy applications, services, and printers that do not support AES Kerberos and legitimately request RC4-encrypted TGS tickets (Event 4769 TicketEncryptionType 0x17) — common with older SQL Server service accounts, legacy IIS application pools, and SMB shares on Windows Server 2008
Authorized penetration testing or red team exercises using Mimikatz or Rubeus under a signed rules of engagement — verify against change management records and pentest scheduling windows
Security operations tooling that monitors Kerberos ticket state using Mimikatz kerberos::list for read-only inspection without ticket forgery
IT provisioning scripts or identity governance tools that interact with Kerberos ticket handling on admin workstations

Splunk

spl

| union
    [search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
    | rex field=Message "Service Name:\s+(?<ServiceName>[^\r\n]+)"
    | rex field=Message "Ticket Encryption Type:\s+(?<TicketEncryptionType>0x[0-9a-fA-F]+)"
    | rex field=Message "Client Address:\s+(?<ClientAddress>[^\r\n]+)"
    | rex field=Message "Result Code:\s+(?<Status>0x[0-9a-fA-F]+)"
    | where TicketEncryptionType="0x17"
    | where Status="0x0"
    | where NOT match(ServiceName, "\$") AND NOT (ServiceName="krbtgt" OR ServiceName="kadmin/changepw")
    | where NOT (ClientAddress="::1" OR ClientAddress="127.0.0.1" OR ClientAddress="-")
    | eval DetectionType="GoldenTicket_KerberosRC4Encryption"
    | eval ToolIndicator="RC4-HMAC_TGS_Request"
    | table _time, host, user, ServiceName, ClientAddress, TicketEncryptionType, DetectionType, ToolIndicator]
    [search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
    | eval Image=lower(Image), CommandLine=lower(CommandLine)
    | where Image LIKE "%\\mimikatz.exe"
        OR Image LIKE "%\\rubeus.exe"
        OR match(CommandLine, "kerberos::golden")
        OR match(CommandLine, "kerberos::silver")
        OR match(CommandLine, "kerberos::ptt")
        OR match(CommandLine, "kerberos::purge")
        OR match(CommandLine, "golden\s+/rc4:")
        OR match(CommandLine, "golden\s+/aes256:")
        OR match(CommandLine, "ptt\s+/ticket:")
        OR match(CommandLine, "sekurlsa::krbtgt")
    | eval DetectionType="GoldenTicket_ToolExecution"
    | eval ToolIndicator=case(
        match(CommandLine, "kerberos::golden"), "Mimikatz_kerberos::golden",
        match(CommandLine, "kerberos::silver"), "Mimikatz_kerberos::silver",
        match(CommandLine, "kerberos::ptt"),   "Mimikatz_Pass-the-Ticket",
        match(CommandLine, "golden\s+/rc4:"),  "Rubeus_golden_RC4",
        match(CommandLine, "golden\s+/aes256:"), "Rubeus_golden_AES256",
        match(CommandLine, "ptt\s+/ticket:"),  "Rubeus_PTT",
        Image LIKE "%mimikatz.exe",            "Mimikatz_binary",
        Image LIKE "%rubeus.exe",              "Rubeus_binary",
        1=1, "Unknown_KerberosTool"
    )
    | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine, DetectionType, ToolIndicator]
| sort - _time

critical severity high confidence

Data Sources

Windows Security Event Log — Event ID 4769 (Kerberos Service Ticket Request) Process: Process Creation Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legacy applications and services using RC4 Kerberos encryption legitimately — validate against known service account inventory before tuning out
Authorized penetration tests using Mimikatz or Rubeus — correlate against scheduled assessment windows and pentest tracking records
Security tooling that inspects Kerberos ticket state using Mimikatz kerberos::list in read-only mode without ticket forgery

Elastic Security (EQL)

eql

sequence by host.name with maxspan=5m
  [process where event.type == "start" and
   (process.name : ("mimikatz.exe", "rubeus.exe") or
    process.args : ("kerberos::golden", "kerberos::silver", "kerberos::ptt", "kerberos::purge", "sekurlsa::krbtgt", "/ptt", "/rc4:", "/aes256:", "/ticket:", "/sid:") or
    process.command_line : ("*golden /rc4:*", "*golden /aes256:*", "*golden /aes128:*", "*golden /des:*", "*silver /rc4:*", "*silver /aes256:*", "*ptt /ticket:*", "*asktgt /user:*"))]
| any where event.code == "4769" and
    winlog.event_data.TicketEncryptionType == "0x17" and
    winlog.event_data.Status == "0x0" and
    not winlog.event_data.ServiceName : ("*$", "krbtgt", "kadmin/changepw") and
    not winlog.event_data.IpAddress : ("::1", "127.0.0.1", "-")

