[Bro] Finding Golden Tickets in Kerberos Logs
jan.grashoefer at gmail.com
Mon Mar 5 02:28:16 PST 2018
On 27/02/18 20:49, brolist at vt.edu wrote:
> Does anyone have a reliable method to find Active Directory Golden or
> Silver Tickets in the Bro Kerberos logs? I was planning to look into doing
> this (maybe based partially on expiration) but wanted to ask the list
> first. I appreciate any advice.
Please correct me if I am wrong: Golden Tickets are generated using some
special account and won't be sent to the "user" like normal TGTs. In
that case, keeping track of the issued TGTs might allow detecting
"self-generated" Golden Tickets. The same should apply for TGS in case
of Silver Tickets.
As far as I know, expiration is usually quite high for Golden/Silver
Tickets and thus can be used for detection. However, it should be easy
for an attacker to adapt to default expiration times.
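The two heuristics suggested in the reply above (a TGS request from a client whose TGT issuance was never observed, and an unusually long ticket lifetime) as an added example that is not part of the original thread or of Bro itself. It is a Python script run over constructed kerberos.log lines; it assumes the Bro 2.5 kerberos.log field layout with `from` and `till` logged as epoch-second timestamps, and the 10-hour default ticket lifetime is an assumed tuning value, not something the list post states.

```python
"""Heuristics over Bro/Zeek kerberos.log records (added example, not Bro code).

  1. A TGS request for a client with no prior successful AS exchange seen:
     the TGT presented may never have been issued by the KDC.
  2. A ticket lifetime (till - from) far beyond the domain default.
"""
from typing import Dict, List, Optional, Set, Tuple

# Assumed defaults: Windows max TGT lifetime is 10 hours; anything beyond
# SUSPICIOUS_FACTOR times that is flagged. Both are tunable per domain.
DEFAULT_TGT_LIFETIME_S = 10 * 3600
SUSPICIOUS_FACTOR = 2

# Field names as in the Bro 2.5 kerberos.log (assumption about the layout).
FIELDS = ["ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p",
          "request_type", "client", "service", "success", "error_msg",
          "from", "till", "cipher", "forwardable", "renewable"]


def _tsv(*cols: str) -> str:
    return "\t".join(cols)


# Constructed sample log: one normal AS/TGS pair for "alice", then a TGS
# for "administrator" with no AS exchange and a ten-year lifetime.
SAMPLE_LOG = "\n".join([
    "#separator \\x09",
    _tsv("#fields", *FIELDS),
    _tsv("1519759200.000000", "C1", "10.0.0.5", "50001", "10.0.0.1", "88", "AS",
         "alice/EXAMPLE.LOCAL", "krbtgt/EXAMPLE.LOCAL", "T", "-",
         "1519759200.000000", "1519795200.000000", "aes256-cts-hmac-sha1-96", "T", "T"),
    _tsv("1519759260.000000", "C2", "10.0.0.5", "50002", "10.0.0.1", "88", "TGS",
         "alice/EXAMPLE.LOCAL", "cifs/fs01.example.local", "T", "-",
         "1519759260.000000", "1519795200.000000", "aes256-cts-hmac-sha1-96", "T", "T"),
    _tsv("1519759320.000000", "C3", "10.0.0.77", "50003", "10.0.0.1", "88", "TGS",
         "administrator/EXAMPLE.LOCAL", "cifs/dc01.example.local", "T", "-",
         "1519759320.000000", "1835119320.000000", "rc4-hmac", "T", "T"),
])


def parse_kerberos_log(text: str) -> List[Dict[str, str]]:
    """Parse Bro TSV log text into one dict per record, keyed by the #fields header."""
    fields: Optional[List[str]] = None
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if line.startswith("#"):            # other metadata lines (#separator, #close, ...)
            continue
        if fields is None:
            raise ValueError("data line encountered before #fields header")
        records.append(dict(zip(fields, line.split("\t"))))
    return records


def ticket_lifetime(rec: Dict[str, str]) -> Optional[float]:
    """Seconds between the from and till timestamps, or None if either is unset ('-')."""
    if rec.get("from", "-") == "-" or rec.get("till", "-") == "-":
        return None
    return float(rec["till"]) - float(rec["from"])


def find_suspicious_tickets(records: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (uid, reason, client) alerts for the two heuristics above."""
    seen_tgt: Set[str] = set()   # clients with an observed, successful AS exchange
    alerts: List[Tuple[str, str, str]] = []
    for rec in sorted(records, key=lambda r: float(r["ts"])):
        client = rec.get("client", "-")
        rtype = rec.get("request_type", "-")
        if rtype == "AS" and rec.get("success") == "T":
            seen_tgt.add(client)
        elif rtype == "TGS" and client not in seen_tgt:
            alerts.append((rec["uid"], "TGS without observed TGT issuance", client))
        lifetime = ticket_lifetime(rec)
        if lifetime is not None and lifetime > SUSPICIOUS_FACTOR * DEFAULT_TGT_LIFETIME_S:
            alerts.append((rec["uid"], f"ticket lifetime {lifetime / 3600:.0f}h exceeds default", client))
    return alerts


def run_sample() -> List[Tuple[str, str, str]]:
    """Run both heuristics over the constructed sample log."""
    return find_suspicious_tickets(parse_kerberos_log(SAMPLE_LOG))


if __name__ == "__main__":
    for uid, reason, client in run_sample():
        print(f"{uid}\t{client}\t{reason}")
```

The "no TGT seen" heuristic needs a warm-up period and full visibility of AS traffic: a TGT issued before monitoring started, or on a link Bro does not see, produces the same alert, so in practice the `seen_tgt` set is seeded from a longer history. The lifetime check catches tooling defaults only; as the reply notes, an attacker can request a normal lifetime, so neither check is sufficient alone.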