Detects forged Kerberos Golden Tickets by correlating anomalous Kerberos ticket lifetimes, unexpected encryption types (e.g., RC4 in modern domains), malformed fields in logon/logoff events, and TGS requests without a preceding TGT request. Also monitors for abnormal patterns of access associated with elevated privileges across multiple systems.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4624, 4634, 4672, 4768, 4769 |
| Active Directory Credential Request (DC0084) | WinEventLog:Kerberos | EventCode=4769, 4768 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| TicketLifetimeThreshold | Kerberos TGT ticket lifetime exceeding default domain duration; tunable to environment-specific policies. |
| AllowedEncryptionTypes | Valid encryption algorithms for Kerberos tickets; anomalies (e.g., RC4) may indicate forgery. |
| PrivilegedAccountPatterns | Baseline of privileged accounts expected to perform Kerberos operations; deviations indicate suspicious activity. |
| ProcessAllowlist | Expected processes interacting with lsass.exe; deviations may indicate credential dumping. |
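The TGS-without-TGT correlation and the AllowedEncryptionTypes check from the tables above, run over a few constructed Security event records (added example, not part of the original strategy page; the field names follow the 4768/4769 event schema, the sample values and the `detect_golden_ticket` helper are assumptions). Ticket lifetime is not carried in these two event IDs, so that check is left to the TicketLifetimeThreshold tuning described above.

```python
"""Correlate 4768 (TGT) and 4769 (TGS) events to flag suspected Golden Ticket use."""

# Kerberos ticket encryption types as logged in TicketEncryptionType (hex strings).
RC4_HMAC = "0x17"
ALLOWED_ENCRYPTION_TYPES = {"0x11", "0x12"}  # AES128 / AES256; tune to the domain policy

# Constructed sample events (not real telemetry) shaped like parsed WinEventLog:Security records.
SAMPLE_EVENTS = [
    {"EventCode": 4768, "TargetUserName": "alice", "IpAddress": "10.0.0.5",
     "TicketEncryptionType": "0x12", "Time": 1},
    {"EventCode": 4769, "TargetUserName": "alice@CORP.LOCAL", "IpAddress": "10.0.0.5",
     "ServiceName": "cifs/fs01", "TicketEncryptionType": "0x12", "Time": 2},
    # Suspicious: TGS request using RC4 with no prior 4768 seen from this account/client.
    {"EventCode": 4769, "TargetUserName": "Administrator@CORP.LOCAL", "IpAddress": "10.0.0.99",
     "ServiceName": "cifs/dc01", "TicketEncryptionType": RC4_HMAC, "Time": 3},
]


def _account(name):
    """Normalise 'user@REALM' (4769) and bare 'user' (4768) to one comparable key."""
    return name.split("@")[0].lower()


def detect_golden_ticket(events, allowed_enc=ALLOWED_ENCRYPTION_TYPES):
    """Return one alert dict per 4769 event that lacks a preceding 4768 for the same
    account/client pair or that uses an encryption type outside the allow-list."""
    seen_tgt = set()   # (account, client ip) pairs that legitimately obtained a TGT
    alerts = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        key = (_account(ev["TargetUserName"]), ev["IpAddress"])
        if ev["EventCode"] == 4768:
            seen_tgt.add(key)
        elif ev["EventCode"] == 4769:
            reasons = []
            if key not in seen_tgt:
                reasons.append("TGS request without preceding TGT request")
            if ev["TicketEncryptionType"] not in allowed_enc:
                reasons.append(f"unexpected encryption type {ev['TicketEncryptionType']}")
            if reasons:
                alerts.append({"account": key[0], "client": key[1],
                               "service": ev["ServiceName"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_golden_ticket(SAMPLE_EVENTS):
        print(alert)
```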