Suspected Golden Ticket usage (time anomaly) false positive


We are currently evaluating Windows Hello. Since then we have regularly received the following Defender for Identity warning for our test group only: Suspected Golden Ticket usage (time anomaly).


The alert also says that "Due to insufficient source data, the default maximum user ticket lifetime (2 hours) has been applied." Our ticket lifetime is set to 10 hours.


Can someone help me with this?


2 Replies
That means the sensor was not able to read the Kerberos policy data for this domain.
It could be that some hardening in use blocks the AD account provided from reading the data.

@NinjaKitty this is an interesting one. The MDI sensor gets the Kerberos policy using a setup information file (INF) for the "Default Domain Policy". The sensor reads the content of the file and gets the "maxTicketAge" and "maxRenewAge" properties.


The location of the file is:
\\domain.local\SYSVOL\domain.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf

Since only Windows Hello users have this issue, I can imagine it's due to the partial Kerberos Ticket Granting Ticket (TGT) that is returned by Microsoft Entra ID. The TGT returned by Microsoft Entra ID is 10 hours and maybe the on-prem ticket max age is 8 hours and the sensor sees it as a golden ticket since the lifetime of the partial TGT doesn't match the domain policy. So, maybe the default domain policy is set to 8 hours and you have a separate policy which sets the max age to 8 hours and MDI thinks the lifetime is 8 hours? The "2 hours" message doesn't make sense to me. Only if it means there's a 2 hour difference which matches what I said above.

You can check the "Microsoft.Tri.Sensor.log" and search for "GetKerberosPolicy". It should say the "MaxTicketAge" and "MaxRenewAge" it found for the domain.

Here is an example:

2023-11-22 14:32:05.7856 Debug GroupPolicyHelper GetKerberosPolicy started [domainDnsName=thalpius.local]

2023-11-22 14:32:05.8012 Debug GroupPolicyHelper GetKerberosPolicy finished [domainDnsName=thalpius.local MaxTicketAge=10 MaxRenewAge=7]
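As an added example (not part of either reply, and not MDI's own code), here is a small Python checker that does what the reply above describes by hand: it reads the [Kerberos Policy] section of GptTmpl.inf, parses the GetKerberosPolicy entries from Microsoft.Tri.Sensor.log, reports where the two disagree, and applies the 2-hour fallback named in the alert when the sensor logged no value. The INF content, the domain name, the log lines and the ticket values below are constructed samples; the key names MaxTicketAge and MaxRenewAge are the ones the reply mentions, and the [Kerberos Policy] section name is the one SecEdit uses in that file.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the layout of a Default Domain Policy GptTmpl.inf.
# The real file on SYSVOL is UTF-16 encoded; the values here are made up.
SAMPLE_GPTTMPL_INF = """[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Kerberos Policy]
MaxTicketAge = 10
MaxRenewAge = 7
MaxServiceAge = 600
MaxClockSkew = 5
TicketValidateClient = 1
"""

# Constructed sensor log lines in the shape shown in the thread (domain name made up).
SAMPLE_SENSOR_LOG = [
    "2023-11-22 14:32:05.7856 Debug GroupPolicyHelper GetKerberosPolicy started [domainDnsName=example.local]",
    "2023-11-22 14:32:05.8012 Debug GroupPolicyHelper GetKerberosPolicy finished [domainDnsName=example.local MaxTicketAge=10 MaxRenewAge=7]",
]

KERBEROS_KEYS = ("MaxTicketAge", "MaxRenewAge")
DEFAULT_MAX_TICKET_AGE_HOURS = 2  # the fallback the alert text says is applied


def parse_kerberos_policy(inf_text: str) -> Dict[str, int]:
    """Return MaxTicketAge / MaxRenewAge from the [Kerberos Policy] section.
    Keys are matched case-insensitively and normalised to canonical spelling."""
    canonical = {k.lower(): k for k in KERBEROS_KEYS}
    section = None
    found: Dict[str, int] = {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "kerberos policy" or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key.lower() in canonical and value.isdigit():
            found[canonical[key.lower()]] = int(value)
    return found


def load_gpttmpl(path: str) -> Dict[str, int]:
    """Read GptTmpl.inf from disk (e.g. from the SYSVOL path given in the reply)."""
    with open(path, "rb") as fh:
        data = fh.read()
    # SecEdit writes the file as UTF-16 with a byte-order mark; fall back to UTF-8 otherwise.
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        text = data.decode("utf-16")
    else:
        text = data.decode("utf-8", errors="replace")
    return parse_kerberos_policy(text)


FINISHED_RE = re.compile(r"GetKerberosPolicy finished \[domainDnsName=(?P<domain>\S+)(?P<rest>[^\]]*)\]")


def parse_sensor_policy(log_lines) -> Optional[Dict[str, object]]:
    """Return the values the sensor logged on its most recent 'finished' line, or None
    if the log never reached that point (the sensor could not read the policy)."""
    result = None
    for line in log_lines:
        m = FINISHED_RE.search(line)
        if not m:
            continue
        values: Dict[str, object] = {"domain": m.group("domain")}
        for key, value in re.findall(r"(\w+)=(\d+)", m.group("rest")):
            if key in KERBEROS_KEYS:
                values[key] = int(value)
        result = values
    return result


def check_policy(inf_policy: Dict[str, int], sensor_policy: Optional[Dict[str, object]]) -> List[str]:
    """List discrepancies between what GptTmpl.inf contains and what the sensor logged."""
    findings: List[str] = []
    if sensor_policy is None:
        findings.append("no GetKerberosPolicy finished entry in sensor log: sensor could not read the policy")
        return findings
    for key in KERBEROS_KEYS:
        if key not in inf_policy:
            findings.append(f"{key} missing from [Kerberos Policy] in GptTmpl.inf")
        if key not in sensor_policy:
            findings.append(f"{key} not reported by sensor")
        if key in inf_policy and key in sensor_policy and inf_policy[key] != sensor_policy[key]:
            findings.append(f"{key}: GptTmpl.inf says {inf_policy[key]}, sensor logged {sensor_policy[key]}")
    return findings


def effective_max_ticket_age(sensor_policy: Optional[Dict[str, object]]) -> int:
    """Lifetime the sensor will compare tickets against: its logged value, else the 2-hour default."""
    if sensor_policy and "MaxTicketAge" in sensor_policy:
        return int(sensor_policy["MaxTicketAge"])
    return DEFAULT_MAX_TICKET_AGE_HOURS


def lifetime_anomaly(observed_ticket_hours: int, max_ticket_age_hours: int) -> bool:
    """True when a ticket outlives the maximum the sensor believes the domain allows."""
    return observed_ticket_hours > max_ticket_age_hours


if __name__ == "__main__":
    inf = parse_kerberos_policy(SAMPLE_GPTTMPL_INF)
    sensor = parse_sensor_policy(SAMPLE_SENSOR_LOG)
    print("findings:", check_policy(inf, sensor) or "consistent")
    print("10h ticket flagged:", lifetime_anomaly(10, effective_max_ticket_age(sensor)))
```

Running it with the sensor log shows the 10-hour value in both places and no anomaly; run the same check with an empty log (sensor never finished) and the effective maximum drops to 2 hours, so any 10-hour ticket is flagged, which is the situation the original alert describes.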