EXPLORE
Sign In
← Back to Explore
T1558

Steal or Forge Kerberos Tickets

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the ...

WindowsLinuxmacOS
25
Detections
3
Sources
1
Threat Actors

BY SOURCE

14elastic6splunk_escu5sigma

PROCEDURES (18)

Unusual3 detections

Auto-extracted: 3 detections for unusual

Mimikatz2 detections

Auto-extracted: 2 detections for mimikatz

Privilege2 detections

Auto-extracted: 2 detections for privilege

Lateral2 detections

Auto-extracted: 2 detections for lateral

Powershell2 detections

Auto-extracted: 2 detections for powershell

Event Log2 detections

Auto-extracted: 2 detections for event log

Persist1 detections

Auto-extracted: 1 detections for persist

Dump1 detections

Auto-extracted: 1 detections for dump

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Privilege1 detections

Auto-extracted: 1 detections for privilege

Service1 detections

Auto-extracted: 1 detections for service

Persist1 detections

Auto-extracted: 1 detections for persist

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

Credential1 detections

Auto-extracted: 1 detections for credential

Persist1 detections

Auto-extracted: 1 detections for persist

Credential1 detections

Auto-extracted: 1 detections for credential

Kerbero1 detections

Auto-extracted: 1 detections for kerbero

Dump1 detections

Auto-extracted: 1 detections for dump

THREAT ACTORS (1)

Akira

DETECTIONS (25)

Antivirus Password Dumper Detection
sigmacritical
First Time Python Accessed Sensitive Credential Files
elasticmedium
HackTool - Mimikatz Kirbi File Creation
sigmacritical
Kerberos Cached Credentials Dumping
elastichigh
Kerberos Pre-authentication Disabled for User
elasticmedium
Kerberos Traffic from Unusual Process
elasticmedium
Kirbi File Creation
elastichigh
KRBTGT Delegation Backdoor
elastichigh
Potential Kerberos Attack via Bifrost
elastichigh
Potential PowerShell HackTool Script by Function Names
elasticmedium
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
sigmamedium
PowerShell Kerberos Ticket Dump
elastichigh
PowerShell Kerberos Ticket Request
elastichigh
Replay Attack Detected
sigmahigh
Sensitive Privilege SeEnableDelegationPrivilege assigned to a User
elastichigh
Service Creation via Local Kerberos Authentication
elastichigh
Suspicious Kerberos Authentication Ticket Request
elastichigh
Uncommon Outbound Kerberos Connection
sigmamedium
User account exposed to Kerberoasting
elasticmedium
Windows Computer Account Created by Computer Account
splunk_escu
Windows Computer Account Requesting Kerberos Ticket
splunk_escu
Windows Computer Account With SPN
splunk_escu
Windows Domain Admin Impersonation Indicator
splunk_escu
Windows Kerberos Local Successful Logon
splunk_escu
Windows Steal or Forge Kerberos Tickets Klist
splunk_escu