Detection of Kerberos Golden Ticket Attacks via Velociraptor
ID: 32889669-03c9-5249-b25c-0d77093cab5c
STIX ID: report--32889669-03c9-5249-b25c-0d77093cab5c
Feed Name: Detect FYI
This report explains the Golden Ticket attack against Active Directory Kerberos authentication: how attackers obtain the krbtgt NTLM hash (e.g., via DCSync), craft forged TGTs using mimikatz with long lifetimes and arbitrary group memberships, and use those tickets to impersonate accounts and access resources across a domain. It also provides detection opportunities, such as checking for unusually long ticket lifetimes and empty "Kdc Called" fields and correlating TGS events with successful logons.