// Standalone RC4 TGS anomaly — no tool execution required
OR

any where event.code == "4769" and
  winlog.event_data.TicketEncryptionType == "0x17" and
  winlog.event_data.Status == "0x0" and
  not winlog.event_data.ServiceName : ("*$", "krbtgt", "kadmin/changepw") and
  not winlog.event_data.IpAddress : ("::1", "127.0.0.1", "-")

// Standalone tool execution
OR

process where event.type == "start" and
  (process.name : ("mimikatz.exe", "rubeus.exe") or
   process.command_line : ("*kerberos::golden*", "*kerberos::silver*", "*kerberos::ptt*", "*golden /rc4:*", "*golden /aes256:*", "*ptt /ticket:*", "*sekurlsa::krbtgt*"))

critical severity high confidence

Data Sources

Windows Security Event Log (Event ID 4769) Sysmon Process Create (Event ID 1) Windows Security Event Log Process Create (Event ID 4688) Elastic Endpoint Security

Required Tables

logs-endpoint.events.process-* logs-system.security-* winlogbeat-* filebeat-*

False Positives

Legacy applications or services that are explicitly configured to use RC4-HMAC Kerberos encryption rather than AES — common in older Windows Server environments or mixed-version domains
Penetration testing or red team exercises using Mimikatz or Rubeus in authorized engagements — coordinate with security team on scheduled testing windows
Security tooling that enumerates or tests Kerberos configurations (e.g., BloodHound, PingCastle) may generate RC4 TGS requests as part of reconnaissance

IBM QRadar (AQL)

sql

-- Component 1: Golden Ticket tool execution via Sysmon Event ID 1
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
    sourceip AS SourceIP,
    username AS AccountName,
    "hostname" AS HostName,
    QIDNAME(qid) AS EventName,
    "Process Name" AS ProcessName,
    "Command Line" AS CommandLine,
    'GoldenTicket_ToolExecution' AS DetectionType,
    CASE
        WHEN LOWER("Command Line") LIKE '%kerberos::golden%' THEN 'Mimikatz_kerberos::golden'
        WHEN LOWER("Command Line") LIKE '%kerberos::silver%' THEN 'Mimikatz_kerberos::silver'
        WHEN LOWER("Command Line") LIKE '%kerberos::ptt%' THEN 'Mimikatz_Pass-the-Ticket'
        WHEN LOWER("Command Line") LIKE '%golden /rc4:%' THEN 'Rubeus_golden_RC4'
        WHEN LOWER("Command Line") LIKE '%golden /aes256:%' THEN 'Rubeus_golden_AES256'
        WHEN LOWER("Command Line") LIKE '%ptt /ticket:%' THEN 'Rubeus_PTT'
        WHEN LOWER("Process Name") LIKE '%mimikatz.exe' THEN 'Mimikatz_binary'
        WHEN LOWER("Process Name") LIKE '%rubeus.exe' THEN 'Rubeus_binary'
        ELSE 'Unknown_KerberosTool'
    END AS ToolIndicator
FROM events
WHERE LOGSOURCETYPEID = 12 -- Microsoft Windows Security Event Log
    AND devicetype = 12
    AND LONG("Event ID") = 1  -- Sysmon Process Create
    AND (
        LOWER("Process Name") LIKE '%mimikatz.exe'
        OR LOWER("Process Name") LIKE '%rubeus.exe'
        OR LOWER("Command Line") LIKE '%kerberos::golden%'
        OR LOWER("Command Line") LIKE '%kerberos::silver%'
        OR LOWER("Command Line") LIKE '%kerberos::ptt%'
        OR LOWER("Command Line") LIKE '%kerberos::purge%'
        OR LOWER("Command Line") LIKE '%sekurlsa::krbtgt%'
        OR LOWER("Command Line") LIKE '%golden /rc4:%'
        OR LOWER("Command Line") LIKE '%golden /aes256:%'
        OR LOWER("Command Line") LIKE '%golden /aes128:%'
        OR LOWER("Command Line") LIKE '%ptt /ticket:%'
        OR LOWER("Command Line") LIKE '%asktgt /user:%'
    )
    AND starttime > NOW() - 86400000  -- Last 24 hours in milliseconds

