In unique situations it is possible for an attacker who has already compromised a computer (for example through social engineering) and obtained the domain's krbtgt account key to craft a Kerberos ticket granting ticket (TGT). That forged TGT can then be used to request service tickets in the domain environment, and those service tickets can be presented to services for authorization.
Though very rare, these attacks are possible and are difficult to detect.
To help give a basic indication of whether an odd-looking ticket granting ticket is present on a computer, I've written a PowerShell script. You can download it from the link below.
Kerberos Golden Ticket Check
This PowerShell script queries the Kerberos ticket caches on a computer and looks for Ticket Granting Tickets whose duration (lifetime) differs from the 10 hour default, or from the lifetime specified by the user running the script (since the value can be changed per domain).
This script is not a security method in itself. Neither is it an antimalware tool. It is simply a script that may be helpful in quickly examining a specific computer's Kerberos ticket caches for anomalous tickets.
Essentially, the script compares the duration (lifetime) of each TGT against the TGT lifetime the domain's KDCs are configured to issue. That lifetime can only be changed through Kerberos policy applied to the domain controllers, and it is always a per-domain setting, so every TGT legitimately issued by the domain carries the domain's configured lifetime.
The script takes one parameter, the expected Ticket Granting Ticket lifetime in hours. If it is not specified, the default is 10 (the same as the domain default in Active Directory). This setting is documented on TechNet; here is the full description of the setting:
Maximum lifetime for user ticket
This security setting determines the maximum amount of time (in hours) that a user's ticket-granting ticket (TGT) may be used. When a user's TGT expires, a new one must be requested or the existing one must be "renewed."
Default: 10 hours.
The script alerts if any anomalous TGTs are found and then displays pertinent details about each such TGT at the PowerShell prompt.
If none are found, the script prints a message to that effect, essentially an "all clear".
Here's a sample result where I passed in a ticket granting ticket expiry of less than 10 hours.
We have a potential Golden Ticket TGT here folks.
TGT Session (LogonID) : 0x11666857
Service Name : krbtgt
ClientName (user) : Joeuser
SessionKey : KeyType 0x12 - AES-256-CTS-HMAC-SHA1-96
StartTime : 1/29/2015 16:25:15 (local)
EndTime : 1/30/2015 2:25:15 (local)
RenewUntil : 2/5/2015 16:25:15 (local)
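As an added example (this is not the author's downloadable script, whose internals are not shown on this page), the same lifetime comparison can be approximated by parsing the output of klist. The function names, the CORP.EXAMPLE realm and the sample klist lines are constructed for illustration, and the date parsing assumes the en-US format klist prints ("1/29/2015 16:25:15 (local)"). Unlike the author's script, which walks every logon session, this only sees the session klist is pointed at (the current one, or the one given with klist -li). One caveat applies to any check of this kind: whoever forges a TGT also chooses its lifetime, so a ticket whose lifetime matches the domain value is not thereby proven legitimate; the check catches the careless case, not the careful one.

```powershell
<#
  Added example (not the author's script): flag TGTs in klist output whose
  lifetime differs from the domain's "Maximum lifetime for user ticket".
  Assumes klist prints en-US dates like "1/29/2015 16:25:15 (local)".
#>
param(
    [int]$ExpectedTgtLifetimeHours = 10,   # domain Kerberos policy value (default 10)
    [string[]]$KlistOutput                 # saved or live klist output; constructed sample if omitted
)

function ConvertTo-KlistTime {
    # klist prints local time; parse it with invariant culture so "2:25:15" and "16:25:15" both work.
    param([string]$Text)
    $inv = [System.Globalization.CultureInfo]::InvariantCulture
    $formats = [string[]]@('M/d/yyyy H:mm:ss', 'M/d/yyyy h:mm:ss tt')
    [datetime]::ParseExact($Text.Trim(), $formats, $inv, [System.Globalization.DateTimeStyles]::None)
}

function ConvertFrom-KlistOutput {
    # Turns the "#n> Client: ..." blocks of klist output into one object per cached ticket.
    param([string[]]$Lines)
    $tickets = @()
    $t = $null
    foreach ($line in $Lines) {
        if ($line -match '^#\d+>\s+Client:\s*(.+?)\s*@\s*(\S+)') {
            if ($t) { $tickets += $t }
            $t = [pscustomobject]@{
                Client = $Matches[1]; Realm = $Matches[2]; Server = $null
                StartTime = $null; EndTime = $null; RenewTime = $null; SessionKeyType = $null
            }
        }
        elseif ($t -and $line -match '^\s*Server:\s*(\S+)')           { $t.Server = $Matches[1] }
        elseif ($t -and $line -match '^\s*Start Time:\s*(.+?)\s*\(')  { $t.StartTime = ConvertTo-KlistTime $Matches[1] }
        elseif ($t -and $line -match '^\s*End Time:\s*(.+?)\s*\(')    { $t.EndTime = ConvertTo-KlistTime $Matches[1] }
        elseif ($t -and $line -match '^\s*Renew Time:\s*(.+?)\s*\(')  { $t.RenewTime = ConvertTo-KlistTime $Matches[1] }
        elseif ($t -and $line -match '^\s*Session Key Type:\s*(.+)$') { $t.SessionKeyType = $Matches[1].Trim() }
    }
    if ($t) { $tickets += $t }
    return ,$tickets
}

function Find-AnomalousTgt {
    # Only krbtgt/<realm> tickets are TGTs; service tickets are skipped.
    param([object[]]$Tickets, [int]$ExpectedHours)
    foreach ($t in $Tickets) {
        if ($t.Server -notlike 'krbtgt/*') { continue }
        $hours = [math]::Round(($t.EndTime - $t.StartTime).TotalHours, 2)
        if ($hours -ne $ExpectedHours) {
            [pscustomobject]@{
                Client = "$($t.Client)@$($t.Realm)"; Server = $t.Server
                LifetimeHours = $hours; ExpectedHours = $ExpectedHours
                StartTime = $t.StartTime; EndTime = $t.EndTime; RenewUntil = $t.RenewTime
                SessionKeyType = $t.SessionKeyType
            }
        }
    }
}

# Constructed sample klist output (not captured from a real system): a normal 10-hour
# TGT, a service ticket, and a krbtgt ticket with a roughly 10-year lifetime.
$sampleKlist = @'
Current LogonId is 0:0x11666857

Cached Tickets: (3)

#0>     Client: Joeuser @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 1/29/2015 16:25:15 (local)
        End Time:   1/30/2015 2:25:15 (local)
        Renew Time: 2/5/2015 16:25:15 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#1>     Client: Joeuser @ CORP.EXAMPLE
        Server: cifs/fs01.corp.example @ CORP.EXAMPLE
        Start Time: 1/29/2015 16:26:02 (local)
        End Time:   1/30/2015 2:25:15 (local)
        Renew Time: 2/5/2015 16:25:15 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

#2>     Client: Administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        Start Time: 1/29/2015 16:30:00 (local)
        End Time:   1/27/2025 16:30:00 (local)
        Renew Time: 1/27/2025 16:30:00 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96
'@ -split "`r?`n"

$lines     = if ($KlistOutput) { $KlistOutput } else { $sampleKlist }
$tickets   = ConvertFrom-KlistOutput -Lines $lines
$anomalies = @(Find-AnomalousTgt -Tickets $tickets -ExpectedHours $ExpectedTgtLifetimeHours)

if ($anomalies.Count -eq 0) {
    Write-Host "All clear: every TGT in the cache has a $ExpectedTgtLifetimeHours hour lifetime."
} else {
    Write-Warning "We have $($anomalies.Count) potential Golden Ticket TGT(s) here:"
    $anomalies | Format-List
}
```

Run as written it checks the constructed sample and reports ticket #2 (lifetime far above 10 hours) while leaving the 10-hour TGT and the service ticket alone. Against a live session, pass the real output instead: `.\Check-TgtLifetime.ps1 -KlistOutput (& klist.exe)`, or `(& klist.exe -li <LogonId>)` for another logon session, with `-ExpectedTgtLifetimeHours` set to whatever the domain's Kerberos policy actually specifies.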
Though not a complete or comprehensive solution by any means, I hope this script helps folks out when looking for suspicious TGTs.