Sigma | high | Hunting

Suspicious Kerberos Ticket Request via CLI

Detects Kerberos service ticket requests issued from a PowerShell command line via the .NET System.IdentityModel.Tokens.KerberosRequestorSecurityToken class (the rule matches powershell.exe and pwsh.exe process creations whose command line instantiates the class and calls .GetRequest()). Threat actors use this class to request tickets for service accounts (SPNs) so that the returned ticket material can be cracked offline, a technique commonly known as Kerberoasting, or to support other Kerberos ticket abuse such as silver ticket attacks.

MITRE ATT&CK

credential-access

Detection Query

selection_img:
  - Image|endswith:
      - \powershell.exe
      - \pwsh.exe
  - OriginalFileName:
      - powershell.exe
      - pwsh.dll
selection_cli:
  CommandLine|contains|all:
    - System.IdentityModel.Tokens.KerberosRequestorSecurityToken
    - .GetRequest()
condition: all of selection_*
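To make the rule's semantics concrete, the following is an added example (written for this page, not code from the Sigma project or the rule author) that re-implements the description and the Detection Query above as a plain Python matcher and runs it over constructed process-creation events. It assumes standard Sigma semantics: string modifiers compare case-insensitively, a list under a field is OR, `|contains|all` is AND, and `all of selection_*` ANDs the two selections. The SPN, paths and command lines in the sample events are constructed, not real telemetry.

```python
import base64

# Sigma rule logic, transcribed from the Detection Query on this page.
IMAGE_SUFFIXES = ("\\powershell.exe", "\\pwsh.exe")          # Image|endswith (OR)
ORIGINAL_FILENAMES = ("powershell.exe", "pwsh.dll")           # OriginalFileName (OR)
CLI_MARKERS_ALL = (                                           # CommandLine|contains|all (AND)
    "System.IdentityModel.Tokens.KerberosRequestorSecurityToken",
    ".GetRequest()",
)


def selection_img(event: dict) -> bool:
    """selection_img: either the Image suffix OR the OriginalFileName branch matches."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    by_image = any(image.endswith(suffix) for suffix in IMAGE_SUFFIXES)
    by_pe_name = original in ORIGINAL_FILENAMES   # survives a renamed binary on disk
    return by_image or by_pe_name


def selection_cli(event: dict) -> bool:
    """selection_cli: every marker must appear as a literal substring, case-insensitively."""
    cmdline = event.get("CommandLine", "").lower()
    return all(marker.lower() in cmdline for marker in CLI_MARKERS_ALL)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*"""
    return selection_img(event) and selection_cli(event)


# The classic Kerberoast request as it appears on a command line (constructed SPN).
KERBEROAST_SCRIPT = (
    "Add-Type -AssemblyName System.IdentityModel; "
    "(New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken "
    "-ArgumentList 'MSSQLSvc/sql01.corp.example:1433').GetRequest()"
)
# -EncodedCommand takes base64 of the UTF-16LE script; computed here so the sample is honest.
ENCODED_SCRIPT = base64.b64encode(KERBEROAST_SCRIPT.encode("utf-16-le")).decode()

# Constructed sample events in the Sysmon/Sigma process_creation field convention.
SAMPLE_EVENTS = {
    # Straightforward one-liner from powershell.exe: both selections hit.
    "kerberoast_oneliner": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": f'powershell.exe -NoP -C "{KERBEROAST_SCRIPT}"',
    },
    # pwsh renamed on disk; the PE's OriginalFileName still says pwsh.dll, so it fires.
    "renamed_pwsh_binary": {
        "Image": r"C:\Users\Public\svchost_update.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": f'svchost_update.exe -NoP -C "{KERBEROAST_SCRIPT}"',
    },
    # cmd.exe carrying the same text: selection_img fails on this event; the
    # PowerShell child process it spawns is the event that would match.
    "cmd_wrapper": {
        "Image": r"C:\Windows\System32\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": f'cmd.exe /c powershell -C "{KERBEROAST_SCRIPT}"',
    },
    # Same call with whitespace inside the parentheses: PowerShell accepts it,
    # but the literal ".GetRequest()" is no longer present, so the rule misses.
    "whitespace_in_call": {
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": 'pwsh.exe -C "' + KERBEROAST_SCRIPT.replace(".GetRequest()", ".GetRequest( )") + '"',
    },
    # Encoded command: the class name never appears on the command line, so the rule misses.
    "encoded_command": {
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_SCRIPT}",
    },
}


def evaluate(events: dict) -> dict:
    """Run the rule over every named event; returns {name: matched}."""
    return {name: rule_matches(event) for name, event in events.items()}


if __name__ == "__main__":
    for name, hit in evaluate(SAMPLE_EVENTS).items():
        print(f"{name:22} -> {'ALERT' if hit else 'no match'}")
```

The last two events show the practical caveat of a `CommandLine|contains|all` rule: it only sees literal substrings of the process creation command line, so an encoded command or a trivially reshaped call is outside its coverage. Treat this rule as one signal and pair it with PowerShell script block logging, where the decoded script content is visible, rather than relying on the process creation event alone.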

Author

Swachchhanda Shrawan Poudel (Nextron Systems)

Created

2025-11-18

Data Sources

windows: Process Creation Events

Platforms

windows

Tags

attack.credential-access
attack.t1558.003
Raw Content
title: Suspicious Kerberos Ticket Request via CLI
id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
related:
    - id: a861d835-af37-4930-bcd6-5b178bfb54df
      type: similar
status: experimental
description: |
    Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.
    Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to
    perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse
    techniques like silver ticket attacks.
references:
    - https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-18
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
            - '.GetRequest()'
    condition: all of selection_*
falsepositives:
    - Legitimate command line usage by administrators or security tools.
level: high