UNION ALL

-- Component 2: Kerberos TGS requests with RC4-HMAC encryption (Event ID 4769)
SELECT
    DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
    sourceip AS SourceIP,
    username AS AccountName,
    "hostname" AS HostName,
    QIDNAME(qid) AS EventName,
    "Service Name" AS ServiceName,
    "Ticket Encryption Type" AS TicketEncryptionType,
    'GoldenTicket_KerberosRC4Encryption' AS DetectionType,
    'RC4-HMAC_TGS_Request' AS ToolIndicator
FROM events
WHERE LOGSOURCETYPEID = 12
    AND LONG("Event ID") = 4769  -- Kerberos Service Ticket Operations
    AND "Ticket Encryption Type" = '0x17'  -- RC4-HMAC
    AND "Result Code" = '0x0'  -- Success
    AND "Service Name" NOT LIKE '%$'
    AND "Service Name" NOT IN ('krbtgt', 'kadmin/changepw')
    AND sourceip NOT IN ('::1', '127.0.0.1', '-')
    AND starttime > NOW() - 86400000
ORDER BY EventTime DESC

critical severity high confidence

Data Sources

Microsoft Windows Security Event Log (QRadar DSM) Microsoft Windows Sysmon (via WinCollect or Universal DSM) IBM QRadar Log Source: Windows

Required Tables

events

False Positives

Domains with legacy applications requiring RC4-HMAC Kerberos encryption will generate large volumes of Event 4769 with 0x17 encryption — establish a baseline of normal RC4 service accounts before alerting
IT administrators running authorized Mimikatz or Rubeus builds for credential auditing or Kerberos testing in lab environments connected to the same QRadar instance
Some backup agents and third-party identity management tools enumerate Kerberos tickets and may spawn processes with Kerberos-related command-line flags resembling golden ticket tool syntax

Sumo Logic CSE

sql

// Component 1: Tool execution — Sysmon Event ID 1 via Sumo Logic
(_sourceCategory="windows/sysmon" OR _sourceCategory="*sysmon*")
| parse "<EventID>*</EventID>" as EventID
| where EventID = "1"
| parse "<Image>*</Image>" as ProcessImage
| parse "<CommandLine>*</CommandLine>" as CommandLine
| parse "<ParentImage>*</ParentImage>" as ParentImage
| parse "<ParentCommandLine>*</ParentCommandLine>" as ParentCommandLine
| parse "<User>*</User>" as UserAccount
| parse "<Computer>*</Computer>" as HostName
| where (
    toLowerCase(ProcessImage) matches "*\\mimikatz.exe"
    or toLowerCase(ProcessImage) matches "*\\rubeus.exe"
    or toLowerCase(CommandLine) matches "*kerberos::golden*"
    or toLowerCase(CommandLine) matches "*kerberos::silver*"
    or toLowerCase(CommandLine) matches "*kerberos::ptt*"
    or toLowerCase(CommandLine) matches "*kerberos::purge*"
    or toLowerCase(CommandLine) matches "*sekurlsa::krbtgt*"
    or toLowerCase(CommandLine) matches "*golden /rc4:*"
    or toLowerCase(CommandLine) matches "*golden /aes256:*"
    or toLowerCase(CommandLine) matches "*golden /aes128:*"
    or toLowerCase(CommandLine) matches "*ptt /ticket:*"
    or toLowerCase(CommandLine) matches "*asktgt /user:*"
)
| eval DetectionType = "GoldenTicket_ToolExecution"
| eval ToolIndicator = if(toLowerCase(CommandLine) matches "*kerberos::golden*", "Mimikatz_kerberos::golden",
    if(toLowerCase(CommandLine) matches "*kerberos::silver*", "Mimikatz_kerberos::silver",
    if(toLowerCase(CommandLine) matches "*kerberos::ptt*", "Mimikatz_Pass-the-Ticket",
    if(toLowerCase(CommandLine) matches "*golden /rc4:*", "Rubeus_golden_RC4",
    if(toLowerCase(CommandLine) matches "*golden /aes256:*", "Rubeus_golden_AES256",
    if(toLowerCase(CommandLine) matches "*ptt /ticket:*", "Rubeus_PTT",
    if(toLowerCase(ProcessImage) matches "*mimikatz.exe", "Mimikatz_binary",
    if(toLowerCase(ProcessImage) matches "*rubeus.exe", "Rubeus_binary",
    "Unknown_KerberosTool"))))))))
| fields _messageTime, HostName, UserAccount, ProcessImage, CommandLine, ParentImage, DetectionType, ToolIndicator

