Incident Response Tips

The Practical Way to Detect Golden and Silver Ticket Attacks

In some scenarios when an attacker issues a Golden Ticket with tools like Mimikatz, he will use a fake/blank account name or fake/blank domain name - these parameters don't need to be real when issuing a valid ticket.

We can take advantage of that to search in the DC for event logs 4769 - service ticket request, for users or domains that don't exist in the environment:

Silver Ticket attack can be detected by searching for service ticket requests with Kerberos RC4 encrypted, Type set to 0x17. Windows added Kerberos AES encryption, which means that most Kerberos requests will be AES encrypted on any modern Windows OS. Any Kerberos RC4 ticket request should be suspicious.

Dor Yardeni
Head of IR & Hunting



OTORIO website uses cookies. By continuing to browse the site you are agreeing to our use of cookies. For more details about cookies and how to manage them, see our cookie policy.