- Home
- SIEM use cases
- Golden Ticket Attack Detection
How to detect Golden Ticket attacks
In this page
Threat snapshot
A Golden Ticket is a forged Kerberos Ticket Granting Ticket. It is created offline using the NTLM hash of the domain's krbtgt account, a special account whose sole purpose is to sign every TGT issued in the domain. Because the forged ticket is signed with the real krbtgt hash, every Kerberos-aware service in the domain accepts it as authentic. The attacker can specify any username, any group membership, and any ticket lifetime they choose. Most significantly, they can claim membership in Domain Admins, Enterprise Admins, or any other group in the domain without those groups actually containing the account.
The krbtgt account hash is the master key for the entire Kerberos infrastructure of a domain. Every TGT in the domain derives its validity from this hash. Obtaining it requires domain admin access, but once obtained, the hash can be used to generate new Golden Tickets indefinitely and from any machine, without any further interaction with the domain. A Golden Ticket created today remains valid until the krbtgt password is rotated twice, which by default never happens unless an administrator explicitly forces it.
What makes Golden Tickets particularly dangerous as a persistence mechanism is their invisibility to standard monitoring. A forged TGT presented to the KDC generates standard authentication events that are indistinguishable from legitimate TGT use, because the KDC validates the ticket using the real krbtgt key and finds it cryptographically valid. The anomalies that betray a Golden Ticket are subtle: impossible ticket lifetimes, account names that do not exist in the domain, or TGT requests for accounts from machines those accounts have never previously used.
Golden Ticket attacks, at a glance
| Severity | Critical |
| Category | Identity & Access |
| Attack variants covered | Mimikatz Golden Ticket forging, Rubeus TGT forging, PowerShell-based Kerberos ticket requests post-Golden Ticket, KrbRelay and KrbRelayUp service ticket relay using forged TGTs |
| MITRE ATT&CK tactic | TA0006 - Credential Access |
| MITRE techniques | T1558.001 - Golden Ticket, T1558 - Steal or Forge Kerberos Tickets, T1558.003 - Kerberoasting (post-ticket service access) |
| Platforms covered | Active Directory, Windows |
| Log360 detection rules |
|
| SOC maturity level | Level 3 - Incident Response |
| Compliance mapping | NIST CSF PR.AC-7, PCI-DSS 8.6, HIPAA Section 164.312(d), ISO 27001 A.9.4.2 |
How Golden Ticket attacks work
A Golden Ticket attack requires two steps: extracting the krbtgt hash from Active Directory, then using that hash to forge a TGT with arbitrary claims. The diagram below shows both steps and how the forged TGT passes through the normal Kerberos authentication flow undetected.
Step 1: Extracting the krbtgt hash
The krbtgt account's NTLM hash is the signing key for every TGT in the domain. An attacker who has already achieved domain admin access obtains it via one of two methods. DCSync is the most common: Mimikatz's lsadump::dcsync /user:krbtgt command uses legitimate AD replication APIs to request the krbtgt account's password hash directly from a domain controller, generating Event 4662 (replication operation) on the DC rather than Event 4625 or Event 4768. The second method is direct LSASS memory access on a domain controller: since the DC caches the krbtgt hash in LSASS for ticket signing, a memory dump of the DC's LSASS process yields the same hash.
Both methods leave specific forensic traces. DCSync generates Event 4662 on domain controllers with the replication control access rights GUIDs (1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes and 1131f6ab-9c07-11d1-f79f-00c04fc2dcd2 for DS-Replication-Get-Changes-All). Direct LSASS access generates Sysmon Event 10 with lsass.exe as the target process. Either event attributable to a non-DC source IP is a high-confidence indicator that krbtgt extraction is in progress.
Step 2: Forging and injecting the Golden Ticket
With the krbtgt hash, the attacker forges a TGT entirely offline using Mimikatz's kerberos::golden command or Rubeus's golden command. The forged ticket contains arbitrary user attributes including group memberships, a chosen username, the domain SID, and an attacker-specified ticket lifetime. Most Golden Tickets are created with a 10-year lifetime to avoid expiry during the operation.
