# Detecting and Preventing the Path to a Golden Ticket With Cortex XDR

By [Gavriel Fried](https://www.paloaltonetworks.com/blog/author/gavriel-fried/?ts=markdown "Posts by Gavriel Fried") and [Aviad Meyer](https://www.paloaltonetworks.com/blog/author/aviad-meyer/?ts=markdown "Posts by Aviad Meyer")

May 25, 2022, 17 minutes

Tags: [Must-Read Articles](https://www.paloaltonetworks.com/blog/security-operations/category/must-read-articles/?ts=markdown), [certificate](https://www.paloaltonetworks.com/blog/tag/certificate/?ts=markdown), [Cortex](https://www.paloaltonetworks.com/blog/tag/cortex/?ts=markdown), [Cortex XDR](https://www.paloaltonetworks.com/blog/tag/cortex-xdr/?ts=markdown), [DCSync](https://www.paloaltonetworks.com/blog/tag/dcsync/?ts=markdown), [Golden Ticket](https://www.paloaltonetworks.com/blog/tag/golden-ticket/?ts=markdown), [Kerberos](https://www.paloaltonetworks.com/blog/tag/kerberos/?ts=markdown), [Mimikatz](https://www.paloaltonetworks.com/blog/tag/mimikatz/?ts=markdown), [pass the ticket](https://www.paloaltonetworks.com/blog/tag/pass-the-ticket/?ts=markdown), [Privilege Escalation](https://www.paloaltonetworks.com/blog/tag/privilege-escalation/?ts=markdown), [Rubeus](https://www.paloaltonetworks.com/blog/tag/rubeus/?ts=markdown), [ShadowCoerce](https://www.paloaltonetworks.com/blog/tag/shadowcoerce/?ts=markdown)

## **Executive Summary**

The "[Golden Ticket](https://attack.mitre.org/techniques/T1558/001/)" attack introduced by Benjamin Delpy has been giving defenders quite a hard time. The technique can be rather evasive because, as a post-exploitation technique, it blends into daily network activity. The attack allows an adversary to gain unconstrained access to all services and resources within an [Active Directory (AD)](https://en.wikipedia.org/wiki/Active_Directory) domain using a forged Kerberos ticket known as the "Golden Ticket".

In this blog post, we'll briefly explain what Kerberos and a Golden Ticket are, and an attacker's motivation for performing a Golden Ticket attack. Then we will present some existing methods for detecting the technique and their caveats.
To finish, we will demonstrate two methods of obtaining and creating a "Golden Ticket" and explain how customers can detect and prevent the methods leading to the "Golden Ticket" using Cortex XDR.

## **What is a Golden Ticket?**

### **Kerberos Refresher**

Kerberos is a network authentication protocol that is primarily used in Active Directory environments. It provides strong authentication by issuing tickets that authenticate users and grant access to services. The tickets are distributed by the [key distribution center (KDC)](https://www.techopedia.com/definition/12883/key-distribution-center-kdc-cryptography). In most environments, the KDC is installed on the [domain controller (DC)](https://en.wikipedia.org/wiki/Domain_controller). During the initial authentication, the user is issued a [Ticket Granting Ticket (TGT)](https://doubleoctopus.com/security-wiki/authentication/ticket-granting-tickets/). The TGT is later presented to the KDC to authenticate the user and request a service ticket from the Ticket Granting Service (TGS). Service tickets are used for authentication against services.

A Kerberos authentication consists of the following steps:

1. The user requests a TGT from the KDC *(AS-REQ)*; the KDC verifies and validates the credentials and user information.
2. After authenticating the user, the KDC sends an encrypted TGT back to the requester *(AS-REP)*.
3. The user presents the TGT to the DC and requests a TGS *(TGS-REQ)*.
4. The TGS is encrypted and sent back to the requesting user *(TGS-REP)*.
5. The user connects to the server hosting the requested service and presents the TGS *(AP-REQ)* in order to access the service.
6. The application server sends an *(AP-REP)* back to the client.
![Visio-KerberosComms](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/visio-kerberoscomms.png)

*Kerberos authentication -* [*Image Source*](https://adsecurity.org/?p=1515)

### **Golden Ticket - Attacker Incentive**

A Golden Ticket is a forged TGT that is generated without proper authentication yet appears "pre-authenticated"; it serves as false proof that authentication was performed in order to request a TGS. Using this ticket gives an attacker access to resources, or lets them execute attacks, without real authentication: for example, access to all computers, files and folders in the domain.

In order to understand why and how this is possible, we first need to understand what the [KRBTGT](https://adsecurity.org/?p=483) account is. Microsoft TechNet states:

*"The KRBTGT account is a local default account that acts as a service account for the Key Distribution Center (KDC) service. This account cannot be deleted, and the account name cannot be changed. The KRBTGT account cannot be enabled in Active Directory.*

*KRBTGT is also the security principal name used by the KDC for a Windows Server domain, as specified by RFC 4120. The KRBTGT account is the entity for the KRBTGT security principal, and it is created automatically when a new domain is created.*

*Windows Server Kerberos authentication is achieved by the use of a special Kerberos ticket-granting ticket (TGT) enciphered with a symmetric key. This key is derived from the password of the server or service to which access is requested. The TGT password of the KRBTGT account is known only by the Kerberos service. In order to request a session ticket, the TGT must be presented to the KDC. The TGT is issued to the Kerberos client from the KDC."*

More plainly, the KRBTGT account's key encrypts and signs all the Kerberos TGTs for the domain, and all verification of Kerberos tickets, including encrypting and decrypting TGTs for the KDC service, is done with the KRBTGT account.
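To make the KRBTGT point concrete, here is a toy model of the KDC's decision logic, added here as an example and not code from the original post. It stands in for Kerberos encryption with an HMAC "seal" over JSON claims; the `ToyKDC` class, the `EXAMPLE.LOCAL` realm, the user `alice` and the in-memory AS/TGS logs are all constructed. It shows that the TGS exchange asks only one question of a TGT (does it verify under the current KRBTGT key and is it unexpired), never whether the AS exchange issued it, and that the only record distinguishing an issued ticket from one that was not is the AS-side log.

```python
"""Toy model of the KDC's TGT check: why a ticket it never issued is accepted.

Added example, not code from the original post. It replaces real Kerberos
encryption with an HMAC "seal" over JSON claims and keeps everything in memory;
ToyKDC, the realm name, the user "alice" and the log lists are constructed for
illustration. Real tickets are encrypted ASN.1 structures (RFC 4120), but the
decision logic shown here is the same.
"""
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

REALM = "EXAMPLE.LOCAL"      # constructed realm
TGT_LIFETIME = 10 * 3600     # 10 hours, the Windows default TGT lifetime


def seal(key: bytes, claims: dict) -> dict:
    """Stand-in for 'encrypted with the KRBTGT key': bind the claims to the key with an HMAC."""
    body = json.dumps(claims, sort_keys=True).encode()
    return {"claims": claims, "mac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def unseal(key: bytes, ticket: dict) -> Optional[dict]:
    """Return the claims if the ticket verifies under `key`, else None."""
    body = json.dumps(ticket["claims"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return ticket["claims"] if hmac.compare_digest(expected, ticket["mac"]) else None


class ToyKDC:
    def __init__(self) -> None:
        self.krbtgt_key = secrets.token_bytes(32)          # the KRBTGT secret
        self.users = {"alice": hashlib.sha256(b"alice-pw").digest()}
        self.as_log: list = []    # analogue of EID 4768 (a TGT was requested)
        self.tgs_log: list = []   # analogue of EID 4769 (a service ticket was requested)

    def rotate_krbtgt_key(self) -> None:
        """Reset the KRBTGT secret; every ticket sealed with the old key stops verifying."""
        self.krbtgt_key = secrets.token_bytes(32)

    def as_exchange(self, user: str, password: bytes) -> Optional[dict]:
        """AS-REQ/AS-REP: check the credential, then hand out a TGT sealed with the KRBTGT key."""
        if self.users.get(user) != hashlib.sha256(password).digest():
            return None
        self.as_log.append(user)
        return seal(self.krbtgt_key, {"user": user, "realm": REALM,
                                      "exp": time.time() + TGT_LIFETIME})

    def tgs_exchange(self, tgt: dict, service: str) -> Optional[dict]:
        """TGS-REQ/TGS-REP: the only question asked of the TGT is whether it unseals
        under the KRBTGT key and is unexpired. Who issued it is never checked."""
        claims = unseal(self.krbtgt_key, tgt)
        if claims is None or claims["exp"] < time.time():
            return None
        self.tgs_log.append((claims["user"], service))
        return {"user": claims["user"], "service": service}


def demo() -> dict:
    """Run three scenarios and report what the KDC decided in each."""
    kdc = ToyKDC()
    out = {}

    # 1. Legitimate flow: AS-REQ/AS-REP produces the TGT, TGS-REQ/TGS-REP spends it.
    tgt = kdc.as_exchange("alice", b"alice-pw")
    out["legit_tgs"] = kdc.tgs_exchange(tgt, "cifs/fs01") is not None

    # 2. A ticket sealed with the KRBTGT key that the AS exchange never issued
    #    (the missing AS-REQ/AS-REP leg in the Golden Ticket figure). The TGS
    #    cannot tell it apart: the seal verifies, so the request succeeds.
    never_issued = seal(kdc.krbtgt_key, {"user": "Administrator", "realm": REALM,
                                         "exp": time.time() + 10 * 365 * 86400})
    out["never_issued_tgs"] = kdc.tgs_exchange(never_issued, "cifs/fs01") is not None
    # Only the AS-side log shows that no TGT was ever requested for that principal.
    out["as_log_has_admin"] = "Administrator" in kdc.as_log
    out["tgs_log_has_admin"] = any(u == "Administrator" for u, _ in kdc.tgs_log)

    # 3. Rotating the KRBTGT key invalidates every outstanding ticket, legitimate
    #    and forged alike; clients simply re-authenticate for fresh TGTs.
    kdc.rotate_krbtgt_key()
    out["never_issued_after_rotation"] = kdc.tgs_exchange(never_issued, "cifs/fs01") is not None
    out["legit_after_rotation"] = kdc.tgs_exchange(tgt, "cifs/fs01") is not None
    return out


if __name__ == "__main__":
    print(demo())
```

Scenario 3 is the remediation side of the same model: a ticket is only as durable as the key it was sealed with. A real KDC also accepts tickets under the previous KRBTGT key, which is why Microsoft's guidance is to reset the KRBTGT password twice (with replication in between) rather than once as the toy does.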
This means a forged TGT will be considered a valid ticket simply because it was encrypted with the KRBTGT account's key. A Kerberos authentication with a "Golden Ticket" would look like this:

![Kerberos authentication with a "Golden Ticket": no AS-REQ and AS-REP](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/visio-goldenticket-comms.png)

*Kerberos authentication with a "Golden Ticket": no AS-REQ and AS-REP -* [*Image Source*](https://adsecurity.org/?p=1515)

Needless to say, a Golden Ticket is a prized goal for an attacker. With the Golden Ticket in hand, the offender has full access to all resources, with high privileges, throughout the domain.

### **What is Required to Perform a "Golden Ticket" Attack?**

Once an attacker has a foothold on the network, they can proceed with the Golden Ticket generation. To generate a Golden Ticket, an attacker needs the following:

* The [Fully Qualified Domain Name](https://en.wikipedia.org/wiki/Fully_qualified_domain_name) (FQDN) of the domain.
* The [Security Identifier](https://en.wikipedia.org/wiki/Security_Identifier) (SID) of the domain.
* The KRBTGT password hash.
* The username of the account they want to impersonate.

Since an attacker with a foothold on the network can easily find the FQDN, we will cover the ways the attacker can obtain the KRBTGT password hash and the domain SID later on.

### **Existing Golden Ticket Detections - Caveats**

There are several existing Golden Ticket detections, but they come with caveats due to the nature of the attack and the limitations of the detection methods.
### **TGS Request Without a TGT Request**

One proposed detection is to look for a TGS request event log ([EID 4769](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769)) without a preceding TGT request ([EID 4768](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768)). This detection has a number of caveats:

When dealing with big data it is very easy to lose some events or pieces of information in the analysis or monitoring process. In such cases, this logic produces false positives that confuse or mislead security operations analysts.

Another issue is that a TGT has a long lifetime before it expires, so the detection might treat the time delta between the TGT request and the TGS request as an indicator of a "Golden Ticket", causing a false positive.

In environments with multiple DCs, a user might request a TGT from one DC and the TGS from another. If only one of these DCs is monitored, the flow looks like a TGS request without a TGT request.

### **TGT Tickets with an Arbitrary Lifetime, a Blank or Fake Domain, or Account Name**

A different approach is to look for anomalies in the TGT itself, for example an arbitrary lifetime or a forged domain or account name, which indicate that it might be fake. The main issue with these detections is that they rely on the attacker making a mistake when forging the Golden Ticket. If the attacker is careful, these detections will not help detect a Golden Ticket.

### **How Can Cortex XDR Help You Detect Golden Ticket Attacks?**

Cortex XDR leverages multiple data sources, behavioral detections and behavioral analytics to detect the potential attack throughout its phases. We will now show some examples of how an attacker can obtain and generate a Golden Ticket, and how Cortex XDR prevents and detects the various steps of the attack.
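Before turning to the Cortex XDR examples, the three caveats of the "TGS request without a TGT request" heuristic from the previous section can be reproduced on a handful of events. The block below is an added example, not code from the original post and not Cortex XDR's own logic: the events are constructed analogues of EID 4768 and EID 4769 carrying only the fields the heuristic needs, and the DC names, users and addresses are made up. The same function is run three times, varying only which DCs are visible, how long a TGT is allowed to be, and whether one event was lost in collection.

```python
"""The "TGS request without a TGT request" heuristic and its caveats on sample data.

Added example; not from the original post and not Cortex XDR's own logic. The
events are constructed analogues of EID 4768 (TGT requested) and EID 4769
(service ticket requested) with only the fields the heuristic needs; the DC
names, users and IPs are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2022, 5, 25, 8, 0, 0)
EVENTS = [
    # alice: TGT and service ticket both on DC01, one minute apart (normal).
    {"ts": T0, "dc": "DC01", "eid": 4768, "user": "alice", "ip": "10.0.0.5"},
    {"ts": T0 + timedelta(minutes=1), "dc": "DC01", "eid": 4769, "user": "alice", "ip": "10.0.0.5", "service": "cifs/fs01"},
    # bob: TGT from DC02, service ticket from DC01 (multi-DC caveat).
    {"ts": T0, "dc": "DC02", "eid": 4768, "user": "bob", "ip": "10.0.0.6"},
    {"ts": T0 + timedelta(minutes=2), "dc": "DC01", "eid": 4769, "user": "bob", "ip": "10.0.0.6", "service": "cifs/fs01"},
    # carol: service ticket nine hours after the TGT, inside the 10 h lifetime (lifetime caveat).
    {"ts": T0, "dc": "DC01", "eid": 4768, "user": "carol", "ip": "10.0.0.7"},
    {"ts": T0 + timedelta(hours=9), "dc": "DC01", "eid": 4769, "user": "carol", "ip": "10.0.0.7", "service": "ldap/dc01"},
    # Administrator from 10.0.0.99: a service ticket with no TGT request anywhere.
    {"ts": T0 + timedelta(minutes=5), "dc": "DC01", "eid": 4769, "user": "Administrator", "ip": "10.0.0.99", "service": "cifs/dc01"},
]


def tgs_without_tgt(events, monitored_dcs, window):
    """Return (user, ip, service) for every 4769 whose (user, ip) has no 4768 on a
    monitored DC within `window` before it. Events from unmonitored DCs are invisible,
    exactly as they are to a collector that only sees some of the DCs."""
    visible = [e for e in events if e["dc"] in monitored_dcs]
    tgt_times = defaultdict(list)
    for e in visible:
        if e["eid"] == 4768:
            tgt_times[(e["user"], e["ip"])].append(e["ts"])
    alerts = []
    for e in visible:
        if e["eid"] != 4769:
            continue
        recent = [t for t in tgt_times[(e["user"], e["ip"])] if e["ts"] - window <= t <= e["ts"]]
        if not recent:
            alerts.append((e["user"], e["ip"], e["service"]))
    return sorted(alerts)


def caveat_walkthrough():
    """Three runs of the same heuristic that differ only in visibility and window."""
    # Naive: one monitored DC, one-hour window -> bob and carol are false positives.
    naive = tgs_without_tgt(EVENTS, {"DC01"}, timedelta(hours=1))
    # All DCs, window equal to the TGT lifetime -> only the true positive remains.
    tuned = tgs_without_tgt(EVENTS, {"DC01", "DC02"}, timedelta(hours=10))
    # Lossy pipeline: alice's 4768 was dropped in collection -> she becomes a false positive.
    lossy = [e for e in EVENTS if not (e["eid"] == 4768 and e["user"] == "alice")]
    dropped = tgs_without_tgt(lossy, {"DC01", "DC02"}, timedelta(hours=10))
    return {"naive": naive, "tuned": tuned, "dropped_event": dropped}


if __name__ == "__main__":
    for name, hits in caveat_walkthrough().items():
        print(name, hits)
```

The "tuned" run is the best this heuristic can do: full DC coverage and a window no shorter than the configured TGT lifetime. Even then, the "dropped_event" run shows that a single lost 4768 is indistinguishable from a forged ticket, which is the first caveat in the text.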
The examples were conducted while the agent was in report mode in order to see the full attack chain. In standard cases, the agent's Behavioral Threat Protection (BTP) rules prevent and block the attack phases.

### **Obtaining a Golden Ticket - Method 1: Local NTDS.dit Dump**

One method for an attacker to generate a Golden Ticket is to dump the Active Directory database (NTDS.dit) and extract the information needed for the generation. This is done by creating a shadow copy on the DC in order to obtain the NTDS.dit file. The file is then parsed to extract the KRBTGT hash and domain SID, and Mimikatz is used to generate the Golden Ticket. This method requires access to an [NTDS.dit](https://www.windowstechno.com/what-is-ntds-dit/) file or access to the DC.

Breakdown:

The NTDS.dit file is the database that stores the Active Directory data, including information about groups, group memberships and user objects. It also includes the password hashes for all the users in the domain, which means the KRBTGT hash is there as well.

In order to fetch the password hash of the KRBTGT account, an attacker needs a copy of the NTDS.dit file. But copying the NTDS.dit file is not as simple as copying any other file: since the database is constantly in use by Active Directory, it is locked and a standard copy cannot be performed.

One way to create a copy of the NTDS.dit is by making a [Volume Shadow Copy](https://en.wikipedia.org/wiki/Shadow_Copy). A shadow copy is a backup copy or snapshot of the computer's volumes or files, taken even while they are in use. With that understanding, it is possible to create an NTDS.dit copy by leveraging the shadow copy mechanism. Microsoft has a built-in utility for making shadow copies, the [Volume Shadow Copy Service (VSS)](https://docs.microsoft.com/en-us/windows-server/storage/file-server/volume-shadow-copy-service).

The attack begins with the adversary making a shadow copy on the DC with VSS.
Then, the attacker retrieves an NTDS.dit copy from the shadow copy and additionally copies the [SYSTEM registry hive](https://docs.microsoft.com/en-us/windows/win32/sysinfo/registry-hives). The reason for copying the SYSTEM registry hive is that it contains the [BootKey/SysKey](https://en.wikipedia.org/wiki/Syskey). This BootKey is an encryption key used to encrypt sensitive information such as the NTDS.dit, machine account passwords and system certificates. The attacker uses this BootKey to decrypt the NTDS.dit in order to read its contents. Next, the offender extracts the KRBTGT data from the NTDS.dit copy. After the KRBTGT and SID data are acquired, a Golden Ticket can be generated.

### **Attacker Flow**

In order to follow this flow, we start with an attacker that has gained access to a DC and can create a shadow copy.

First, the attacker needs to create the shadow copy with VSS:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-2.jpeg)

*Creating a shadow copy with VSSAdmin*

After the shadow copy is created, the NTDS.dit is retrieved:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-3.jpeg)

*Retrieving the NTDS.dit from the shadow copy*

Then the SYSTEM registry hive needs to be copied:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-4.jpeg)

*Copying the SYSTEM registry hive*

The attacker can then delete the traces of the shadow copy:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-5.jpeg)

*Deleting the traces of making a shadow copy*

Now the attacker uses the PowerShell module [DSInternals](https://www.dsinternals.com/en/downloads/) to get the BootKey/SysKey from the saved SYSTEM registry hive:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-6.jpeg)

*Getting the BootKey from the SYSTEM registry hive copy*

An NTDS.dit taken from a shadow copy needs a repair in most cases, so the attacker repairs the NTDS.dit with the esentutl utility:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-7.jpeg)

*Repairing the NTDS.dit from the shadow copy*

After the repair, the KRBTGT data can be extracted from the NTDS.dit copy with DSInternals:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-8.jpeg)

*Extracting the KRBTGT data from the NTDS.dit repaired copy*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-9.jpeg)

*The extracted KRBTGT data*

With the KRBTGT and domain data, the attacker generates a "Golden Ticket" with Mimikatz:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-10.jpeg)

*Generating a Golden Ticket with Mimikatz*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-11.jpeg)

*The Golden Ticket generated*

### **Cortex XDR Alerts and Insights**

With Cortex XDR we can see several alerts and insights triggered by the different stages of the attack flow.
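The Method 1 flow above is a chain of ordinary administrative commands, which is why the individual alerts that follow gain most of their value from being correlated on one host. The block below is an added example, not code from the original post and not Cortex XDR's rules: it classifies constructed process-creation records into the stages of the flow (shadow copy creation, copying NTDS.dit out of the shadow-copy device path, saving the SYSTEM hive, deleting the shadow copy, repairing NTDS.dit with esentutl) and alerts on a host when a strong stage appears or several stages cluster inside a window. Host names, users, timestamps, command lines and the 30-minute window are all constructed.

```python
"""Chaining the Method 1 steps from process-creation telemetry.

Added example, not code from the original post and not Cortex XDR's rules. The
process events are constructed; the command lines mirror the tooling the post's
screenshots show (vssadmin, a copy out of the shadow-copy device path, reg save,
esentutl). Host names, users, timestamps and the 30-minute window are made up.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Each stage of the shadow-copy dump as a command-line pattern.
STAGES = [
    ("vss_create",       re.compile(r"vssadmin(\.exe)?\s+create\s+shadow", re.I)),
    ("ntds_from_shadow", re.compile(r"HarddiskVolumeShadowCopy\d+\\.*ntds\.dit", re.I)),
    ("system_hive_save", re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SYSTEM\b", re.I)),
    ("vss_delete",       re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("esentutl_repair",  re.compile(r"esentutl(\.exe)?.*\s/p\s.*ntds\.dit", re.I)),
]
# Touching NTDS.dit is suspicious on its own; the other stages only as part of a chain.
STRONG = {"ntds_from_shadow", "esentutl_repair"}

T0 = datetime(2022, 5, 25, 9, 0, 0)
EVENTS = [  # constructed process-creation records
    {"ts": T0, "host": "DC01", "user": "CORP\\svc-bad",
     "cmd": r"vssadmin.exe create shadow /for=C:"},
    {"ts": T0 + timedelta(minutes=1), "host": "DC01", "user": "CORP\\svc-bad",
     "cmd": r"cmd.exe /c copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\temp\ntds.dit"},
    {"ts": T0 + timedelta(minutes=2), "host": "DC01", "user": "CORP\\svc-bad",
     "cmd": r"reg.exe save HKLM\SYSTEM C:\temp\SYSTEM.hiv"},
    {"ts": T0 + timedelta(minutes=3), "host": "DC01", "user": "CORP\\svc-bad",
     "cmd": r"vssadmin.exe delete shadows /for=C: /quiet"},
    {"ts": T0 + timedelta(minutes=8), "host": "DC01", "user": "CORP\\svc-bad",
     "cmd": r"esentutl.exe /p C:\temp\ntds.dit"},
    # A backup agent on DC02 also creates shadow copies, but nothing else follows.
    {"ts": T0, "host": "DC02", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": r"vssadmin.exe create shadow /for=C:"},
]


def classify(cmd):
    """Names of every stage whose pattern matches the command line."""
    return {name for name, rx in STAGES if rx.search(cmd)}


def score_hosts(events, window=timedelta(minutes=30)):
    """Per host: the largest set of distinct stages seen inside any `window`, and whether
    that warrants an alert (any STRONG stage alone, or three or more stages close together)."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        stages = classify(e["cmd"])
        if stages:
            by_host[e["host"]].append((e["ts"], stages))
    verdicts = {}
    for host, hits in by_host.items():
        best = set()
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, stages in hits[i:]:
                if ts - start > window:
                    break
                seen |= stages
            if len(seen) > len(best):
                best = seen
        verdicts[host] = {"stages": sorted(best),
                          "alert": bool(best & STRONG) or len(best) >= 3}
    return verdicts


if __name__ == "__main__":
    for host, verdict in score_hosts(EVENTS).items():
        print(host, verdict)
```

DC02 is the tuning case: shadow-copy creation alone is routine for backup software, so it is recorded but does not alert. The two NTDS.dit stages alert on their own because, unlike `vssadmin` or `reg save`, there is very little benign reason for a copy of NTDS.dit to be read or repaired outside the live `%SystemRoot%\NTDS` directory.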
When creating the Volume Shadow Copy and dumping the SYSTEM registry hive, Cortex XDR raises the following alerts and insights:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-12.jpeg)

*Alerts regarding the creation of the Volume Shadow Copy and SYSTEM registry hive dump*

We can see the causality chain of the dump:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-13.jpeg)

*Causality chain of dumping the SYSTEM registry hive*

Additional BTP rules trigger on the SYSTEM registry hive dump and the NTDS.dit access (extraction from the shadow copy):

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-14.jpeg)

*Save key HKLM\\SYSTEM in a suspicious way - triggered by saving the SYSTEM hive*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-15.jpeg)

*Suspicious access to NTDS.dit*

The Identity Analytics Module provides the following insights regarding the execution of esentutl:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-16.jpeg)

*Rare process execution + Rare LOLBIN Process Execution - triggered by the esentutl NTDS.dit repair*

For Mimikatz's execution we have the following:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-17.jpeg)

*Various alerts for Mimikatz regarding the tool execution and Kerberos ticket injection*

We can see the causality chain for Mimikatz's Kerberos ticket injection:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-18.jpeg)

*Causality chain of Mimikatz's ticket injection*

| **Alert Name** | **Alert Source** |
|---|---|
| Creation of Volume Shadow Copy using vssadmin.exe | XDR BIOC |
| Dumping Registry hives with passwords | XDR BIOC |
| Behavioral threat detected - Save key HKLM\\SYSTEM in suspicious way | XDR Agent |
| Suspicious access to NTDS.dit | XDR BIOC |
| Rare LOLBIN Process Execution by User | XDR Analytics BIOC, Identity Analytics Module |
| Rare process execution in organization | XDR Analytics BIOC, Identity Analytics Module |
| Rare process execution by user | XDR Analytics BIOC, Identity Analytics Module |
| Suspicious Process Creation | XDR Agent |
| WildFire Malware | XDR Agent |
| Behavioral threat detected - Mimikatz process start | XDR Agent |
| Behavioral threat detected - Inject Kerberos ticket | XDR Agent |

### **Method 2: DCSync**

Another method an attacker can use to generate a Golden Ticket is to abuse the [File Server Remote VSS (MS-FSRVP)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-fsrvp/dae107ec-8198-4778-a950-faa7edad125b) protocol with [ShadowCoerce](https://github.com/ShutdownRepo/ShadowCoerce), together with the Active Directory Certificate Services (ADCS), in order to obtain a DC machine account certificate. Once the abuser has the DC certificate, they can authenticate as the DC to perform a [DCSync](https://attack.mitre.org/techniques/T1003/006/) and get the KRBTGT data in order to create a Golden Ticket. This method is an example of escalating privileges from a low-privileged user to a Golden Ticket with full access to the domain's resources.

Breakdown:

ShadowCoerce is a tool that abuses the MS-FSRVP [RPC](https://en.wikipedia.org/wiki/Microsoft_RPC) interface. Using the IsPathSupported and IsPathShadowCopied methods, a server running MS-FSRVP can be coerced to authenticate as its machine account against a chosen host over the [Server Message Block (SMB)](https://en.wikipedia.org/wiki/Server_Message_Block) protocol. An attacker can set up a listener for SMB authentications using [ntlmrelayx](https://github.com/SecureAuthCorp/impacket/blob/master/examples/ntlmrelayx.py) as a [relay server](https://attack.mitre.org/techniques/T1557/001/).
Once the SMB authentication is captured, the relay server relays the authentication to the ADCS server in order to get a certificate for the coerced machine account.

*\* Learn more about ADCS authentication and abuse -* [*Detecting Active Directory Certificate Services Abuse with Cortex XDR*](https://www.paloaltonetworks.com/blog/security-operations/detecting-active-directory-certificate-services-abuse-with-cortex-xdr/)

Once the abuser has the machine account certificate, they can use it to request a TGT from the DC. With the TGT, the attacker can authenticate as the highly privileged machine account with "[Pass the Ticket](https://attack.mitre.org/techniques/T1550/003/)". These steps are done with [Rubeus](https://github.com/GhostPack/Rubeus).

The premise is that the attacker coerces a DC to authenticate to the relay server, thus allowing them to authenticate as the DC. While authenticated as a DC, the offender can perform a DCSync.

*In short, a DCSync is a domain controller replication technique. Abusing it can allow an offender to pull password data and hashes, including the KRBTGT hash.*

Once the DCSync is executed, the offender can extract the KRBTGT hash and the SID of the domain. Combining these with the FQDN of the domain, the offender can now create a Golden Ticket. With said Golden Ticket, the attacker can access all the resources in the domain.

### **Attacker Flow**

In order to follow this flow, we start with an attacker that has gained access to a machine in the domain with ADCS, an MS-FSRVP server, and a relay machine.
First, the attacker sets up a relay server that waits for SMB authentications and relays them to the ADCS server:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-19.jpeg)

*Setting up the relay server with ntlmrelayx*

After the relay server is set up and awaiting the authentication, the attacker uses ShadowCoerce to coerce the DC to authenticate against the relay server:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-20.jpeg)

*Abuse of MS-FSRVP, relaying authentication to the relay server*

The relay server relays the authentication to the ADCS server, and a certificate is obtained:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-21.jpeg)

*Relay server relayed authentication to ADCS for a certificate*

With the certificate at hand, the abuser gets a TGT for the DC machine account with Rubeus using "Pass the Ticket":

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-22.jpeg)

*Getting a TGT for the DC machine account with Rubeus*

The attacker has successfully obtained a TGT for the DC's machine account:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-23.jpeg)

*Rubeus successfully got a TGT for the DC machine account*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-24.jpeg)

*Showing the obtained TGT with klist*

Next, the attacker uses [Mimikatz](https://attack.mitre.org/software/S0002/) to perform a DCSync in order to get the KRBTGT hashes and the domain SID:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-25.jpeg)

*Performing a DCSync with Mimikatz*

Finally, a Golden Ticket can be generated using the domain FQDN, SID and the KRBTGT NTLM hash with "Pass the Ticket":

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-26.jpeg)

*Generating a Golden Ticket with Mimikatz*
![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-27.jpeg)

*Output of the successful Golden Ticket*

The attacker now has access to the resources in the domain:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-28.jpeg)

*Access to the Domain Controller's C drive*

### **Cortex XDR Alerts and Insights**

With Cortex XDR we can see several alerts and insights triggered by the different stages of the attack flow.

When ShadowCoerce is executed, Cortex XDR raises the following alerts and insights:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-29.jpeg)

*Rare signature signed executable executed on the network - triggered by ShadowCoerce execution via CMD*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-30.jpeg)

*Suspicious usage of File Server Remote VSS Protocol (FSRVP) - triggered by ShadowCoerce abuse*

We can see the causality chain of the FSRVP abuse on the victim server:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-31.jpeg)

*Causality chain of the FSRVP abuse with ShadowCoerce*

Additionally, the following alerts trigger on the SMB traffic from ShadowCoerce and on the coerced SMB authentication to the relay server:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-32.jpeg)

*SMB Traffic from Non-Standard Process - triggered by ShadowCoerce*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-33.jpeg)

*Causality chain of SMB Traffic from Non-Standard Process*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-34.jpeg)

*Suspicious SMB connection from domain controller - triggered by the coerced authentication*

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-35.jpeg)

*Causality chain of Suspicious SMB connection from domain controller*

The Rubeus execution triggered the following alerts and BTP prevention rules:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-36.jpeg)

*Various alerts for Rubeus regarding the tool execution and Kerberos interactions*

The Identity Analytics Module provides the following insights regarding the execution of Rubeus and klist:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-37.jpeg)

*Rare process execution by user and in the organization - triggered by Rubeus and klist execution*

Because a TGT for the DC machine account was requested on a machine that is not the DC, the following alert fires:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-38.jpeg)

*TGT request with a spoofed sAMAccountName - Event log - triggered by the TGT request for the DC's machine account*

As for Mimikatz's execution, we have:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-39.jpeg)

*Various alerts for Mimikatz regarding the tool execution*

Additionally, an Identity Analytics Module insight was triggered:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-40.jpeg)

*Rare process execution by user - triggered by Mimikatz*

We can see the causality chain for both the Rubeus ticket injection and Mimikatz's execution:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-41.jpeg)

*Causality chain of Rubeus ticket injection and Mimikatz's execution*

Lastly, the DCSync is blocked by a BTP rule:

![](https://www.paloaltonetworks.com/blog/wp-content/uploads/2022/05/word-image-42.jpeg)

*DCSync alert*

| **Alert Name** | **Alert Source** |
|---|---|
| Rare signature signed executable executed in the network | XDR Analytics BIOC |
| Suspicious usage of File Server Remote VSS Protocol (FSRVP) | XDR Analytics BIOC |
| SMB Traffic from Non-Standard Process | XDR Analytics BIOC |
| Suspicious SMB connection from domain controller | XDR Analytics BIOC |
| WildFire Malware | XDR Agent |
| Behavioral threat detected - Inject Kerberos ticket | XDR Agent |
| Rubeus tool execution | XDR BIOC |
| Kerberos Traffic from Non-Standard Process | XDR Analytics BIOC |
| Potentially Dangerous Tool - Rubeus tool used for raw Kerberos interaction and abuses. | XDR Agent |
| Rare process execution by user | XDR Analytics BIOC, Identity Analytics Module |
| Rare process execution in organization | XDR Analytics BIOC, Identity Analytics Module |
| TGT request with a spoofed sAMAccountName - Event log | XDR Analytics BIOC, Identity Analytics Module |
| Suspicious Process Creation | XDR Agent |
| Behavioral threat detected - Mimikatz process start | XDR Agent |
| Credential Gathering - DCSync attack | XDR Agent |

## **Conclusion**

The Golden Ticket attack gives an adversary unrestricted access to all resources in the domain. Our recommendation is to create a security policy that limits access paths to the DC, implementing a least privilege model. In addition, deploying a security platform such as Cortex XDR provides an additional layer of protection and visibility into the various stages of the attack.

Want to learn more about Cortex XDR? Visit the [Cortex XDR webpage](https://www.paloaltonetworks.com/cortex/cortex-xdr) or read the [Essential Guide to XDR](https://start.paloaltonetworks.com/essential-guide-to-xdr.html).
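As a closing addition, two of the Method 2 signals in the table above ("TGT request with a spoofed sAMAccountName" and "Suspicious SMB connection from domain controller") reduce to simple inventory checks, shown here on sample telemetry. This is an added example, not code from the original post and not Cortex XDR's own logic: the machine-to-address inventory, the EID 4768 analogues (account name and client address only) and the flow records are constructed, and every name and address is made up. In the flow described above, Rubeus requested a TGT for the DC's machine account from the attacker's host, and ShadowCoerce made the DC open an SMB connection to the relay host; both stand out against an inventory of where each machine account and each DC normally talks.

```python
"""Two Method 2 signals from sample telemetry: a DC machine-account TGT requested
from a host that is not that DC, and SMB from a DC to an unexpected host.

Added example, not code from the original post and not Cortex XDR's own logic.
The inventory, the EID 4768 analogues and the flow records are constructed;
names and addresses are made up. Real 4768 events carry more fields (this uses
only the account name and client address).
"""

# Constructed inventory: the address each machine account normally authenticates from.
INVENTORY = {"DC01$": "10.0.0.10", "FS01$": "10.0.0.20", "WS07$": "10.0.0.70"}
DOMAIN_CONTROLLERS = {"10.0.0.10"}

TGT_EVENTS = [  # constructed EID 4768 analogues: (account name, client address)
    {"user": "alice", "ip": "10.0.0.70"},   # user account: out of scope for this check
    {"user": "FS01$", "ip": "10.0.0.20"},   # file server, from its own address
    {"user": "DC01$", "ip": "10.0.0.10"},   # DC, from its own address
    {"user": "DC01$", "ip": "10.0.0.70"},   # DC machine account requested from a workstation
]

SMB_FLOWS = [  # constructed network-flow records
    {"src": "10.0.0.70", "dst": "10.0.0.10", "dport": 445},  # workstation -> DC: normal
    {"src": "10.0.0.10", "dst": "10.0.0.20", "dport": 445},  # DC -> file server: on the allow list
    {"src": "10.0.0.10", "dst": "10.0.0.70", "dport": 445},  # DC -> workstation: the coerced authentication
    {"src": "10.0.0.10", "dst": "10.0.0.70", "dport": 135},  # not SMB; ignored by this check
]


def machine_tgt_from_foreign_host(events, inventory):
    """TGTs for machine accounts (sAMAccountName ending in '$') requested from an address
    other than the one the inventory associates with that machine. An account missing
    from the inventory is reported with expected=None so it is not silently skipped."""
    hits = []
    for e in events:
        if not e["user"].endswith("$"):
            continue
        expected = inventory.get(e["user"])
        if e["ip"] != expected:
            hits.append((e["user"], e["ip"], expected))
    return hits


def dc_smb_to_unexpected_host(flows, domain_controllers, allowed_destinations):
    """Outbound SMB (port 445) from a DC to a host that is neither a DC nor on the allow
    list. DCs do legitimately initiate SMB to some servers, so the allow list is the
    tuning knob for this check."""
    hits = []
    for f in flows:
        if f["dport"] != 445 or f["src"] not in domain_controllers:
            continue
        if f["dst"] in domain_controllers or f["dst"] in allowed_destinations:
            continue
        hits.append((f["src"], f["dst"]))
    return hits


if __name__ == "__main__":
    print(machine_tgt_from_foreign_host(TGT_EVENTS, INVENTORY))
    print(dc_smb_to_unexpected_host(SMB_FLOWS, DOMAIN_CONTROLLERS, {"10.0.0.20"}))
```

The inventory is the weak point of both checks: a machine with several addresses, a DHCP lease change or an unmaintained allow list turns into a false positive, so in practice the inventory is derived from observed baselines rather than maintained by hand.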
Security](https://www.paloaltonetworks.com/cortex/cloud/runtime-security?ts=markdown) * [Prisma Cloud](https://www.paloaltonetworks.com/prisma/cloud?ts=markdown) * [AI-Driven SOC](https://www.paloaltonetworks.com/cortex?ts=markdown) * [Cortex XSIAM](https://www.paloaltonetworks.com/cortex/cortex-xsiam?ts=markdown) * [Cortex XDR](https://www.paloaltonetworks.com/cortex/cortex-xdr?ts=markdown) * [Cortex XSOAR](https://www.paloaltonetworks.com/cortex/cortex-xsoar?ts=markdown) * [Cortex Xpanse](https://www.paloaltonetworks.com/cortex/cortex-xpanse?ts=markdown) * [Unit 42 Managed Detection \& Response](https://www.paloaltonetworks.com/cortex/managed-detection-and-response?ts=markdown) * [Managed XSIAM](https://www.paloaltonetworks.com/cortex/managed-xsiam?ts=markdown) * [Threat Intel and Incident Response Services](https://www.paloaltonetworks.com/unit42?ts=markdown) * [Proactive Assessments](https://www.paloaltonetworks.com/unit42/assess?ts=markdown) * [Incident Response](https://www.paloaltonetworks.com/unit42/respond?ts=markdown) * [Transform Your Security Strategy](https://www.paloaltonetworks.com/unit42/transform?ts=markdown) * [Discover Threat Intelligence](https://www.paloaltonetworks.com/unit42/threat-intelligence-partners?ts=markdown) ## Company * [About Us](https://www.paloaltonetworks.com/about-us?ts=markdown) * [Careers](https://jobs.paloaltonetworks.com/en/) * [Contact Us](https://www.paloaltonetworks.com/company/contact-sales?ts=markdown) * [Corporate Responsibility](https://www.paloaltonetworks.com/about-us/corporate-responsibility?ts=markdown) * [Customers](https://www.paloaltonetworks.com/customers?ts=markdown) * [Investor Relations](https://investors.paloaltonetworks.com/) * [Location](https://www.paloaltonetworks.com/about-us/locations?ts=markdown) * [Newsroom](https://www.paloaltonetworks.com/company/newsroom?ts=markdown) ## Popular Links * [Blog](https://www.paloaltonetworks.com/blog/?ts=markdown) * 
[Communities](https://www.paloaltonetworks.com/communities?ts=markdown) * [Content Library](https://www.paloaltonetworks.com/resources?ts=markdown) * [Cyberpedia](https://www.paloaltonetworks.com/cyberpedia?ts=markdown) * [Event Center](https://events.paloaltonetworks.com/) * [Manage Email Preferences](https://start.paloaltonetworks.com/preference-center) * [Products A-Z](https://www.paloaltonetworks.com/products/products-a-z?ts=markdown) * [Product Certifications](https://www.paloaltonetworks.com/legal-notices/trust-center/compliance?ts=markdown) * [Report a Vulnerability](https://www.paloaltonetworks.com/security-disclosure?ts=markdown) * [Sitemap](https://www.paloaltonetworks.com/sitemap?ts=markdown) * [Tech Docs](https://docs.paloaltonetworks.com/) * [Unit 42](https://unit42.paloaltonetworks.com/) * [Do Not Sell or Share My Personal Information](https://panwedd.exterro.net/portal/dsar.htm?target=panwedd) ![PAN logo](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/pan-logo-dark.svg) * [Privacy](https://www.paloaltonetworks.com/legal-notices/privacy?ts=markdown) * [Trust Center](https://www.paloaltonetworks.com/legal-notices/trust-center?ts=markdown) * [Terms of Use](https://www.paloaltonetworks.com/legal-notices/terms-of-use?ts=markdown) * [Documents](https://www.paloaltonetworks.com/legal?ts=markdown) Copyright © 2026 Palo Alto Networks. 
All Rights Reserved * [![Youtube](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/youtube-black.svg)](https://www.youtube.com/user/paloaltonetworks) * [![Podcast](https://www.paloaltonetworks.com/content/dam/pan/en_US/images/icons/podcast.svg)](https://www.paloaltonetworks.com/podcasts/threat-vector?ts=markdown) * [![Facebook](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/facebook-black.svg)](https://www.facebook.com/PaloAltoNetworks/) * [![LinkedIn](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/linkedin-black.svg)](https://www.linkedin.com/company/palo-alto-networks) * [![Twitter](https://www.paloaltonetworks.com/etc/clientlibs/clean/imgs/social/twitter-x-black.svg)](https://twitter.com/PaloAltoNtwks) * EN Select your language