In some scenarios when an attacker issues a Golden Ticket with tools like Mimikatz, he will use a fake/blank account name or fake/blank domain name - these parameters don't need to be real when issuing a valid ticket.
We can take advantage of that to search in the DC for event logs 4769 - service ticket request, for users or domains that don't exist in the environment:
Silver Ticket attack can be detected by searching for service ticket requests with Kerberos RC4 encrypted, Type set to 0x17. Windows added Kerberos AES encryption, which means that most Kerberos requests will be AES encrypted on any modern Windows OS. Any Kerberos RC4 ticket request should be suspicious.
https://adsecurity.org/?p=3458
Dor Yardeni
Head of IR & Hunting