Once forged, the ticket is injected into the current Windows session using kerberos::ptt (pass-the-ticket) or Rubeus's ptt command. From that point, Windows presents the forged TGT to the KDC whenever a TGS for any service is needed. The KDC decrypts the TGT using the real krbtgt key, finds it cryptographically valid, and issues a genuine TGS for the requested service. The result is authenticated access to any Kerberos-enabled service in the domain as the impersonated user.
When the forged TGT is written to disk (for use on another machine or for safekeeping), Mimikatz creates a .kirbi format file. This file creation event is detectable via Sysmon Event 11 and is the earliest endpoint-level artifact of the forging operation.
Post-ticket lateral movement via PowerShell and relay tools
Once a Golden Ticket is active in the session, attackers use additional tooling to enumerate and access services across the domain. PowerShell-based Kerberos ticket requests allow scripted access to multiple services using the forged identity. KrbRelay and KrbRelayUp extend the attack surface by coercing machine authentication and relaying it to Kerberos-enabled services, compounding the access available through the forged TGT. Each of these downstream tools produces its own process creation signature that Log360's rules detect independently.
Real-world campaigns
APT29 and other nation-state actors: Golden Tickets as long-term persistence
Nation-state threat actors including APT29 (Cozy Bear) have been documented using Golden Tickets as their preferred long-term persistence mechanism after achieving domain compromise. The operational logic is straightforward: once the krbtgt hash is extracted, the actor can re-enter the domain at any time using a newly forged ticket, even if every user account password in the domain has been reset. The only remediation that invalidates a Golden Ticket is a double rotation of the krbtgt password, a procedure that most organizations have never performed and that requires careful planning to avoid disrupting legitimate Kerberos authentication. APT29's documented use of Golden Tickets in the SolarWinds intrusion campaign highlighted this technique to a broad audience of defenders and operators alike.
NotPetya and ransomware operators: Golden Tickets for mass lateral movement
The NotPetya wiper used a Golden Ticket implementation (derived from Mimikatz) as part of its lateral propagation mechanism. After extracting the krbtgt hash from an infected DC, it forged tickets enabling authenticated access to every domain-joined machine for encryption and propagation. The speed of domain-wide compromise in NotPetya incidents was significantly enabled by Golden Ticket-based mass authentication, which bypassed the need to crack or guess credentials for individual machines. Subsequent ransomware operators including REvil and BlackMatter have incorporated similar Golden Ticket steps in documented post-compromise playbooks.
Attack reference table
| Tool / command | Purpose | Prerequisite | Log360 detection |
|---|---|---|---|
| Mimikatz lsadump::dcsync /user:krbtgt | Extract krbtgt hash via AD replication | Domain admin or replication rights | HackTool - Mimikatz Execution, Mimikatz Detection |
| Mimikatz kerberos::golden /rc4:[hash] | Forge TGT with arbitrary user and group claims | krbtgt NTLM hash | HackTool - Mimikatz Kirbi File Creation (if /ticket used), Mimikatz Detection |
| Rubeus golden /rc4:[hash] | Forge TGT via .NET in-memory execution | krbtgt NTLM hash | Rubeus detection |
| Mimikatz / Rubeus ptt | Inject forged TGT into current Kerberos session | Forged .kirbi or in-memory ticket | HackTool - Mimikatz Kirbi File Creation, Uncommon Outbound Kerberos Connection |
| PowerShell Add-Type; [Kerberos]::RequestTicket | Request TGS for specific services post-injection | Active forged TGT in session | Request A Single Ticket via PowerShell |
| KrbRelayUp | Local privilege escalation via SYSTEM authentication relay | Low-privilege domain account on target machine | HackTool - KrbRelayUp Execution |
Business impact
- Persistence that outlasts all standard remediation. Resetting every domain user password, rotating every service account, and even performing a full domain admin account rebuild leaves a Golden Ticket untouched. The only actions that invalidate an outstanding Golden Ticket are rotating the krbtgt password twice within the ticket's lifetime. A single missed krbtgt rotation during incident response means the attacker retains access indefinitely, with a valid cryptographic credential that every Kerberos service in the domain will honor.
