[Bro] Finding Golden Tickets in Kerberos Logs

Jan Grashöfer jan.grashoefer at gmail.com
Mon Mar 5 02:28:16 PST 2018

On 27/02/18 20:49, brolist at vt.edu wrote:
> Does anyone have a reliable method to find Active Directory Golden or
> Silver Tickets in the Bro Kerberos logs? I was planning to look into doing
> this (maybe based partially on expiration) but wanted to ask the list
> first. I appreciate any advice.

Please correct me if I am wrong: Golden Tickts are generated using some 
special account and won't be sent to the "user" like normal TGTs. In 
that case, keeping track of the issued TGTs might allow to detect 
"self-generated" Golden Tickets. The same should apply for TGS in case 
of Silver Tickets.

As far as I know, expiration is usually quite high for Golden/Silver 
Tickets and thus can be used for detection. However, it should be easy 
for an attacker to adapt to default expiration times.


More information about the Bro mailing list