[Bro] Finding Golden Tickets in Kerberos Logs

Clark Gaylord cgaylord at vt.edu
Mon Mar 5 06:07:54 PST 2018

True but an important point about them is their lack of expiration, hence
the need to redo the TGT credential after exploit. This would probably
still be wise, but that is a primary motivation. I agree it would be
interesting to audit tickets on the wire to ensure they appear to be
consistent with policy.

Clark Gaylord
cgaylord at vt.edu
... Autocorrect may have improved this message
    Brevity should not be interpreted as curtness ...

On Mar 5, 2018 05:36, "Jan Grashöfer" <jan.grashoefer at gmail.com> wrote:

On 27/02/18 20:49, brolist at vt.edu wrote:
> Does anyone have a reliable method to find Active Directory Golden or
> Silver Tickets in the Bro Kerberos logs? I was planning to look into doing
> this (maybe based partially on expiration) but wanted to ask the list
> first. I appreciate any advice.

Please correct me if I am wrong: Golden Tickts are generated using some
special account and won't be sent to the "user" like normal TGTs. In
that case, keeping track of the issued TGTs might allow to detect
"self-generated" Golden Tickets. The same should apply for TGS in case
of Silver Tickets.

As far as I know, expiration is usually quite high for Golden/Silver
Tickets and thus can be used for detection. However, it should be easy
for an attacker to adapt to default expiration times.

Bro mailing list
bro at bro-ids.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20180305/4b606bc2/attachment.html 

More information about the Bro mailing list