- Domain-wide access from a single credential. Where a Silver Ticket grants access to one service on one machine, a Golden Ticket grants access to every Kerberos-enabled service across the entire domain. File servers, domain controllers, database servers, mail servers, internal web applications, and remote management endpoints are all reachable using a single forged TGT. The blast radius is the entire domain.
- Impersonation of any user including non-existent ones. The forged TGT specifies a username but the KDC does not verify that the username corresponds to a real account in the directory. An attacker can authenticate as a username that does not exist in AD, making it impossible to trace activity back to a legitimate account and making post-incident attribution significantly harder.
- Invisibility to standard authentication monitoring. Event 4768 (TGT request) and Event 4769 (TGS request) appear normal when a Golden Ticket is used because the KDC validates the forged TGT successfully and issues a genuine TGS. Without specific monitoring for the anomalies listed in the diagram above, the forged authentication is indistinguishable from legitimate Kerberos traffic in standard authentication logs.
Detecting Golden Ticket attacks with Log360
Log360's eight detection rules for Golden Ticket attacks cover three detection layers. The first catches the tooling used to extract the krbtgt hash and forge tickets (Mimikatz execution signatures, .kirbi file creation, Rubeus execution). The second catches downstream Kerberos activity that uses the forged TGT (PowerShell ticket requests, anomalous Kerberos connections). The third catches relay attacks that compound the forged TGT access (KrbRelay, KrbRelayUp). For all endpoint-based rules, Sysmon must be deployed on domain-joined machines with process creation (Event 1) and file creation (Event 11) logging forwarding to Log360.
Hash extraction and ticket forging tool detection
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| HackTool - Mimikatz Kirbi File Creation | Critical | Windows | T1558 | Creation of a .kirbi file on disk, detected via Sysmon Event 11. Mimikatz writes .kirbi format files when creating or exporting Kerberos tickets using the /ticket parameter. The .kirbi file contains the complete forged TGT and can be reused across machines and sessions. Its creation in any user-accessible path is a high-confidence indicator of active ticket forging. Critical severity because .kirbi files represent portable, reusable forged credentials with no legitimate use in production environments. |
| HackTool - Mimikatz Execution | Trouble | Windows | T1003.001 | Mimikatz binary execution detected via Sysmon process creation. Mimikatz is the primary tool for both krbtgt hash extraction (lsadump::dcsync /user:krbtgt) and Golden Ticket forging (kerberos::golden). Detection at the process creation level provides the earliest possible alert in the attack chain, before the hash has been extracted or the ticket forged. |
| Mimikatz Detection | Critical | Windows | T1003 | Advanced behavioral rule covering Mimikatz execution via renamed binaries, reflective in-memory loading, and PowerShell-based invocation. Complements HackTool - Mimikatz Execution by catching obfuscated execution paths that bypass standard binary signature matching. Critical severity due to the scope of attacks Mimikatz enables, with Golden Ticket forging being among the highest-impact. |
| Rubeus detection | Critical | Windows | T1558.003 | Rubeus binary or in-memory execution via Sysmon process creation or behavioral signatures. Rubeus includes a dedicated golden command for TGT forging and a ptt command for ticket injection, making it a direct alternative to Mimikatz for Golden Ticket attacks. As a managed .NET assembly, Rubeus is often executed entirely in memory to avoid binary signature detection, making behavioral detection particularly important. |
Post-ticket Kerberos activity detection
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Uncommon Outbound Kerberos Connection | Trouble | Windows | T1558 | Kerberos authentication traffic to an unusual destination or with anomalous timing patterns. When a Golden Ticket is injected and used to request TGS tickets, the Kerberos traffic pattern may deviate from the baseline for that machine: requests from a machine that does not normally generate Kerberos TGT usage events, TGT presentations for accounts that have never authenticated from that machine, or Kerberos traffic to KDC addresses not associated with the account's domain. This rule provides the behavioral detection layer independent of specific tool signatures. |
