T1558.001 Microsoft Sentinel · KQL

Detect Golden Ticket in Microsoft Sentinel

Adversaries who have obtained the KRBTGT account password hash may forge Kerberos ticket-granting tickets (TGT), known as golden tickets. Golden tickets enable adversaries to generate authentication material for any account in Active Directory with arbitrary group memberships, privilege levels, and ticket lifetimes — including non-existent accounts. The KRBTGT hash is typically obtained via OS Credential Dumping (DCSync or direct LSASS dump) against a domain controller. Tools including Mimikatz (kerberos::golden), Rubeus (golden /rc4: or /aes256:), Impacket ticketer.py, and the Empire/Sliver frameworks can generate forged TGTs locally without contacting the KDC. The forged ticket is then injected into memory (Pass-the-Ticket) and used to request Kerberos Service Tickets (TGS) for any resource in the domain. Golden tickets are highly persistent: they remain valid until the KRBTGT password is reset twice, and the attacker can regenerate them at will as long as the KRBTGT hash is known.

MITRE ATT&CK

Tactic
Credential Access
Technique
T1558 Steal or Forge Kerberos Tickets
Sub-technique
T1558.001 Golden Ticket
Canonical reference
https://attack.mitre.org/techniques/T1558/001/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
// Golden Ticket Detection — Tool execution and Kerberos encryption anomaly signals
let LookbackPeriod = 24h;
let MimikatzGoldenPatterns = dynamic([
    "kerberos::golden", "kerberos::silver", "kerberos::ptt",
    "kerberos::purge", "kerberos::list", "sekurlsa::krbtgt",
    "/ptt", "/rc4:", "/aes256:", "/ticket:", "/sid:"
]);
let RubeusGoldenPatterns = dynamic([
    "golden /rc4:", "golden /aes128:", "golden /aes256:",
    "golden /des:", "silver /rc4:", "silver /aes256:",
    "ptt /ticket:", "asktgt /user:"
]);
// Component 1: Golden ticket tool execution (Mimikatz, Rubeus)
let ToolExecution = DeviceProcessEvents
| where Timestamp > ago(LookbackPeriod)
| where FileName =~ "mimikatz.exe"
    or FileName =~ "rubeus.exe"
    or ProcessCommandLine has "kerberos::golden"
    or ProcessCommandLine has "kerberos::silver"
    or ProcessCommandLine has_any (MimikatzGoldenPatterns)
    or ProcessCommandLine has_any (RubeusGoldenPatterns)
| extend DetectionType = "GoldenTicket_ToolExecution"
| extend ToolIndicator = case(
    ProcessCommandLine has "kerberos::golden", "Mimikatz_kerberos::golden",
    ProcessCommandLine has "kerberos::silver", "Mimikatz_kerberos::silver",
    ProcessCommandLine has "kerberos::ptt",   "Mimikatz_Pass-the-Ticket",
    ProcessCommandLine has "golden /rc4:",     "Rubeus_golden_RC4",
    ProcessCommandLine has "golden /aes256:",  "Rubeus_golden_AES256",
    ProcessCommandLine has "ptt /ticket:",     "Rubeus_PTT",
    FileName =~ "mimikatz.exe",               "Mimikatz_binary",
    FileName =~ "rubeus.exe",                 "Rubeus_binary",
    "Unknown_KerberosTool"
)
| project
    Timestamp,
    DeviceName,
    AccountName,
    FileName,
    ProcessCommandLine,
    InitiatingProcessFileName,
    InitiatingProcessCommandLine,
    DetectionType,
    ToolIndicator;
// Component 2: Kerberos TGS requests using RC4-HMAC encryption (Event 4769)
// In environments with AES enforcement, RC4 (0x17) ticket requests indicate forged tickets
// Golden tickets default to RC4 when attacker only has NT hash, not AES key
let KerberosRC4 = SecurityEvent
| where TimeGenerated > ago(LookbackPeriod)
| where EventID == 4769
| parse EventData with * 'ServiceName">' ServiceName '<' *
| parse EventData with * 'TicketEncryptionType">' TicketEncryptionType '<' *
| parse EventData with * 'IpAddress">' ClientAddress '<' *
| parse EventData with * 'Status">' TicketStatus '<' *
| where TicketEncryptionType =~ "0x17"          // RC4-HMAC — golden ticket default
| where TicketStatus =~ "0x0"                   // Successful requests only
| where ServiceName !endswith "$"               // Exclude machine account TGS requests
| where ServiceName !in~ ("krbtgt", "kadmin/changepw") // Exclude KDC internal
| where ClientAddress !in ("::1", "127.0.0.1", "-")
| extend DetectionType = "GoldenTicket_KerberosRC4Encryption"
| extend ToolIndicator = "RC4-HMAC_TGS_Request"
| project
    Timestamp = TimeGenerated,
    DeviceName = Computer,
    AccountName = Account,
    ServiceName,
    ClientAddress,
    TicketEncryptionType,
    DetectionType,
    ToolIndicator;
union ToolExecution, KerberosRC4
| sort by Timestamp desc
critical severity high confidence

