sigmahighHunting

Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock

Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets. This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.

MITRE ATT&CK

T1558.003

credential-access

Detection Query

selection:
  ScriptBlockText|contains|all:
    - System.IdentityModel.Tokens.KerberosRequestorSecurityToken
    - .GetRequest()
condition: selection

Author

frack113

Created

2021-12-28

Data Sources

windowsps_script

Platforms

windows

References

Tags

attack.credential-accessattack.t1558.003

Raw Content

title: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
id: a861d835-af37-4930-bcd6-5b178bfb54df
related:
    - id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
      type: similar
status: test
description: |
    Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.
    This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
author: frack113
date: 2021-12-28
modified: 2025-11-18
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    product: windows
    category: ps_script
    definition: 'Requirements: Script Block Logging must be enabled'
detection:
    selection:
        ScriptBlockText|contains|all:
            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
            - '.GetRequest()'
    condition: selection
falsepositives:
    - Unknown
level: high