| Request A Single Ticket via PowerShell | Trouble | Active Directory | T1558.003 | PowerShell command detected that requests a specific Kerberos service ticket, typically using the .NET Kerberos classes or the klist wrapper approach. Attackers use this technique post-Golden Ticket injection to programmatically request TGS tickets for target services (CIFS for file servers, HTTP for web apps, MSSQL for databases) using the forged identity, enabling scripted lateral movement across many services. Attention severity as PowerShell Kerberos ticket requests have some legitimate IT automation use cases; context from concurrent Mimikatz or Rubeus detections dramatically increases severity. |
Kerberos relay tool detection
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| HackTool - KrbRelay Execution | Trouble | Windows | T1558.003 | KrbRelay binary execution detected via Sysmon process creation. KrbRelay coerces SYSTEM-level Kerberos authentication from a Windows machine and relays it to a Kerberos-enabled service to gain privileged access or perform operations under the machine account's identity. Used in Golden Ticket attack chains to extend access to services not reachable via the forged TGT alone, or to acquire additional service tickets for relay to further targets. |
| HackTool - KrbRelayUp Execution | Trouble | Windows | T1558.003 | KrbRelayUp binary execution detected via Sysmon process creation. KrbRelayUp specifically targets local privilege escalation by relaying SYSTEM authentication to the local LDAP service to grant shadow credentials or DCSync rights to an attacker-controlled account. In a Golden Ticket context, KrbRelayUp is used to establish additional persistence mechanisms (shadow credentials) that survive a krbtgt password rotation, providing a fallback if the Golden Ticket is invalidated. |
Attack chain visibility
Golden Ticket attacks follow a consistent chain: krbtgt hash extraction, offline ticket forging, session injection, and domain-wide service access. The sequences below show the log record for the two most common operational variants.
Sequence A: Mimikatz DCSync to Golden Ticket to domain-wide access
| Step | Log source and event | What it indicates | Time offset |
|---|---|---|---|
| 1 | Windows Security Event 4662 on DC | DCSync operation targeting the krbtgt account. The replication control access GUIDs appear in the event properties. The source IP is not a DC. HackTool - Mimikatz Execution rule fires on the attacker's machine concurrently. This is the hash extraction step. | T+0 |
| 2 | Sysmon Event 11 on attacker host | A .kirbi file is created in a user-writable path. HackTool - Mimikatz Kirbi File Creation rule fires. The Golden Ticket has been forged and written to disk for use or exfiltration. | T+2 min |
| 3 | Windows Security Event 4768 on DC (TGT request) | A TGT is requested at the KDC using the forged ticket via pass-the-ticket. The KDC validates the forged TGT using the real krbtgt key and finds it valid. The event appears normal. Uncommon Outbound Kerberos Connection fires if the requesting machine has no prior history of this account's Kerberos activity. | T+3 min |
| 4 | Windows Security Event 4769 on DC (TGS requests) | Rapid TGS requests for multiple services (CIFS on multiple servers, HTTP, MSSQL) follow in quick succession from the same source. Request A Single Ticket via PowerShell fires if PowerShell is used to script the TGS requests. The attacker is mapping and accessing services across the domain. | T+3 to T+30 min |
Sequence B: Rubeus in-memory Golden Ticket with KrbRelayUp persistence backup
| Step | Log source and event | What it indicates | Time offset |
|---|---|---|---|
| 1 | Sysmon Event 1 on attacker host | Rubeus.exe executes. Rubeus detection rule fires. The command includes the golden sub-command with the krbtgt hash and target domain SID. The forged TGT is created entirely in memory, generating no .kirbi file on disk. | T+0 |
| 2 | Sysmon Event 1 on a low-privilege machine | KrbRelayUp executes on a different machine where the attacker has limited access. HackTool - KrbRelayUp Execution fires. The attacker is establishing shadow credential persistence on this machine as a fallback in case the Golden Ticket is invalidated by a krbtgt rotation. | T+15 min |
| 3 | Windows Security Event 5136 on DC (AD attribute write) | The msDS-KeyCredentialLink attribute on the machine's AD object is modified by the KrbRelayUp relay. Shadow credentials are now written, providing a PKINIT-based authentication path independent of the Golden Ticket. | T+16 min |
Investigation playbook
Golden Ticket investigations must address two simultaneous objectives: understanding the current scope of access the attacker has obtained via the forged TGT, and executing the krbtgt double rotation that invalidates all outstanding Golden Tickets before the attacker uses them further. These two objectives are in tension because krbtgt rotation, while necessary, can disrupt legitimate Kerberos authentication and requires careful timing.