Detects Golden Ticket attacks via two complementary signals united in a single result set. Component 1 monitors DeviceProcessEvents for execution of known golden ticket generation tools: Mimikatz kerberos::golden / kerberos::silver / kerberos::ptt commands and Rubeus golden / silver / ptt subcommands. Component 2 monitors Windows Security Event 4769 (Kerberos Service Ticket requests) for RC4-HMAC encrypted tickets (TicketEncryptionType 0x17). In environments with AES Kerberos enforcement, RC4 TGS requests are a high-fidelity indicator of forged golden tickets — attackers who obtain only the NTLM (RC4) KRBTGT hash forge tickets using RC4 even when the domain enforces AES, causing a detectable encryption downgrade at the KDC. The parse statements extract structured fields from the EventData XML for targeted filtering.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for EndpointWindows Security Event Log — Event ID 4769 (Kerberos Service Ticket Request)

Required Tables

DeviceProcessEventsSecurityEvent

False Positives & Tuning

  • Legacy applications, services, and printers that do not support AES Kerberos and legitimately request RC4-encrypted TGS tickets (Event 4769 TicketEncryptionType 0x17) — common with older SQL Server service accounts, legacy IIS application pools, and SMB shares on Windows Server 2008
  • Authorized penetration testing or red team exercises using Mimikatz or Rubeus under a signed rules of engagement — verify against change management records and pentest scheduling windows
  • Security operations tooling that monitors Kerberos ticket state using Mimikatz kerberos::list for read-only inspection without ticket forgery
  • IT provisioning scripts or identity governance tools that interact with Kerberos ticket handling on admin workstations
Download portable Sigma rule (.yml)

Other platforms for T1558.001

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Mimikatz Golden Ticket Creation and Pass-the-Ticket

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe and CommandLine containing 'kerberos::golden'. Sysmon Event ID 10: ProcessAccess targeting lsass.exe from mimikatz.exe (during /ptt injection). Windows Security Event 4769 on DC: TGS requests with TicketEncryptionType=0x17 from the test machine after ticket injection. No corresponding Event 4768 (TGT request) for GoldenUser from the test machine IP since the TGT was forged locally.

  2. Test 2Rubeus Golden Ticket Generation with AES256

    Expected signal: Sysmon Event ID 1: Process Create with Image=Rubeus.exe and CommandLine containing 'golden /aes256:'. Windows Security Event 4769 on DC after ticket use: TicketEncryptionType=0x12 (AES256-CTS-HMAC-SHA1-96) — NOTE: this variant does NOT trigger the RC4 detector, demonstrating the importance of the TGS-without-TGT hunt and process execution detection as complementary layers. No Event 4768 from the test machine for GoldenUser.

  3. Test 3Mimikatz kerberos::list — Inspect Existing Kerberos Tickets

    Expected signal: Sysmon Event ID 1: Process Create with Image=mimikatz.exe and CommandLine containing 'kerberos::list'. Sysmon Event ID 11: File creation events for .kirbi ticket files exported to the current directory. No Kerberos events on DC since this only reads the local ticket cache.

  4. Test 4Impacket ticketer.py Golden Ticket (Linux/Windows)

    Expected signal: Linux syslog/auditd: process execution of python3 with ticketer.py arguments including '-nthash' and '-domain-sid'. On the target Windows DC, Security Event 4769 with TicketEncryptionType=0x17 (RC4) when the golden ticket is used to authenticate, and notably NO preceding Event 4768 from the Linux host's IP. Network: Kerberos (UDP/TCP port 88) traffic from the Linux attacker IP to the DC for TGS requests.

Last updated: 2026-04-13 Research depth: deep
References (11)

Unlock Pro Content

Get the full detection package for T1558.001 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1558Steal or Forge Kerberos Tickets

Related Sub-techniques

T1558.002Silver TicketT1558.003KerberoastingT1558.004AS-REP RoastingT1558.005Ccache Files

Related Techniques

T1003OS Credential DumpingT1003.006DCSyncT1550.003Pass the TicketT1558Steal or Forge Kerberos TicketsT1558.002Silver TicketT1558.003KerberoastingT1078.002Domain AccountsT1059.001PowerShellT1484.001Group Policy Modification

Same Tactic: Credential Access

Popular Detections