Detect Golden Ticket in IBM QRadar
Adversaries who have obtained the KRBTGT account's Kerberos key (its NT hash or AES key) can forge Kerberos ticket-granting tickets (TGTs), known as golden tickets. A golden ticket lets the adversary mint authentication material for any account in Active Directory with arbitrary group memberships, privilege levels and ticket lifetimes, including accounts that do not exist. The KRBTGT key is typically obtained by OS Credential Dumping against a domain controller (DCSync, or a direct LSASS dump on the DC itself). Mimikatz (kerberos::golden), Rubeus (golden /rc4: or /aes256:) and Impacket's ticketer.py build the forged TGT locally without ever contacting the KDC, and C2 frameworks such as Empire and Sliver wrap the same tooling. The forged ticket is then injected into a logon session (Pass-the-Ticket) and used to request service tickets (TGS) for any resource in the domain. Golden tickets are highly persistent: they stay valid until the KRBTGT password has been reset twice (the DC keeps the previous key so tickets in flight keep working), and the attacker can regenerate them at will for as long as the KRBTGT key is known.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1558 Steal or Forge Kerberos Tickets
- Sub-technique
- T1558.001 Golden Ticket
- Canonical reference
- https://attack.mitre.org/techniques/T1558/001/
QRadar Detection Query
AQL has no UNION operator, so the two components below are two separate searches (or two rules contributing to one offense). They share the same nine output columns so results can be reviewed side by side.
-- Component 1: Golden Ticket tool execution via Sysmon Event ID 1
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS SourceIP,
username AS AccountName,
"hostname" AS HostName,
QIDNAME(qid) AS EventName,
"Process Name" AS ProcessName,
"Command Line" AS CommandLine,
'GoldenTicket_ToolExecution' AS DetectionType,
CASE
WHEN LOWER("Command Line") LIKE '%kerberos::golden%' THEN 'Mimikatz_kerberos::golden'
WHEN LOWER("Command Line") LIKE '%kerberos::silver%' THEN 'Mimikatz_kerberos::silver'
WHEN LOWER("Command Line") LIKE '%kerberos::ptt%' THEN 'Mimikatz_Pass-the-Ticket'
WHEN LOWER("Command Line") LIKE '%kerberos::purge%' THEN 'Mimikatz_kerberos::purge'
WHEN LOWER("Command Line") LIKE '%sekurlsa::krbtgt%' THEN 'Mimikatz_sekurlsa::krbtgt'
WHEN LOWER("Command Line") LIKE '%golden /rc4:%' THEN 'Rubeus_golden_RC4'
WHEN LOWER("Command Line") LIKE '%golden /aes256:%' THEN 'Rubeus_golden_AES256'
WHEN LOWER("Command Line") LIKE '%golden /aes128:%' THEN 'Rubeus_golden_AES128'
WHEN LOWER("Command Line") LIKE '%ptt /ticket:%' THEN 'Rubeus_PTT'
WHEN LOWER("Command Line") LIKE '%asktgt /user:%' THEN 'Rubeus_asktgt'
WHEN LOWER("Process Name") LIKE '%mimikatz.exe' THEN 'Mimikatz_binary'
WHEN LOWER("Process Name") LIKE '%rubeus.exe' THEN 'Rubeus_binary'
ELSE 'Unknown_KerberosTool'
END AS ToolIndicator
FROM events
WHERE LOGSOURCETYPEID = 12 -- Microsoft Windows Security Event Log DSM (Sysmon forwarded through WinCollect lands here)
AND LONG("EventID") = 1 -- Sysmon Process Create
AND (
LOWER("Process Name") LIKE '%mimikatz.exe'
OR LOWER("Process Name") LIKE '%rubeus.exe'
OR LOWER("Command Line") LIKE '%kerberos::golden%'
OR LOWER("Command Line") LIKE '%kerberos::silver%'
OR LOWER("Command Line") LIKE '%kerberos::ptt%'
OR LOWER("Command Line") LIKE '%kerberos::purge%'
OR LOWER("Command Line") LIKE '%sekurlsa::krbtgt%'
OR LOWER("Command Line") LIKE '%golden /rc4:%'
OR LOWER("Command Line") LIKE '%golden /aes256:%'
OR LOWER("Command Line") LIKE '%golden /aes128:%'
OR LOWER("Command Line") LIKE '%ptt /ticket:%'
OR LOWER("Command Line") LIKE '%asktgt /user:%'
)
ORDER BY EventTime DESC
LAST 24 HOURS
-- Component 2: Kerberos TGS requests issued with RC4-HMAC encryption (Event ID 4769)
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS SourceIP,
username AS AccountName,
"hostname" AS HostName,
QIDNAME(qid) AS EventName,
"Service Name" AS ServiceName,
"Ticket Encryption Type" AS TicketEncryptionType,
'GoldenTicket_KerberosRC4Encryption' AS DetectionType,
'RC4-HMAC_TGS_Request' AS ToolIndicator
FROM events
WHERE LOGSOURCETYPEID = 12
AND LONG("EventID") = 4769 -- Kerberos Service Ticket Operations
AND "Ticket Encryption Type" = '0x17' -- RC4-HMAC
AND "Result Code" = '0x0' -- Success
AND "Service Name" NOT LIKE '%$' -- machine accounts
AND "Service Name" NOT IN ('krbtgt', 'kadmin/changepw') -- TGT renewals and password changes
AND sourceip NOT IN ('::1', '127.0.0.1')
ORDER BY EventTime DESC
LAST 24 HOURS
Component 1 matches Sysmon process-creation events whose image or command line carries known Mimikatz or Rubeus golden-ticket, silver-ticket and pass-the-ticket syntax. Component 2 lists successful Event 4769 service-ticket requests issued with RC4-HMAC (0x17), the encryption type golden-ticket tooling uses by default when it is fed an NT hash. Both cover the last 24 hours and exclude machine accounts, the krbtgt and kadmin/changepw services, and loopback addresses to cut noise. "EventID", "Process Name", "Command Line", "Service Name", "Ticket Encryption Type" and "Result Code" are custom event properties; confirm the names match those defined in your deployment before saving the searches, and note that the DATEFORMAT pattern uses lower-case yyyy (Java week-year YYYY gives wrong dates around the new year).
