Golden ticket - False positive?

  • Question

  • Hello,

    We received a Golden Ticket alert based on ticket lifetime.

    This happened to 3 computer accounts and one user account. The owners were not working during this period.

    When reviewing the logs on the domain controllers we do see renewal requests from all these accounts during this time, which made us suspect that this is a false positive.

    More information:

    The gateways are lightweight gateways on virtual machines, and they do not have optimal performance.

    Thanks in advance. 

    Friday, January 19, 2018 6:53 PM

All replies

  • Were the 3 computers in sleep mode for a long time?

    What's the domain lifetime policy?

    What's the renewal policy? Is it longer than the initial lifetime policy?

    How many hours did the SA report for the ticket being used?

    Was there any recent change to lifetime policy in the domain?

    Saturday, January 20, 2018 12:43 AM
  • 1) The 3 computers were not asleep. 

    2) 10 hours.

    3) 2 hours.

    4) 15 hours, but I'm not sure what an SA is.

    5) no changes. 

    Saturday, January 20, 2018 4:57 PM
  • Thanks, we had a known issue that we fixed for 1.9, but I think you are not falling into the same issue...

    If you can export the alert to Excel, and share it with us at atashare at microsoft com, I can have it inspected to better understand what happened.

    When sending the email, please mention a reference to this post.

    Eli.

    Saturday, January 20, 2018 8:10 PM
  • Thanks, I'll be able to send it in a few days. 

    When will version 1.9 be released?

    Saturday, January 20, 2018 8:32 PM
  • No official ETA on 1.9 just yet, sorry :-)

    But I can say I think it's going to be published soon.

    Saturday, January 20, 2018 8:35 PM