TestimoX

API Reference

Class

GoldenTicketDetector

Namespace ADPlayground
Assembly ADPlayground

Parses Kerberos security logs looking for indicators of Golden Ticket attacks.

Inheritance

  • Object
  • GoldenTicketDetector

Remarks

See usage examples in the unit tests for typical scenarios.

Constructors

public GoldenTicketDetector(Func<String, IEnumerable<KerberosTicketEvent>> getEvents = null)

Initializes a new instance of the GoldenTicketDetector class.

Parameters

getEvents System.Func{System.String,System.Collections.Generic.IEnumerable{ADPlayground.KerberosTicketEvent}} = null optional, position: 0
Delegate retrieving Kerberos events.

Methods

public Void Audit(String computerName = null, Nullable<TimeSpan> lifetimeThreshold = null)
Returns: Void

Logs warnings for suspicious Kerberos activity on the specified computer.

Parameters

computerName System.String = null optional, position: 0
Target computer or null for local.
lifetimeThreshold System.Nullable{System.TimeSpan} = null optional, position: 1
Threshold for ticket lifetime.

public IEnumerable<KerberosTicketEvent> GetSuspiciousEvents(String computerName = null, Nullable<TimeSpan> lifetimeThreshold = null)
Returns: IEnumerable<KerberosTicketEvent>

Enumerates suspicious Kerberos events from the specified computer.

Parameters

computerName System.String = null optional, position: 0
Target computer or null for local.
lifetimeThreshold System.Nullable{System.TimeSpan} = null optional, position: 1
Threshold for ticket lifetime.

Returns

Collection of suspicious events.