EXPLORE
Sign In
← Back to Explore
T1558

Steal or Forge Kerberos Tickets

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the ...

LinuxmacOSWindows
28
Detections
4
Sources
1
Threat Actors

BY SOURCE

15elastic6splunk_escu5sigma2kql

PROCEDURES (20)

Kerbero2 detections

Auto-extracted: 2 detections for kerbero

Unusual2 detections

Auto-extracted: 2 detections for unusual

Privilege2 detections

Auto-extracted: 2 detections for privilege

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Script Block2 detections

Auto-extracted: 2 detections for script block

Impersonat2 detections

Auto-extracted: 2 detections for impersonat

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Privilege1 detections

Auto-extracted: 1 detections for privilege

Dump1 detections

Auto-extracted: 1 detections for dump

Service1 detections

Auto-extracted: 1 detections for service

Credential1 detections

Auto-extracted: 1 detections for credential

Mimikatz1 detections

Auto-extracted: 1 detections for mimikatz

Lateral1 detections

Auto-extracted: 1 detections for lateral

Lateral1 detections

Auto-extracted: 1 detections for lateral

Persist1 detections

Auto-extracted: 1 detections for persist

Dump1 detections

Auto-extracted: 1 detections for dump

Persist1 detections

Auto-extracted: 1 detections for persist

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Command Line Monitoring1 detections

Auto-extracted: 1 detections for command line monitoring

Persist1 detections

Auto-extracted: 1 detections for persist

THREAT ACTORS (1)

Akira

DETECTIONS (28)

Antivirus Password Dumper Detection
sigmacritical
First Time Python Accessed Sensitive Credential Files
elasticmedium
HackTool - Mimikatz Kirbi File Creation
sigmacritical
Kerberos attacks
kql
Kerberos Cached Credentials Dumping
elastichigh
Kerberos Pre-authentication Disabled for User
elasticmedium
Kerberos Traffic from Unusual Process
elasticmedium
Kirbi File Creation
elastichigh
KRBTGT Delegation Backdoor
elastichigh
Potential Invoke-Mimikatz PowerShell Script
elasticcritical
Potential Kerberos Attack via Bifrost
elastichigh
Potential Kerberos Encryption Downgrade
kql
Potential PowerShell HackTool Script by Function Names
elasticmedium
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
sigmamedium
PowerShell Kerberos Ticket Dump
elastichigh
PowerShell Kerberos Ticket Request
elastichigh
Replay Attack Detected
sigmahigh
Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal
elastichigh
Service Creation via Local Kerberos Authentication
elastichigh
Suspicious Kerberos Authentication Ticket Request
elastichigh
Uncommon Outbound Kerberos Connection
sigmamedium
User account exposed to Kerberoasting
elasticmedium
Windows Computer Account Created by Computer Account
splunk_escu
Windows Computer Account Requesting Kerberos Ticket
splunk_escu
Windows Computer Account With SPN
splunk_escu
Windows Domain Admin Impersonation Indicator
splunk_escu
Windows Kerberos Local Successful Logon
splunk_escu
Windows Steal or Forge Kerberos Tickets Klist
splunk_escu