Golden Mistake

Golden Ticket attacks allow an adversary who has compromised the KRBTGT key to mint arbitrary Kerberos TGTs, complete with forged PAC data, that are cryptographically valid and therefore trusted by domain controllers and services. Most existing detections hunt the tickets themselves or their logs (unusual lifetimes, legacy ciphers, noisy DC behavior). In this talk, I flip the perspective and hunt the artifacts that forged tickets produce: logon sessions and access tokens on Windows systems.

I will show how to treat the security token as a concrete, observable "shadow" of the PAC and use it to expose Golden Ticket misuse. The core idea is simple: enumerate active sessions, extract their tokens, and compare the user SID and group SIDs in each token against the "ground truth" in Active Directory. In a large, messy enterprise with multiple domains and nested groups, forged PACs almost always make logical mistakes: impossible usernames for a given SID, disabled or non-existent accounts with active sessions, user SIDs appearing in the group list, or tokens whose group topology is far too simple for a real high-privilege account.

I will present FindGT, a tool that automates this token-level anomaly detection using documented Windows APIs and 'real-world lab' results showing how it reliably flags Golden Ticket abuse without relying on brittle log heuristics. Attendees will walk away with both the mental model and practical code to apply this technique in their own environments.
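The abstract lists four logical mistakes a forged PAC tends to make. The following is an added example, not FindGT's code, that implements those checks as plain comparisons between token contents and a directory snapshot. Everything in it is constructed: `TOKENS` stands in for what one would read from live logon sessions with the documented Windows APIs (`LsaEnumerateLogonSessions`, `OpenProcessToken`, `GetTokenInformation`), while `AD_ACCOUNTS` and `AD_MEMBERSHIP` stand in for a directory export; the domain SID, RIDs, names and the `MIN_GROUPS_HIGH_PRIV` threshold are made-up values for the example.

```python
"""Token-versus-directory consistency checks of the kind the abstract describes.

Added example, not FindGT's code. All inputs are constructed in-line so the
script runs offline; in practice TOKENS comes from live sessions and the
AD_* tables from a directory export.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed domain SID

# Well-known SIDs that LSA adds to nearly every token; they carry no signal here.
WELL_KNOWN = {"S-1-1-0", "S-1-5-11", "S-1-5-15", "S-1-5-32-545"}
# Domain Admins (512), Enterprise Admins (519), BUILTIN\Administrators.
HIGH_PRIV = {f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-519", "S-1-5-32-544"}
# Assumed floor: a real admin in this constructed enterprise is transitively
# in at least this many non-well-known groups. Tune per environment.
MIN_GROUPS_HIGH_PRIV = 4


@dataclass
class Token:
    session_id: int
    user_sid: str
    user_name: str
    group_sids: List[str]  # as returned for TokenGroups


# Constructed directory ground truth: account SID -> record.
AD_ACCOUNTS: Dict[str, dict] = {
    f"{DOMAIN_SID}-500":  {"name": "Administrator", "enabled": True},
    f"{DOMAIN_SID}-1104": {"name": "alice",         "enabled": True},
    f"{DOMAIN_SID}-1105": {"name": "bob",           "enabled": False},
}
# Constructed transitive memberships: what a PAC built by a real KDC would carry.
AD_MEMBERSHIP: Dict[str, Set[str]] = {
    f"{DOMAIN_SID}-500":  {f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-519",
                           f"{DOMAIN_SID}-518", f"{DOMAIN_SID}-2001", "S-1-5-32-544"},
    f"{DOMAIN_SID}-1104": {f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-2001"},
    f"{DOMAIN_SID}-1105": {f"{DOMAIN_SID}-513"},
}


def check_token(tok: Token) -> List[str]:
    """Return anomaly labels for one token; an empty list means it agrees with AD."""
    findings: List[str] = []
    account = AD_ACCOUNTS.get(tok.user_sid)
    if account is None:
        findings.append("user SID not in directory")
    else:
        if account["name"].lower() != tok.user_name.lower():
            findings.append("username does not match SID")
        if not account["enabled"]:
            findings.append("disabled account has active session")

    domain_groups = {g for g in tok.group_sids if g not in WELL_KNOWN}

    # A user SID can never legitimately sit in the group list.
    user_like = {g for g in domain_groups if g == tok.user_sid or g in AD_ACCOUNTS}
    for g in sorted(user_like):
        findings.append(f"user SID {g} listed as a group")

    # Groups the directory never granted to this account.
    if account is not None:
        extra = domain_groups - AD_MEMBERSHIP.get(tok.user_sid, set()) - user_like
        if extra:
            findings.append("groups not granted by directory: " + ", ".join(sorted(extra)))

    # A high-privilege token with a flat, minimal group list is the hand-built PAC tell.
    if domain_groups & HIGH_PRIV and len(domain_groups) < MIN_GROUPS_HIGH_PRIV:
        findings.append("high-privilege token with implausibly flat group list")
    return findings


def scan(tokens: List[Token]) -> Dict[int, List[str]]:
    """Map session id -> findings for every session that has at least one."""
    return {t.session_id: f for t in tokens if (f := check_token(t))}


# Constructed sample sessions: one legitimate, three with forged-PAC mistakes.
TOKENS = [
    Token(1, f"{DOMAIN_SID}-1104", "alice",
          ["S-1-1-0", "S-1-5-11", f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-2001"]),
    Token(2, f"{DOMAIN_SID}-500", "hacker",
          [f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-513", "S-1-5-32-544"]),
    Token(3, f"{DOMAIN_SID}-1105", "bob",
          [f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-1105", f"{DOMAIN_SID}-512"]),
    Token(4, f"{DOMAIN_SID}-9999", "ghost",
          [f"{DOMAIN_SID}-512", f"{DOMAIN_SID}-513", f"{DOMAIN_SID}-519",
           f"{DOMAIN_SID}-518", f"{DOMAIN_SID}-2001"]),
]

if __name__ == "__main__":
    for sid, found in scan(TOKENS).items():
        print(f"session {sid}:")
        for f in found:
            print(f"  - {f}")
```

Session 1 produces no findings; sessions 2 through 4 each trip at least one of the four checks. The flat-topology floor is the only heuristic here, and it is the one check whose threshold has to be derived from the real directory rather than guessed.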

Alexander Rodchenko

Senior SOC analyst, Kaspersky

Moscow, Russia