Step 1: Triage - identify which rule fired and the chain so far
| Rule that fired | Attack phase | Most urgent action |
|---|---|---|
| HackTool - Mimikatz Execution or Mimikatz Detection | Early: hash extraction or forging may be in progress | Isolate the machine running Mimikatz immediately. Check Sysmon Event 1 command line arguments to determine if DCSync or kerberos::golden commands were used. Check for concurrent Event 4662 on any DC from the same source IP. |
| HackTool - Mimikatz Kirbi File Creation | Forging complete: Golden Ticket written to disk | Identify the .kirbi file path. Determine the ticket type (TGT for Golden, or TGS for Silver) from file metadata if accessible. Assume the krbtgt hash is compromised. Begin preparing the krbtgt double rotation. Check whether the .kirbi file has been exfiltrated. |
| Rubeus detection | Forging in progress (in-memory, no .kirbi file) | Isolate the host. Identify Rubeus arguments from Sysmon Event 1. If golden subcommand detected, assume krbtgt hash is compromised. No .kirbi file may exist, making disk forensics less useful; focus on memory forensics and network activity. |
| Uncommon Outbound Kerberos Connection | Golden Ticket in active use | Identify source host and the account name in the Kerberos request. Check whether that account exists in AD. Check Event 4768 and 4769 on DCs for the same source IP for anomalous ticket lifetimes or non-existent usernames. Confirm Golden Ticket use before triggering the krbtgt rotation. |
| Request A Single Ticket via PowerShell | Post-injection service access scripted | Check for concurrent Mimikatz or Rubeus detection on the same host. If present, treat as confirmed Golden Ticket lateral movement. Identify which services are being accessed via the PowerShell TGS requests. |
| HackTool - KrbRelayUp Execution | Persistence backup being established | Check AD for msDS-KeyCredentialLink writes on the machine's AD object. If shadow credentials were added, remove them. Treat as a signal that the attacker is expecting their Golden Ticket to be invalidated soon. |
Step 2: Confirm krbtgt hash compromise
- Query Windows Security Event 4662 on all domain controllers for the past 7 days, filtered for the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All access rights GUIDs. Any instance where the source IP is not a domain controller is a DCSync operation targeting AD credentials. If the krbtgt account is referenced in these events, treat it as confirmed compromised.
- Check Sysmon Event 10 (process access) on domain controllers for lsass.exe access from non-Microsoft processes. A direct LSASS memory dump on a DC yields the krbtgt hash without generating Event 4662. Any non-standard process accessing DC LSASS memory should be treated as a credential extraction attempt.
- Query Event 4768 on all DCs for TGT requests with anomalous characteristics: ticket lifetime greater than the domain's configured TGT lifetime (default 10 hours), usernames that do not exist in AD, or encryption type inconsistencies. These are the in-Kerberos indicators of Golden Ticket use.
Step 3: Investigate using the Incident Workbench
- Click on the affected hostname or account in the alert to open the Incident Workbench. Use the Process analytics tab on the machine where Mimikatz or Rubeus ran to view the full process tree. This reveals the prior compromise chain: how the attacker obtained domain admin access before extracting the krbtgt hash, which determines the full scope of the preceding intrusion.
