MITRE ATT&CK® Detection Strategy

DET0144: Detect Forged Kerberos Golden Tickets (T1558.001)


Enterprise | DET0144 | Detection Strategy | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0144 is a detection strategy for identifying forged Kerberos Golden Tickets associated with ATT&CK technique T1558.001. The business significance is identity trust: if an adversary has the KRBTGT password hash, they may be able to create Kerberos ticket-granting tickets and obtain access to resources as arbitrary Active Directory accounts. For leaders, this is less about a single alert and more about whether the organization can prove it would notice abuse of core Windows authentication trust.

Executive priority

Prioritize this as an identity resilience and incident-response readiness issue for Windows Active Directory environments. Executives should ask whether the SOC can validate suspicious Kerberos ticket activity, whether incident responders have procedures for suspected KRBTGT compromise, and whether audit evidence exists showing that privileged identity monitoring and authentication logging are actually retained and reviewed. Because the supplied ATT&CK detection strategy has no official detection text, local validation is required before claiming coverage.

Technical view

The object detects T1558.001 Golden Ticket, a credential-access technique involving forged Kerberos TGTs created with the KRBTGT account password hash. SOC and detection teams should validate visibility across Kerberos authentication flows in Windows Active Directory, especially activity involving TGT and TGS usage and authentication material that appears inconsistent with expected account, domain, or resource access patterns. IR teams should treat suspected Golden Ticket activity as a potential compromise of Kerberos trust material and confirm whether response plans include KRBTGT-focused containment and recovery decisions.

Likely telemetry

  • Kerberos ticket-granting ticket and ticket-granting service request records from Windows Active Directory domain infrastructure
  • Domain controller authentication and authorization logs relevant to Kerberos activity
  • Account identity context such as user, service, and privileged account information
  • Active Directory administrative change evidence related to sensitive authentication infrastructure, including KRBTGT-related activity where collected
  • Resource access logs that can correlate Kerberos-authenticated access to specific systems or services

Detection direction

  • Do not assume DET0144 provides out-of-the-box logic; the supplied ATT&CK object contains no official detection details.
  • Validate that Kerberos authentication telemetry is collected from the systems that make authorization decisions, not only from endpoints that consume access.
  • Correlate ticket activity with account context and resource access to reduce noise from normal Kerberos operations.
  • Tune with awareness that legitimate administrative activity and normal service access may generate high-volume Kerberos events.
  • Use the relationship to T1558.001 to focus detection engineering on forged TGT/TGS behavior and potential KRBTGT trust compromise, while avoiding unsupported assumptions about specific tools or actors.
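As an added illustration of the correlation the bullets above describe (this is not MITRE's or Glexia's detection logic, and the DET0144 object prescribes nothing of the kind), the snippet below merges constructed TGT-issuance and service-ticket records from several domain controllers and surfaces accounts that use service tickets without any DC having recently issued them a TGT. The record layout, field names, and the 10-hour window are assumptions; the window should be set from the domain's actual TGT lifetime policy.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Field names are assumed; a
# real pipeline would map them from each DC's own Kerberos audit records.
# kind "TGT": a ticket-granting ticket issued by a DC; "TGS": a service ticket
# requested by presenting a TGT. Records from every DC must be merged first,
# or TGTs issued by one DC and used at another will be missed.
SAMPLE_RECORDS = [
    {"ts": "2024-05-01T08:00:00", "kind": "TGT", "account": "alice", "domain": "CORP", "dc": "DC01", "service": "krbtgt/CORP"},
    {"ts": "2024-05-01T08:05:00", "kind": "TGS", "account": "alice", "domain": "CORP", "dc": "DC01", "service": "cifs/fs01"},
    {"ts": "2024-05-01T09:00:00", "kind": "TGS", "account": "svc_backup", "domain": "CORP", "dc": "DC02", "service": "cifs/dc02"},
    {"ts": "2024-05-01T09:01:00", "kind": "TGS", "account": "svc_backup", "domain": "CORP", "dc": "DC02", "service": "ldap/dc02"},
    {"ts": "2024-04-30T07:00:00", "kind": "TGT", "account": "bob", "domain": "CORP", "dc": "DC01", "service": "krbtgt/CORP"},
    {"ts": "2024-05-01T10:00:00", "kind": "TGS", "account": "bob", "domain": "CORP", "dc": "DC01", "service": "host/ws42"},
]


def find_unbacked_tgs(records, max_tgt_age=timedelta(hours=10)):
    """Return TGS records whose account has no TGT issued by any DC within
    max_tgt_age beforehand. The default window is an assumption standing in
    for the domain's configured maximum TGT lifetime."""
    recs = sorted(records, key=lambda r: r["ts"])  # ISO-8601 sorts lexically
    last_tgt = {}  # (domain, account) -> time of most recent TGT issuance
    findings = []
    for r in recs:
        key = (r["domain"].upper(), r["account"].lower())
        ts = datetime.fromisoformat(r["ts"])
        if r["kind"] == "TGT":
            last_tgt[key] = ts
        elif r["kind"] == "TGS":
            issued = last_tgt.get(key)
            if issued is None or ts - issued > max_tgt_age:
                findings.append({
                    "account": key[1], "domain": key[0], "dc": r["dc"],
                    "service": r["service"], "ts": r["ts"],
                    "reason": "no TGT seen" if issued is None else "TGT older than window",
                })
    return findings


def summarize(findings):
    """Collapse per-record hits into one item per account listing the services
    touched, so an analyst triages identities rather than individual events."""
    by_account = defaultdict(set)
    for f in findings:
        by_account[(f["domain"], f["account"])].add(f["service"])
    return {d + "\\" + a: sorted(s) for (d, a), s in sorted(by_account.items())}


if __name__ == "__main__":
    for acct, services in summarize(find_unbacked_tgs(SAMPLE_RECORDS)).items():
        print(f"{acct}: service tickets used without a matching TGT: {services}")
```

Log gaps, TGT renewals, and DCs whose records are not collected all produce hits of this kind, which is why the bullet about collecting from every system that makes authorization decisions matters before any such rule is trusted.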

Mitigation priorities

  • Confirm that Windows Active Directory Kerberos logging and retention are sufficient for investigation and compliance evidence.
  • Review privileged identity and KRBTGT-related operational procedures, including who can access or change sensitive authentication material.
  • Ensure incident response playbooks define escalation paths for suspected Golden Ticket activity because it may affect trust in Active Directory authentication.
  • Prioritize identity hardening and administrative access controls around domain-level credential material before relying solely on alerting.
  • Test detection assumptions in a controlled defensive validation exercise before reporting DET0144 coverage to leadership or auditors.

Analyst notes and limits

This take is based on the supplied ATT&CK detection strategy DET0144 and its relationship to T1558.001 Golden Ticket. The related technique specifies Windows, Active Directory, Kerberos TGT/TGS behavior, and KRBTGT password hash relevance; the detection strategy itself does not specify platforms, tactics, description, or detection logic.

ATT&CK supplied no official description or detection content for DET0144, so this summary cannot prescribe specific analytics, event IDs, thresholds, tooling, or guaranteed coverage. Local architecture, logging configuration, retention, and Active Directory operational practices determine whether this detection strategy is actionable.

Official MITRE ATT&CK definition

Detect Forged Kerberos Golden Tickets (T1558.001)

No official description is available in the imported ATT&CK source object.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name           Type           Relationship / procedure
Enterprise  T1558.001  Golden Ticket  Sub-technique  This object detects Golden Ticket.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 87d1b8adaa0f5e6e...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  87d1b8adaa0f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack: DET0144
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.