
detecting-pass-the-ticket-attacks

by mukul975

detecting-pass-the-ticket-attacks helps detect Kerberos Pass-the-Ticket activity by correlating Windows Security Event IDs 4768, 4769, and 4771. Use it for threat hunting in Splunk or Elastic to spot ticket reuse, RC4 downgrades, and unusual TGS volume with practical queries and field guidance.

Added: May 11, 2026
Category: Threat Hunting
Install Command
npx skills add mukul975/Anthropic-Cybersecurity-Skills --skill detecting-pass-the-ticket-attacks
Curation Score

This skill scores 78/100, which means it is a solid listing candidate for directory users who want a focused Pass-the-Ticket detection workflow rather than a generic cybersecurity prompt. The repository gives enough concrete detection content—event IDs, example queries, and an execution script—to support install decisions, though users should still expect to adapt it to their own SIEM and log schema.

Strengths
  • Specific trigger and scope: the SKILL.md clearly targets Kerberos Pass-the-Ticket detection using Windows Event IDs 4768, 4769, and 4771 in Splunk and Elastic SIEM.
  • Operational leverage: references include concrete SPL and KQL examples for RC4 downgrade, cross-host ticket reuse, and TGS volume anomalies.
  • Agent execution support: scripts/agent.py parses exported Windows Security event XML and focuses only on the relevant Kerberos events.
Cautions
  • Install readiness is somewhat limited by missing install command and the truncated documentation, so users may need to infer the full workflow from the repository.
  • The detection logic appears environment-dependent and assumes exported Windows event XML plus SIEM-specific field names, which may require adaptation before use.
Overview

Overview of detecting-pass-the-ticket-attacks skill

What this detecting-pass-the-ticket-attacks skill does

The detecting-pass-the-ticket-attacks skill helps you detect Kerberos Pass-the-Ticket (PtT) activity by correlating Windows Security events 4768, 4769, and 4771. It is most useful when you need practical threat-hunting logic, not a generic explanation of Kerberos.

Who should install it

This skill fits SOC analysts, detection engineers, and incident responders working in Windows domains with Splunk or Elastic. It is especially relevant for threat hunting when you want repeatable queries for ticket reuse, RC4 downgrades, and unusual service-ticket behavior.

Why it is different

The skill is anchored to concrete event fields and detection patterns rather than abstract ATT&CK theory. The real value is in turning noisy domain-controller logs into actionable signals you can operationalize in SIEM workflows.

How to Use detecting-pass-the-ticket-attacks skill

Install and inspect the right files first

Use the detecting-pass-the-ticket-attacks install workflow for your platform, then read SKILL.md first, followed by references/api-reference.md and scripts/agent.py. Those two support files show the event fields, query shapes, and parsing logic that actually drive the skill.

Build a complete input prompt

For best detecting-pass-the-ticket-attacks usage, give the skill four things: your SIEM, your log source, your goal, and your constraints. A strong prompt looks like: “Use detecting-pass-the-ticket-attacks to hunt for PtT in Splunk Security logs from domain controllers, focusing on 4769 RC4 downgrades and cross-host ticket reuse, and return a triage-ready query with false-positive notes.”

Start from the detection pattern, not the dashboard

This skill works best when you begin with one of the supported hypotheses: RC4 encryption downgrade, repeated TGS requests from multiple IPs, or abnormal 4769 volume per user. Then adapt the output to your index names, field mappings, and alert thresholds instead of copying the repository examples verbatim.
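As an added illustration of the three hypotheses above (not code from the skill's own scripts/agent.py), the following Python parses a constructed export of Windows Security event XML, keeps only 4769 events, and flags RC4 ticket encryption, one account requesting service tickets from more than one source IP, and per-user TGS volume over a threshold. The XML root wrapper, the sample values, and the threshold are assumptions for the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# TicketEncryptionType 0x17/0x18 are RC4-HMAC variants; AES domains expect 0x11/0x12.
RC4_TYPES = {"0x17", "0x18"}

# Constructed sample: three 4769 events for alice (one RC4, two source IPs),
# one 4769 for bob, and one 4768 that the parser must skip.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID></System>
<EventData><Data Name="TargetUserName">alice@CORP.LOCAL</Data><Data Name="ServiceName">CIFS/FS01</Data>
<Data Name="IpAddress">::ffff:10.0.0.5</Data><Data Name="TicketEncryptionType">0x17</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID></System>
<EventData><Data Name="TargetUserName">alice@CORP.LOCAL</Data><Data Name="ServiceName">HOST/WS02</Data>
<Data Name="IpAddress">::ffff:10.0.0.9</Data><Data Name="TicketEncryptionType">0x12</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID></System>
<EventData><Data Name="TargetUserName">alice@CORP.LOCAL</Data><Data Name="ServiceName">LDAP/DC01</Data>
<Data Name="IpAddress">::ffff:10.0.0.9</Data><Data Name="TicketEncryptionType">0x12</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4769</EventID></System>
<EventData><Data Name="TargetUserName">bob@CORP.LOCAL</Data><Data Name="ServiceName">CIFS/FS01</Data>
<Data Name="IpAddress">::ffff:10.0.0.20</Data><Data Name="TicketEncryptionType">0x12</Data></EventData></Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4768</EventID></System>
<EventData><Data Name="TargetUserName">bob</Data><Data Name="IpAddress">::ffff:10.0.0.20</Data></EventData></Event>
</Events>"""

def parse_events(xml_text):
    """Yield the EventData fields of every 4769 event, normalizing the IPv4-mapped IpAddress."""
    root = ET.fromstring(xml_text)
    for ev in root.findall("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4769":
            continue
        fields = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        fields["IpAddress"] = fields.get("IpAddress", "").replace("::ffff:", "")
        yield fields

def hunt(events, volume_threshold=3):
    """Return {hypothesis: [(user, detail), ...]} for RC4 downgrade, cross-host reuse, TGS volume.
    A production query would also bound cross-host reuse to a time window."""
    findings, ips_by_user, count_by_user = defaultdict(list), defaultdict(set), defaultdict(int)
    for f in events:
        user = f.get("TargetUserName", "")
        count_by_user[user] += 1
        ips_by_user[user].add(f["IpAddress"])
        if f.get("TicketEncryptionType", "").lower() in RC4_TYPES:
            findings["rc4_downgrade"].append((user, f.get("ServiceName", "")))
    for user, ips in ips_by_user.items():
        if len(ips) > 1:
            findings["cross_host_reuse"].append((user, sorted(ips)))
    for user, n in count_by_user.items():
        if n >= volume_threshold:
            findings["tgs_volume"].append((user, n))
    return dict(findings)
```

Running `hunt(parse_events(SAMPLE_XML))` surfaces alice under all three hypotheses and leaves bob out; tune `volume_threshold` and the reuse logic to your own baseline before deploying.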

Use the repository as a workflow guide

If you want the shortest path through the repo, follow this order: SKILL.md for scope, references/api-reference.md for field names and sample Splunk/KQL patterns, and scripts/agent.py for how the event logic is normalized. That sequence gives you the fastest route from rough idea to usable hunting logic.

detecting-pass-the-ticket-attacks skill FAQ

Is this only for Splunk or Elastic?

No. Splunk and Elastic are the primary examples, but the underlying detection logic is Windows Security event driven. If your SIEM can query 4768, 4769, and 4771 fields, you can adapt the detecting-pass-the-ticket-attacks skill to it.

Do I need deep Kerberos knowledge first?

No, but you do need basic familiarity with domain controller authentication logs. The skill is beginner-friendly for guided hunting, yet the results are much better if you already know where to find TargetUserName, IpAddress, ServiceName, and TicketEncryptionType.

When should I not use this skill?

Do not use it if you only need broad credential-theft coverage or if you lack domain controller auditing. detecting-pass-the-ticket-attacks is narrow by design: it is for PtT-oriented investigation and detection engineering, not general Windows security monitoring.

How is this different from a normal prompt?

A normal prompt often gives you a one-off query. The detecting-pass-the-ticket-attacks skill gives you a reusable structure: what evidence matters, which event IDs to correlate, and how to turn a hunt idea into a detection workflow.

How to Improve detecting-pass-the-ticket-attacks skill

Provide stronger environment details

The biggest quality gain comes from specifying your environment up front: Windows version, DC log source, SIEM, and known field names. If your data uses different aliases, say so before asking for output so the skill can map IpAddress or TicketEncryptionType correctly.

Ask for one hypothesis at a time

Better detecting-pass-the-ticket-attacks usage comes from focused requests. Separate “RC4 downgrade detection,” “cross-host reuse,” and “TGS volume anomaly” into individual runs so the output can include tighter thresholds, clearer triage guidance, and fewer mixed assumptions.

Give examples of expected and bad behavior

If you can, include one known-good event pattern and one suspicious pattern from your logs. That helps the skill tune detection logic and reduces false positives, especially when legitimate service accounts or legacy systems resemble PtT indicators.

Iterate on thresholds and triage output

After the first result, refine for your noise level: ask for lower or higher thresholds, a version with analyst-friendly explanations, or a version that distinguishes detection from investigation. The best detecting-pass-the-ticket-attacks guide is one that ends with queries you can actually deploy and tune.