- Use the User analytics tab for any accounts referenced in the Kerberos anomaly events. If the impersonated account has a UEBA baseline, its risk score will spike due to authentication from unexpected machines and access to services outside the normal baseline. If the impersonated account does not exist in AD, the UEBA profile will be absent, which is itself a confirming signal of a forged non-existent account name.
- Use Advanced Threat Analytics on the source IP used for DCSync or for Kerberos authentication post-Golden Ticket to check threat feed context and confirm whether the IP is associated with known attack infrastructure.
- Save the Incident Workbench session to an incident immediately. Golden Ticket incidents require executive notification, and the session documents the evidence chain from krbtgt extraction through service access for those communications.
Step 4: Assess the full scope of Golden Ticket access
- Identify the earliest confirmed evidence of krbtgt hash compromise from DCSync events or LSASS access. Treat every domain service access from the attack source IP after that timestamp as potentially Golden Ticket-based.
- Review Event 4769 (TGS request) on all DCs for TGS requests sourced from the attack IP or from machines where Mimikatz/Rubeus ran. Each TGS request identifies a specific service that was accessed using the forged identity. Enumerate all services reached.
- Check whether any of the services accessed during the Golden Ticket window hold sensitive data: file servers, database servers, mail servers, or code repositories. Those services require their own scope assessment regarding data accessed or exfiltrated during the forged session.
- Check for KrbRelayUp activity and msDS-KeyCredentialLink writes to determine whether shadow credential persistence was established. If so, identifying and removing all shadow credentials must be part of the remediation.
Step 5: Collect evidence and build the timeline
- Export Windows Security Event 4662 from all DCs for the attack window. These records are the primary evidence of krbtgt hash extraction via DCSync and document which account performed the replication operation and from which IP.
- Export Sysmon Event 1 (process creation with full command line) from the compromised host. The Mimikatz or Rubeus command line is the most direct evidence of the forging operation.
- Export Event 4768 and 4769 from all DCs for the attack window. Look for anomalous ticket lifetimes, non-existent account names, and TGS requests for services that are inconsistent with the impersonated account's normal role.
- Export the Incident Workbench session timeline and UEBA risk scores as the compliance record for NIST CSF DE.AE-5 incident analysis and for executive and legal stakeholder reporting.
Response and remediation
Immediate containment
- Isolate the machine where Mimikatz or Rubeus ran. This terminates any active forged sessions using tickets in that machine's Kerberos cache and prevents the attacker from forging additional tickets from the same operational platform.
- Perform a double krbtgt password rotation. This is the only action that invalidates outstanding Golden Tickets. The rotation must be performed twice, with the two rotations separated by the maximum Kerberos ticket lifetime in the domain (default 10 hours), to ensure all outstanding TGTs issued before the first rotation have expired. Single krbtgt rotation is insufficient because Golden Tickets are validated against the previous password hash which remains cached on DCs for one ticket lifetime. Use Microsoft's documented procedure for this operation. Plan the rotation to occur during a low-activity window as it will cause all existing TGTs to be invalidated and all users to need to re-authenticate.
- Remove any shadow credentials (msDS-KeyCredentialLink entries) added via KrbRelayUp or KrbRelay. These provide an independent authentication path that survives krbtgt rotation. Audit the attribute on all high-value AD objects including Domain Controllers, admin accounts, and service accounts.
- Revoke all active sessions for any account names impersonated in confirmed Golden Ticket authentications. While these are forged identities, any legitimate sessions those accounts have open may have been used alongside the forged sessions and should be refreshed.
