ITDR · January 2026 · 11 min read

Golden Ticket Detection — Why KRBTGT Hash Rotation Alone Is Not Enough

Kerberos Golden Tickets bypass normal authentication entirely. DKTrace detects them through ticket lifetime anomalies, PAC validation failures, and cross-referencing DC Kerberos logs — even for tickets forged offline.


DKTrace Research Team

Security Engineering · Threat Research

What Is a Golden Ticket?

A Kerberos Golden Ticket is a forged TGT (Ticket Granting Ticket) created using the NTLM hash of the KRBTGT account. An attacker with this hash can create a ticket for any user, any group, with any lifetime — entirely offline, without ever touching a DC again.

Standard KRBTGT rotation invalidates existing tickets — but if the attacker already has the hash, they just forge a new one.

The Detection Challenge

Most tools look for tickets with lifetimes > 10 hours (Mimikatz default: 10 years). Sophisticated attackers now forge tickets with lifetimes under 8 hours to blend in with normal Kerberos traffic.

DKTrace's Multi-Signal Approach

DKTrace correlates four independent signals simultaneously:

Signal 1: PAC Validation Mismatch

When a service ticket is requested (TGS-REQ), DKTrace compares the group SIDs asserted in the PAC (Privilege Attribute Certificate) with the DC's live LDAP view of that user's group memberships. A forged PAC claiming Domain Admins membership for a standard user fires immediately.

Signal 2: Ticket Age vs. Workstation Boot Time

A ticket that claims to have been issued 6 hours ago, presented from a workstation that booted 15 minutes ago, cannot occur under normal Kerberos: the LSASS ticket cache is cleared at boot, so any TGT in use on the host should have been obtained after the boot. DKTrace tracks workstation boot events and cross-references them against ticket creation times.

Signal 3: Encryption Downgrade

RC4-HMAC (etype 23) for accounts that have AES keys enabled is a classic Mimikatz/impacket signature. Modern environments should only see etype 17 (AES128) or 18 (AES256).

Signal 4: SID History Inconsistency

Forged PACs often contain inconsistent SID history — group SIDs that don't match the domain's current group membership. DKTrace's ITDR engine queries AD group membership in real time and compares.

Combined Confidence Scoring

Signals Firing   Confidence        DKTrace Response
1 signal         LOW (0.3)         Log + hunt
2 signals        MEDIUM (0.6)      Alert SOC
3 signals        HIGH (0.85)       P1 + auto-isolate candidate
4 signals        CRITICAL (0.97)   P1 + CISO notification
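The following Python correlator is an added example, not DKTrace's code. It implements the four signals described above (PAC versus directory groups, ticket age versus workstation boot, RC4 downgrade, and SID-history consistency) and maps the number of fired signals onto the confidence table. The directory snapshot, boot times and ticket observations are constructed inline; in a real deployment the directory data would come from a live LDAP query and the boot times from the workstation's boot events. The names DIRECTORY, BOOT_TIME, TicketUse and score, and the 5-minute clock-skew tolerance, are assumptions of the example.

```python
"""Toy multi-signal Golden Ticket correlator (added example, not DKTrace code).

Evaluates the four signals from the article against ticket-use observations
and maps the number of fired signals onto the confidence table. All inputs
are constructed inline so the example runs offline.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

# Constructed LDAP snapshot. Assumption: a real detector queries the
# directory live; here it is a static dict keyed by sAMAccountName.
DIRECTORY = {
    "jdoe": {"groups": {"S-1-5-21-100-513"},              # Domain Users only
             "sid_history": set(),
             "aes_keys": True},
    "svc_backup": {"groups": {"S-1-5-21-100-513", "S-1-5-21-100-1105"},
                   "sid_history": {"S-1-5-21-999-1105"},  # legitimate migration SID
                   "aes_keys": False},                    # RC4-only legacy account
}

# Constructed workstation boot times (the kind of data taken from boot events).
BOOT_TIME = {"WS01": datetime(2026, 1, 10, 9, 45, tzinfo=UTC)}

RC4_HMAC = 23                       # etype 23
AES_ETYPES = {17, 18}               # AES128-CTS / AES256-CTS
CLOCK_SKEW = timedelta(minutes=5)   # assumed tolerated skew (Kerberos default)


@dataclass(frozen=True)
class TicketUse:
    user: str
    workstation: str
    authtime: datetime          # issue time the ticket claims
    etype: int                  # ticket encryption type
    pac_groups: frozenset       # group SIDs asserted in the PAC
    pac_sid_history: frozenset  # SID-history entries asserted in the PAC


def signal_pac_mismatch(t: TicketUse) -> bool:
    """Signal 1: the PAC asserts groups the directory does not grant this user."""
    entry = DIRECTORY.get(t.user)
    if entry is None:
        return True  # PAC for a user the directory has never heard of
    return not t.pac_groups <= entry["groups"]


def signal_predates_boot(t: TicketUse) -> bool:
    """Signal 2: the ticket claims to predate the workstation's last boot.

    The LSASS ticket cache is cleared at boot, so a TGT in use on the host
    should have been obtained after boot (allowing for clock skew)."""
    boot = BOOT_TIME.get(t.workstation)
    return boot is not None and t.authtime < boot - CLOCK_SKEW


def signal_rc4_downgrade(t: TicketUse) -> bool:
    """Signal 3: RC4-HMAC ticket for an account that has AES keys."""
    entry = DIRECTORY.get(t.user)
    return t.etype == RC4_HMAC and bool(entry and entry["aes_keys"])


def signal_sid_history(t: TicketUse) -> bool:
    """Signal 4: SID history in the PAC that the directory does not record."""
    entry = DIRECTORY.get(t.user)
    known = entry["sid_history"] if entry else set()
    return not t.pac_sid_history <= known


SIGNALS = [
    ("pac_mismatch", signal_pac_mismatch),
    ("predates_boot", signal_predates_boot),
    ("rc4_downgrade", signal_rc4_downgrade),
    ("sid_history", signal_sid_history),
]

# The article's confidence table, keyed by the number of signals firing.
CONFIDENCE = {
    0: (0.0, "NONE", "No action"),
    1: (0.3, "LOW", "Log + hunt"),
    2: (0.6, "MEDIUM", "Alert SOC"),
    3: (0.85, "HIGH", "P1 + auto-isolate candidate"),
    4: (0.97, "CRITICAL", "P1 + CISO notification"),
}


def score(t: TicketUse) -> dict:
    """Run all four signals and map the count onto the confidence table."""
    fired = [name for name, check in SIGNALS if check(t)]
    confidence, level, response = CONFIDENCE[len(fired)]
    return {"user": t.user, "signals": fired, "confidence": confidence,
            "level": level, "response": response}


# Constructed observations.
NORMAL = TicketUse("jdoe", "WS01", datetime(2026, 1, 10, 10, 0, tzinfo=UTC), 18,
                   frozenset({"S-1-5-21-100-513"}), frozenset())
# Blatant forgery: Domain Admins (RID 512) added to the PAC, an Enterprise
# Admins (RID 519) SID in SID history, RC4 ticket, authtime hours before boot.
BLATANT = TicketUse("jdoe", "WS01", datetime(2026, 1, 10, 4, 0, tzinfo=UTC), 23,
                    frozenset({"S-1-5-21-100-513", "S-1-5-21-100-512"}),
                    frozenset({"S-1-5-21-100-519"}))
# Subtle forgery: AES etype, short lifetime, groups left alone, but the ticket
# still predates boot and carries a SID-history entry the directory lacks.
SUBTLE = TicketUse("jdoe", "WS01", datetime(2026, 1, 10, 9, 0, tzinfo=UTC), 18,
                   frozenset({"S-1-5-21-100-513"}), frozenset({"S-1-5-21-100-519"}))

if __name__ == "__main__":
    for obs in (NORMAL, BLATANT, SUBTLE):
        print(score(obs))
```

The SUBTLE observation is the case the lifetime-only heuristic misses: its lifetime is under the normal TGT maximum and it uses AES, yet two independent signals still fire and it lands at MEDIUM. Signal 3 deliberately stays quiet for the RC4-only service account, since RC4 is expected there and alerting on it would only add noise.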

Sigma rule: T1558.001