Data Sources
- Sysmon Event ID 1 (Process Create) from endpoints, ingested through the Microsoft Windows Security Event Log DSM, for Component 1
- Windows Security Event ID 4769 (Kerberos service ticket operations) from every domain controller, for Component 2; Event ID 4768 from the same DCs is needed for the TGS-without-TGT correlation described under Testing Methodology
Required Tables
- events
False Positives & Tuning
- Domains with legacy applications that still require RC4-HMAC will produce large volumes of Event 4769 with encryption type 0x17; baseline which service accounts normally receive RC4 tickets before alerting on Component 2, and prefer to run it as a hunting query rather than a paging rule
- The 4769 "Ticket Encryption Type" field describes the service ticket the KDC issued, which follows the target service account's supported encryption types, so 0x17 here is also the classic Kerberoasting signal rather than proof of a forged TGT; a golden ticket built from an AES256 key (Rubeus golden /aes256:, Mimikatz /aes256:) leaves no RC4 trace at all. The stronger signal is a successful 4769 for a user account with no successful 4768 from the same client IP within the TGT lifetime (10 hours by default); that correlation needs 4768 and 4769 from every DC, because the two exchanges are often served by different DCs
- Component 1 only sees a new process. Rubeus or Mimikatz loaded in memory through a C2 framework (execute-assembly, reflective loading), or a renamed binary driven interactively so the commands are typed at its prompt, produces no Sysmon Event 1 containing these strings; pair it with the DC-side correlation above and with parent-process review
- IT administrators running authorized Mimikatz or Rubeus builds for credential auditing or Kerberos testing in lab environments connected to the same QRadar instance
- Some backup agents and third-party identity management tools enumerate Kerberos tickets and may spawn processes with Kerberos-related command-line flags that resemble golden ticket tool syntax; confirm the parent process and code-signing publisher before adding an exclusion
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: Mimikatz Golden Ticket Creation and Pass-the-Ticket
Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe and CommandLine containing 'kerberos::golden' (only when the command is passed as an argument; typed at the mimikatz prompt it never reaches Sysmon). Windows Security Event 4769 on the DC: TGS requests with TicketEncryptionType=0x17 from the test machine after ticket injection. No corresponding Event 4768 (TGT request) for GoldenUser from the test machine IP, because the TGT was forged locally. Do not expect Sysmon Event ID 10 (ProcessAccess on lsass.exe) from the /ptt step itself: ticket injection goes through the LSA authentication package API rather than a process handle, so Event 10 appears only if the test also dumps the KRBTGT key from LSASS.
- Test 2: Rubeus Golden Ticket Generation with AES256
Expected signal: Sysmon Event ID 1: Process Create with Image=Rubeus.exe and CommandLine containing 'golden /aes256:'. Windows Security Event 4769 on the DC after ticket use with TicketEncryptionType=0x12 (AES256-CTS-HMAC-SHA1-96). This variant does NOT trigger the RC4 detector, which is why the TGS-without-TGT hunt and the process-execution detector are needed as complementary layers. No Event 4768 from the test machine for GoldenUser.
- Test 3: Mimikatz kerberos::list, Inspect Existing Kerberos Tickets
Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe and CommandLine containing 'kerberos::list'. Sysmon Event ID 11: file creation of .kirbi ticket files in the current directory, but only when the command is run with /export. No Kerberos events on the DC, since this only reads the local ticket cache.
- Test 4: Impacket ticketer.py Golden Ticket (Linux/Windows)
Expected signal: Linux syslog/auditd: process execution of python3 with ticketer.py arguments including '-nthash' and '-domain-sid'. On the target Windows DC, Security Event 4769 with TicketEncryptionType=0x17 (RC4) when the golden ticket is used to authenticate, and notably NO preceding Event 4768 from the Linux host's IP. Network: Kerberos (TCP/UDP port 88) traffic from the Linux attacker IP to the DC for the TGS requests.
References (11)
- https://attack.mitre.org/techniques/T1558/001/
- https://adsecurity.org/?p=1640
- https://adsecurity.org/?p=1515
- https://adsecurity.org/?p=483
- https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- https://github.com/GhostPack/Rubeus
- https://github.com/gentilkiwi/mimikatz/wiki/module-~-kerberos
- https://www.microsoft.com/en-us/security/blog/2022/10/05/detecting-and-mitigating-active-directory-compromises/
- https://learn.microsoft.com/en-us/defender-for-identity/understanding-lateral-movement-alerts
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.001/T1558.001.md