Query Details

RULE 04 AD Golden Ticket Orphaned Logon

Query

// =========================================================
// RULE-04 | AD-GoldenTicket-Orphaned-Logon
// Description : Golden Ticket detection — Event 4624 (Kerberos
//               logon, Type 3 network or Type 10 RemoteInteractive)
//               paired with Event 4672 (Special Privileges:
//               SeDebugPrivilege or other high-level privileges)
//               but WITHOUT a corresponding Event 4768 (TGT
//               request) from the same account within the
//               previous 4 hours on any DC.
//               A forged (Golden) TGT never passes through
//               the KDC AS-REQ/AS-REP exchange, so 4768
//               will be absent.
// Severity    : High (orphaned logon) → Critical when the paired
//               4672 carries SeTcbPrivilege
// Frequency   : Every 1 hour, look-back 1 hour
// MITRE       : T1558.001 — Golden Ticket
// Tables      : SecurityEvent
// =========================================================

let LookBack          = 1h;
let TGTLookBackWindow = 4h;    // 4-hour TGT validity window

// Accounts we have recently seen a proper TGT request for
let AccountsWithTGT = SecurityEvent
    | where TimeGenerated > ago(LookBack + TGTLookBackWindow)
    | where EventID == 4768
    | where TargetUserName !endswith "$"
    | summarize by TGTAccount = tolower(TargetUserName), TGTDomain = tolower(TargetDomainName);

// Privileged network logons (Type 3 or Type 10) in the last hour
let PrivilegedLogons = SecurityEvent
    | where TimeGenerated > ago(LookBack)
    | where EventID == 4624
    | where LogonType in (3, 10)
    | where AuthenticationPackageName =~ "Kerberos"
    | where TargetUserName !endswith "$"
    | where TargetUserName !in~ ("ANONYMOUS LOGON", "-")
    // Pair with 4672 by account name only; a 4672 logged on another host
    // in the same hour will also match, so PrivHost is carried for triage
    | join kind=inner (
        SecurityEvent
        | where TimeGenerated > ago(LookBack)
        | where EventID == 4672
        | where PrivilegeList has_any (
            "SeTcbPrivilege", "SeDebugPrivilege",
            "SeTakeOwnershipPrivilege", "SeBackupPrivilege",
            "SeRestorePrivilege", "SeLoadDriverPrivilege"
          )
        | project PrivTime = TimeGenerated,
                  PrivUser = SubjectUserName,
                  PrivDomain = SubjectDomainName,
                  PrivilegeList,
                  PrivHost = Computer
    ) on $left.TargetUserName == $right.PrivUser,
         $left.TargetDomainName == $right.PrivDomain
    | extend
        NormAccount = tolower(TargetUserName),
        NormDomain  = tolower(TargetDomainName);

// Keep only logons that have NO corresponding TGT
PrivilegedLogons
| join kind=leftanti (AccountsWithTGT) on
    $left.NormAccount == $right.TGTAccount,
    $left.NormDomain  == $right.TGTDomain
| extend
    // Ticket lifetime cannot be derived from 4624/4672 alone (the 4768
    // that would carry it is absent by construction), so it is not computed
    Severity = case(
        PrivilegeList has "SeTcbPrivilege", "Critical",
        "High"
    ),
    WhySuspicious = strcat(
        "PrivLogon_No_TGT_Request; ",
        "Privileges: ", PrivilegeList, "; ",
        "LogonType: ", tostring(LogonType)
    )
| project
    TimeGenerated,
    Severity,
    WhySuspicious,
    TargetUserName,
    TargetDomainName,
    Computer,
    IpAddress,
    LogonType,
    PrivilegeList
| order by TimeGenerated desc

Explanation

This query detects potential "Golden Ticket" activity in an Active Directory environment. Here is a simplified explanation of what the query does:

  1. Purpose: The query identifies suspicious logon activity that might indicate a "Golden Ticket" attack. A "Golden Ticket" is a forged Kerberos Ticket Granting Ticket (TGT) that lets an attacker impersonate any user, including domain administrators, without being detected by the Key Distribution Center (KDC).

  2. Detection Logic:

    • It looks for privileged network logons (Event ID 4624 with logon type 3 or 10, authenticated with Kerberos) that occurred in the last hour.
    • These logons must be paired with a special-privilege assignment (Event ID 4672) for the same account, such as SeDebugPrivilege or another high-level privilege.
    • The query then checks that these logons have no corresponding TGT request (Event ID 4768) from the same account within the previous 4 hours. The absence of a TGT request suggests the use of a forged TGT.

  3. Severity Levels:

    • The severity is "Critical" if the logon carries SeTcbPrivilege; otherwise it is "High".

  4. Output:

    • The query outputs details of the suspicious logons: time, severity, reason for suspicion, user and domain names, computer, IP address, logon type, and privilege list.
    • The results are ordered by logon time, most recent first.

  5. Frequency: This detection runs every hour and looks back over the past hour for new suspicious activity (the TGT check reaches back a further 4 hours).

Overall, this query helps security teams monitor and respond to potential unauthorized access attempts that could compromise the security of the network.
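The correlation above (4624 + 4672 for the same account, minus any account with a 4768 in the look-back window) can be exercised offline against a handful of constructed events. The following Python is an added example and not part of the published rule or the SecurityEvent schema: the `Event` class, the host names, account names and IPs are all placeholders, and names are lower-cased before both joins (the KQL only does that before the anti-join). It also shows the rule's edge cases: a genuine TGT 3.5 hours earlier suppresses the alert, a TGT 7 hours earlier (outside the 4h + 1h window) does not, computer accounts and NTLM logons are ignored, and a logon with no 4672 never becomes a finding.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Privileges the rule treats as "special" in its Event 4672 filter.
SENSITIVE_PRIVS = (
    "SeTcbPrivilege", "SeDebugPrivilege", "SeTakeOwnershipPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeLoadDriverPrivilege",
)
LOOK_BACK = timedelta(hours=1)    # rule runs hourly over the last hour
TGT_WINDOW = timedelta(hours=4)   # a real TGT should have been requested within 4h


@dataclass
class Event:  # constructed stand-in for a SecurityEvent row
    time: datetime
    event_id: int
    account: str          # TargetUserName (4624/4768) or SubjectUserName (4672)
    domain: str
    computer: str
    logon_type: int = 0
    auth_package: str = ""
    privileges: str = ""  # PrivilegeList as the tab-separated string Windows logs
    ip: str = "-"


def _account_key(e):
    return (e.account.lower(), e.domain.lower())


def _is_user_account(name):
    return not name.endswith("$") and name.lower() not in ("anonymous logon", "-")


def find_orphaned_privileged_logons(events, now):
    """Privileged Kerberos logons whose account has no 4768 in the window, newest first."""
    # Step 1: accounts that did request a TGT within LookBack + TGTLookBackWindow.
    # As in the KQL, the window is relative to the rule run, not to each logon.
    accounts_with_tgt = {
        _account_key(e) for e in events
        if e.event_id == 4768 and e.time > now - (LOOK_BACK + TGT_WINDOW)
        and not e.account.endswith("$")
    }
    # Step 2: special-privilege assignments (4672) in the last hour, keyed by account.
    privs_by_account = {}
    for e in events:
        if (e.event_id == 4672 and e.time > now - LOOK_BACK
                and any(p in e.privileges for p in SENSITIVE_PRIVS)):
            privs_by_account.setdefault(_account_key(e), []).append(e)
    # Step 3: Kerberos Type 3/10 user logons (4624) in the last hour.
    findings = []
    for e in events:
        if e.event_id != 4624 or e.time <= now - LOOK_BACK:
            continue
        if e.logon_type not in (3, 10) or e.auth_package.lower() != "kerberos":
            continue
        if not _is_user_account(e.account):
            continue
        key = _account_key(e)
        if key not in privs_by_account or key in accounts_with_tgt:
            continue  # nothing to pair with, or a genuine TGT exists (leftanti)
        for priv in privs_by_account[key]:  # one row per 4672 match, like an inner join
            sev = "Critical" if "SeTcbPrivilege" in priv.privileges else "High"
            why = f"PrivLogon_No_TGT_Request; Privileges: {priv.privileges}; LogonType: {e.logon_type}"
            findings.append({
                "TimeGenerated": e.time, "Severity": sev, "WhySuspicious": why,
                "TargetUserName": e.account, "TargetDomainName": e.domain,
                "Computer": e.computer, "IpAddress": e.ip,
                "LogonType": e.logon_type, "PrivilegeList": priv.privileges,
            })
    findings.sort(key=lambda f: f["TimeGenerated"], reverse=True)
    return findings


NOW = datetime(2026, 3, 24, 12, 0)  # constructed "rule run" time


def sample_events():
    """Constructed events; hosts, accounts and IPs are placeholders."""
    t = lambda h, m: datetime(2026, 3, 24, h, m)
    return [
        # svc_backup: genuine TGT 3.5h ago, then a privileged logon -> not flagged
        Event(t(8, 30), 4768, "svc_backup", "CORP", "DC01"),
        Event(t(11, 40), 4624, "svc_backup", "CORP", "FS01", 3, "Kerberos", ip="10.0.0.21"),
        Event(t(11, 40), 4672, "svc_backup", "CORP", "FS01", privileges="SeBackupPrivilege\tSeRestorePrivilege"),
        # jdoe: last TGT 7h ago (outside the 5h window), privileged logon now -> High
        Event(t(5, 0), 4768, "jdoe", "CORP", "DC01"),
        Event(t(11, 50), 4624, "jdoe", "CORP", "FS01", 3, "Kerberos", ip="10.0.0.33"),
        Event(t(11, 50), 4672, "jdoe", "CORP", "FS01", privileges="SeDebugPrivilege"),
        # admin2: no TGT at all, RemoteInteractive logon with SeTcbPrivilege -> Critical
        Event(t(11, 55), 4624, "admin2", "CORP", "APP01", 10, "Kerberos", ip="10.0.0.40"),
        Event(t(11, 55), 4672, "admin2", "CORP", "APP01", privileges="SeTcbPrivilege\tSeDebugPrivilege"),
        # WS01$: computer account -> excluded by the "$" filter
        Event(t(11, 45), 4624, "WS01$", "CORP", "FS01", 3, "Kerberos"),
        Event(t(11, 45), 4672, "WS01$", "CORP", "FS01", privileges="SeDebugPrivilege"),
        # ntlmuser: privileged but NTLM, outside this Kerberos-only rule
        Event(t(11, 59), 4624, "ntlmuser", "CORP", "FS01", 3, "NTLM"),
        Event(t(11, 59), 4672, "ntlmuser", "CORP", "FS01", privileges="SeDebugPrivilege"),
    ]


if __name__ == "__main__":
    for f in find_orphaned_privileged_logons(sample_events(), NOW):
        print(f["TimeGenerated"], f["Severity"], f["TargetUserName"], f["WhySuspicious"])
```

Running it yields two findings, `admin2` (Critical) then `jdoe` (High). Because the TGT window is anchored to the rule run rather than to each logon, an account whose last 4768 sits just inside the five-hour span is never flagged even if that TGT predates the logon by more than four hours; tightening that to a per-logon comparison would need the 4768 timestamps carried through the join rather than a plain anti-join on account name.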

Details


David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent

Operators

let, ago(), !endswith, summarize by, tolower(), in, =~, !in~, join kind=inner, has_any, project, on, extend, join kind=leftanti, datetime_diff(), case(), has, strcat(), tostring(), order by
