drop event log + sysmon + zeek kerberos · detect all four ticket abuse classes
golden (krbtgt TGT / 10h lifetime) · silver (forged service ticket) · diamond (KeyCredentialLink) · sapphire (delegation/S4U2Self)
heuristic screener · multi-source correlation only · extends kerberos-traffic-analyzer patterns · not definitive proof