Detecting Golden Ticket Attacks in Kerberos Logs

When to Use

- When KRBTGT account hash may have been compromised via DCSync or NTDS.dit extraction
- When hunting for forged Kerberos tickets used for persistent domain access
- After incident response reveals credential theft at the domain level
- When investigating impossible logon patterns (users logging in from multiple locations simultaneously)
- During post-breach assessment to determine if Golden Tickets are in use

Prerequisites

- Windows Security Event IDs 4768, 4769, 4771 on domain controllers
- Kerberos policy configuration knowledge…