Response actions by trigger
| Trigger | Immediate action | Owner |
|---|---|---|
| HackTool - Mimikatz Execution + concurrent Event 4662 (DCSync of krbtgt) | Confirmed krbtgt extraction. Isolate machine. Begin preparing double krbtgt rotation. Notify CISO. Identify all downstream access. | SOC L3 + AD Team + CISO |
| HackTool - Mimikatz Kirbi File Creation | Golden or Silver Ticket forged and on disk. Treat krbtgt as compromised until confirmed otherwise. Check for DCSync events. Initiate krbtgt rotation procedure. | SOC L3 + Incident Response |
| Rubeus detection with golden subcommand argument | In-memory Golden Ticket forging. No disk artifact, but krbtgt hash confirmed used. Treat as krbtgt compromise. Isolate machine. Initiate krbtgt rotation. | SOC L3 + Incident Response |
| Uncommon Outbound Kerberos Connection with anomalous TGT properties | Golden Ticket actively in use. Confirm anomaly (check ticket lifetime and account existence in AD). If confirmed, declare full domain compromise incident. | CISO + Incident Response + AD Team |
| HackTool - KrbRelayUp Execution with confirmed shadow credential write | Remove shadow credentials from affected AD objects. Treat as signal attacker expects Golden Ticket to be invalidated. Check for other persistence mechanisms. | SOC L3 + AD Team |
Hardening
- Implement a regular krbtgt password rotation schedule. Microsoft recommends rotating the krbtgt password every 180 days at minimum. In practice, most organizations never rotate it at all. Establishing a documented rotation procedure and testing it reduces the window of Golden Ticket validity in the event of a future compromise.
- Restrict DCSync rights to domain controller machine accounts only. The DS-Replication-Get-Changes and DS-Replication-Get-Changes-All permissions on the domain object should only be held by DC machine accounts. Any user account with these permissions represents a DCSync risk. Audit these permissions via Get-ADObject and remove any non-DC account grants.
- Deploy Credential Guard on all domain-joined endpoints including servers. Credential Guard prevents Mimikatz from reading LSASS memory directly, blocking the LSASS-based krbtgt hash extraction path. Combined with DCSync right restrictions, it eliminates both primary hash acquisition methods.
- Enable Protected Users security group membership for the krbtgt account (where supported). Protected Users restrictions limit the encryption types and delegation settings available for group members, making certain hash extraction approaches more difficult.
- Monitor Event 4662 for non-DC replication in real time. Any DCSync operation from a non-DC source should trigger an immediate alert regardless of the target account. This event class is one of the clearest signals of domain-level credential theft in progress.
False positive tuning
| False positive source | Rules affected | Tuning strategy |
|---|---|---|
| Authorized penetration testing and red team exercises | All 8 detection rules | Create time-bounded exceptions scoped to the authorized assessment source IP range and tied to the approved change ticket. Mimikatz Kirbi File Creation and Rubeus detection should never have permanent production exclusions. Remove all exceptions immediately when the assessment window closes. |
| Azure AD Connect and legitimate AD replication services | Uncommon Outbound Kerberos Connection | Azure AD Connect, ADFS, and multi-site DC replication generate legitimate Kerberos activity that may appear anomalous to behavioral rules. Document the source IPs and account names used by these services. Create scoped exceptions for the specific source IP and account combinations. Alert on any Kerberos anomaly from sources not in this documented set. |
| Security operations tools using Kerberos ticket inspection | HackTool - Mimikatz Kirbi File Creation | Authorized security tooling such as ticket inspection utilities or credential scanning tools may create .kirbi format files as part of legitimate security operations. Create an allowlist scoped to the specific authorized tool binary path and the specific authorized user account. Any .kirbi creation from outside this allowlist should always alert regardless of context. |
| PowerShell administrative automation using Kerberos ticket requests | Request A Single Ticket via PowerShell | IT automation scripts may use PowerShell to request Kerberos tickets for service health checks or connectivity tests. Allowlist specific PowerShell scripts by their content hash or execution path, and scope the allowlist to the specific service accounts that run these scripts. Alert on any PowerShell Kerberos ticket request from accounts or machines not in the allowlist, particularly when concurrent Mimikatz or Rubeus activity has been detected. |
