Abstract

In Advanced Persistent Threat (APT) attacks, attackers tend to target Active Directory to expand the infection. They try to take over Domain Administrator privilege and create a backdoor called a "Golden Ticket", which lets them disguise themselves as arbitrary legitimate accounts, in order to keep administrator privilege over the long term. Detecting attacks that use this method is quite difficult, however, because attackers often leverage legitimate accounts and commands, which are not identified as anomalies.

We will introduce a real-time detection method for attack activities that leverage Domain Administrator privilege, including Golden Tickets, by using Domain Controller Event logs. If attack activities with Domain Administrator privilege can be detected immediately, the damage can be minimized.

Our proposed method consists of the following steps, which reduce the false detection rate and help immediate response.

Step 1 (Signature-based detection): First, analyze Event logs, focusing on the characteristics of the attack activities.

Step 2 (Machine learning): Analyze the logs with anomaly detection based on unsupervised machine learning, and detect the suspicious commands that attackers tend to use as outliers.

Step 3 (Real-time alert): If attack activities are detected, raise a real-time alert using Elastic Stack.

We have developed a tool for this detection and published it on GitHub. We also show the specific algorithm of the proposed method and how to implement it. The method can be implemented easily and helps immediate response to attacks.
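The three steps above, as an added example that is not the authors' published tool: a small two-stage detector over constructed, simplified Domain Controller event records. It assumes the usual Windows security event IDs (4768 = Kerberos TGT requested, 4769 = service ticket requested, 4688 = process created), a signature heuristic the abstract does not spell out (a service-ticket request from an account and host that never requested a TGT from this controller, which is what a forged TGT lets an attacker skip), and a frequency-based outlier score standing in for the unsupervised model. The output is a list of alert documents; shipping them to Elastic Stack is left to the reader's pipeline.

```python
"""Two-stage detector over constructed DC event records (added example).

Event IDs, the golden-ticket heuristic and the outlier score are assumptions
made for this illustration; the records are not real Windows event logs.
"""
import json
from collections import Counter
from math import log, sqrt

# Constructed Kerberos events (simplified dicts, not real event XML).
KERBEROS_EVENTS = [
    {"ts": 1, "id": 4768, "user": "alice", "src": "10.0.0.5"},
    {"ts": 2, "id": 4769, "user": "alice", "src": "10.0.0.5", "service": "cifs/fs01"},
    {"ts": 3, "id": 4768, "user": "bob", "src": "10.0.0.6"},
    {"ts": 4, "id": 4769, "user": "bob", "src": "10.0.0.6", "service": "ldap/dc01"},
    # Service ticket for Administrator from a host that never asked this DC for a TGT.
    {"ts": 5, "id": 4769, "user": "Administrator", "src": "10.0.0.99", "service": "cifs/dc01"},
]


def _process_events(start_ts, spec):
    """Build constructed 4688 (process created) records from (user, src, cmd, count)."""
    out, ts = [], start_ts
    for user, src, cmd, count in spec:
        for _ in range(count):
            out.append({"ts": ts, "id": 4688, "user": user, "src": src, "cmd": cmd})
            ts += 1
    return out


PROCESS_EVENTS = _process_events(100, [
    ("alice", "10.0.0.5", "outlook.exe", 5),
    ("bob", "10.0.0.6", "outlook.exe", 5),
    ("alice", "10.0.0.5", "winword.exe", 5),
    ("bob", "10.0.0.6", "excel.exe", 5),
    ("Administrator", "10.0.0.99", "ntdsutil.exe", 1),  # rare admin tool, once
])
SAMPLE_EVENTS = KERBEROS_EVENTS + PROCESS_EVENTS


def signature_alerts(events, window=3600):
    """Step 1: flag 4769 service-ticket requests whose (user, src) pair has no
    4768 TGT request within `window` seconds before them on this controller."""
    last_tgt, alerts = {}, []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["user"], e["src"])
        if e["id"] == 4768:
            last_tgt[key] = e["ts"]
        elif e["id"] == 4769:
            seen = last_tgt.get(key)
            if seen is None or e["ts"] - seen > window:
                alerts.append({"rule": "tgs_without_tgt", **e})
    return alerts


def command_outliers(events, k=2.0):
    """Step 2: unsupervised outlier detection on process-creation commands.
    Each command gets a surprisal score -log(p(cmd)); commands scoring more
    than k standard deviations above the per-event mean are outliers."""
    cmds = [e["cmd"] for e in events if e["id"] == 4688]
    if not cmds:
        return []
    total = len(cmds)
    scores = {c: -log(n / total) for c, n in Counter(cmds).items()}
    per_event = [scores[c] for c in cmds]  # common commands dominate the baseline
    mean = sum(per_event) / total
    std = sqrt(sum((s - mean) ** 2 for s in per_event) / total)
    threshold = mean + k * std
    return sorted(c for c, s in scores.items() if s > threshold)


def detect(events, window=3600, k=2.0):
    """Run both stages and return alert documents (JSON-serialisable dicts)
    ready to be indexed by whatever alerting backend the pipeline uses."""
    alerts = [{"stage": "signature", **a} for a in signature_alerts(events, window)]
    rare = set(command_outliers(events, k))
    for e in events:
        if e["id"] == 4688 and e["cmd"] in rare:
            alerts.append({"stage": "anomaly", "rule": "rare_command", **e})
    return alerts


if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

Two caveats matter in practice. A real TGT is valid for hours and may have been issued by another domain controller, so the signature stage keyed on a single controller's 4768 events will fire on legitimate users; the lookback window and, where possible, correlation across all controllers' logs keep that rate down. The surprisal score is the simplest possible stand-in for an unsupervised model and only says a command is rare in this log, which is why the two stages are combined rather than trusted alone.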