// Run separately — Component 2: RC4 Kerberos TGS requests (Event ID 4769)
(_sourceCategory="windows/security" OR _sourceCategory="*WinEventLog*Security*")
| parse "EventCode=*" as EventCode
| where EventCode = "4769"
| parse "Service Name:\t*\n" as ServiceName
| parse "Ticket Encryption Type:\t*\n" as TicketEncryptionType
| parse "Client Address:\t*\n" as ClientAddress
| parse "Result Code:\t*\n" as Status
| where TicketEncryptionType = "0x17"
| where Status = "0x0"
| where !(ServiceName matches "*$")
| where !(ServiceName = "krbtgt" or ServiceName = "kadmin/changepw")
| where !(ClientAddress = "::1" or ClientAddress = "127.0.0.1" or ClientAddress = "-")
| eval DetectionType = "GoldenTicket_KerberosRC4Encryption"
| eval ToolIndicator = "RC4-HMAC_TGS_Request"
| fields _messageTime, _sourceHost, ServiceName, ClientAddress, TicketEncryptionType, DetectionType, ToolIndicator
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Security Event Log via Sumo Logic Installed Collector Sysmon Operational Log via Sumo Logic Installed Collector Sumo Logic Cloud SIEM Enterprise normalized events

Required Tables

_sourceCategory=windows/sysmon _sourceCategory=windows/security

False Positives

Environments with a significant number of Windows XP, Server 2003, or other legacy systems that cannot negotiate AES Kerberos will generate constant RC4 TGS requests — segment these by source host and exclude known legacy assets
Third-party Kerberos implementations (Samba, MIT Kerberos on Linux) may request RC4 tickets by default when interoperating with Active Directory domains that have not disabled RC4
Security awareness or red team toolkits bundled with corporate endpoint security testing suites may include Mimikatz or Rubeus binaries that trigger tool execution alerts during scheduled tests

Google Chronicle / SecOps

yaral

rule golden_ticket_detection {
  meta:
    author = "Detection Engineering"
    description = "Detects Golden Ticket attacks via Mimikatz/Rubeus tool execution and RC4-HMAC Kerberos TGS anomalies (T1558.001)"
    severity = "CRITICAL"
    priority = "HIGH"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558.001"
    reference = "https://attack.mitre.org/techniques/T1558/001/"
    version = "1.0"

  events:
    // Signal A: Golden ticket tool execution — Mimikatz or Rubeus
    (
      $e1.metadata.event_type = "PROCESS_LAUNCH"
      and $e1.principal.hostname = $hostname
      and (
        re.regex($e1.target.process.file.full_path, `(?i)(\\|/)mimikatz\.exe$`)
        or re.regex($e1.target.process.file.full_path, `(?i)(\\|/)rubeus\.exe$`)
        or re.regex($e1.target.process.command_line, `(?i)kerberos::golden`)
        or re.regex($e1.target.process.command_line, `(?i)kerberos::silver`)
        or re.regex($e1.target.process.command_line, `(?i)kerberos::ptt`)
        or re.regex($e1.target.process.command_line, `(?i)kerberos::purge`)
        or re.regex($e1.target.process.command_line, `(?i)sekurlsa::krbtgt`)
        or re.regex($e1.target.process.command_line, `(?i)golden\s+/rc4:`)
        or re.regex($e1.target.process.command_line, `(?i)golden\s+/aes256:`)
        or re.regex($e1.target.process.command_line, `(?i)golden\s+/aes128:`)
        or re.regex($e1.target.process.command_line, `(?i)ptt\s+/ticket:`)
        or re.regex($e1.target.process.command_line, `(?i)asktgt\s+/user:`)
      )
    )
    or
    // Signal B: RC4-HMAC Kerberos TGS request (Event 4769 equivalent)
    (
      $e1.metadata.event_type = "NETWORK_CONNECTION"
      and $e1.principal.hostname = $hostname
      and $e1.network.application_protocol = "KERBEROS"
      and $e1.network.session_id != ""
      and re.regex($e1.network.tls.cipher, `(?i)rc4`)
    )
    or
    // Signal B (UDM auth event path for Chronicle-normalized Kerberos)
    (
      $e1.metadata.event_type = "USER_UNCATEGORIZED"
      and $e1.principal.hostname = $hostname
      and $e1.metadata.product_event_type = "4769"
      and $e1.extensions.auth.mechanism = "KERBEROS"
      and $e1.network.application_protocol = "KERBEROS"
      // RC4-HMAC indicated via metadata label
      and "0x17" in $e1.additional.fields["TicketEncryptionType"]
      and not re.regex($e1.target.user.userid, `.*\$$`)
      and $e1.target.user.userid != "krbtgt"
    )

  condition:
    $e1
}

critical severity medium confidence

Data Sources

Google Chronicle UDM (Unified Data Model) Windows Event Logs ingested via Chronicle forwarder Endpoint Detection (EDR) via Chronicle integration Chronicle SIEM Kerberos normalization

