Determine whether a golden ticket attack occurred by correlating Kerberos ticket anomalies, domain policy, and auth event patterns, then emit a strict 3-line verdict file. Use when investigating AD compromise artifacts in terminal tasks with format-validated output.
Inspect all evidence sources first.
Read:
domain_config.txt (ticket policy, KRBTGT info, SIDs)kerberos_tickets.json (ticket fields, anomalies, PAC fields)auth_events.csv (EventID patterns and timing)Establish expected baselines from domain policy.
Extract max ticket lifetime, max renewal window, expected encryption types, and KRBTGT account details.
Identify forged-TGT indicators in ticket data.
Flag tickets showing combinations like:
initial flag0.0.0.0 or hostless behaviorCorrelate with auth events to confirm issuance mismatch.
Look for service-ticket activity (e.g., repeated 4769) without corresponding TGT issuance events (e.g., missing 4768) for the same identity/time window.
Decide detection status from combined evidence, not one signal.
Mark detected when multiple independent indicators agree (ticket structure + event mismatch + privileged PAC/hash evidence).
Write verdict in exact required format.
Use deterministic write (e.g., printf) to avoid formatting drift:
DETECTED: yes|noKRBTGT_HASH: <32-lowercase-hex|unknown>FORGED_USER: <lowercase username|none>Perform immediate format sanity checks.
Verify exact line count and rendered content before completion.
Administrator; output must be lowercase when required (administrator).wc -l.Use a two-layer check:
Analytic verification (content correctness):
Output-contract verification (test-aligned):
DETECTED:, KRBTGT_HASH:, FORGED_USER:.(These checks match the observed grader behavior across all three successful runs: format, consistency, lowercase username, and expected detected/user values.)
printf vs heredoc) for exact-line outputs