Required Tables

UDM events (Chronicle normalized) PROCESS_LAUNCH event type USER_UNCATEGORIZED event type (for Windows Security Events) NETWORK_CONNECTION event type

False Positives

Environments not yet fully migrated to AES Kerberos encryption will produce high volumes of RC4 TGS requests — tune by excluding known service accounts and hosts configured for RC4 via GPO
Red team and penetration testing toolkits legitimately executing Mimikatz or Rubeus during authorized assessments — coordinate with red team scheduling and add suppression rules for known test host ranges
Some enterprise single-sign-on products and third-party authentication middleware request RC4 Kerberos tickets for compatibility — identify and baseline these before alerting

CrowdStrike LogScale (CQL)

cql

// Component 1: Golden Ticket tool execution — CrowdStrike Falcon ProcessRollup2
#event_simpleName = "ProcessRollup2"
| CommandLine = /(?i)(kerberos::golden|kerberos::silver|kerberos::ptt|kerberos::purge|sekurlsa::krbtgt|golden\s+\/rc4:|golden\s+\/aes256:|golden\s+\/aes128:|golden\s+\/des:|silver\s+\/rc4:|silver\s+\/aes256:|ptt\s+\/ticket:|asktgt\s+\/user:)/
    OR ImageFileName = /(?i)(\\mimikatz\.exe|\\rubeus\.exe)$/
| ToolIndicator := case {
    CommandLine = /(?i)kerberos::golden/ => "Mimikatz_kerberos::golden";
    CommandLine = /(?i)kerberos::silver/ => "Mimikatz_kerberos::silver";
    CommandLine = /(?i)kerberos::ptt/ => "Mimikatz_Pass-the-Ticket";
    CommandLine = /(?i)golden\s+\/rc4:/ => "Rubeus_golden_RC4";
    CommandLine = /(?i)golden\s+\/aes256:/ => "Rubeus_golden_AES256";
    CommandLine = /(?i)ptt\s+\/ticket:/ => "Rubeus_PTT";
    ImageFileName = /(?i)mimikatz\.exe$/ => "Mimikatz_binary";
    ImageFileName = /(?i)rubeus\.exe$/ => "Rubeus_binary";
    * => "Unknown_KerberosTool"
}
| DetectionType := "GoldenTicket_ToolExecution"
| table([_timeParsed, ComputerName, UserName, ImageFileName, CommandLine, ParentBaseFileName, ToolIndicator, DetectionType])
| sort(field=_timeParsed, order=desc)

// Component 2: RC4-HMAC Kerberos TGS requests — correlate with KerberosServiceTicketRequested if available
// CrowdStrike Falcon does not natively expose Event 4769 directly; use the following for environments
// where Windows event forwarding feeds into LogScale alongside Falcon telemetry:

// If ingesting Windows Security events into LogScale:
#event_simpleName = "WindowsSecurityEvent"
| EventCode = "4769"
| TicketEncryptionType = "0x17"
| Status = "0x0"
| ServiceName != /.*\$$/ // Exclude machine accounts
| ServiceName != "krbtgt"
| ServiceName != "kadmin/changepw"
| IpAddress != /^(::1|127\.0\.0\.1|-)$/
| DetectionType := "GoldenTicket_KerberosRC4Encryption"
| ToolIndicator := "RC4-HMAC_TGS_Request"
| table([_timeParsed, ComputerName, AccountName, ServiceName, IpAddress, TicketEncryptionType, DetectionType, ToolIndicator])
| sort(field=_timeParsed, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) CrowdStrike Falcon Complete / Insight Windows Security Event Log forwarded to LogScale (for Event 4769) CrowdStrike Humio / LogScale SIEM

Required Tables

ProcessRollup2 WindowsSecurityEvent (if forwarded)

False Positives

Falcon sensors on hosts running authorized red team tooling will generate ProcessRollup2 alerts for legitimate Mimikatz or Rubeus executions — use CrowdStrike's detection exclusion policies for approved testing hosts during scheduled exercises
RC4-HMAC TGS events (Event 4769) will be generated by older Windows workstations, printers, and embedded systems that have not been configured to negotiate AES Kerberos — build exclusion lists based on asset inventory of legacy systems
Security research VMs or sandboxes on the corporate network that execute malware samples containing Mimikatz may generate tool execution detections — segregate research infrastructure and apply sensor policy exclusions to known analysis hosts

Last updated: 2026-04-13 Research depth: deep

References (11)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1558.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1558Steal or Forge Kerberos Tickets

Related Sub-techniques

T1558.002Silver Ticket T1558.003Kerberoasting T1558.004AS-REP Roasting T1558.005Ccache Files

Golden Ticket

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections