Steal or Forge Kerberos Tickets T1558

Events covered

35 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 85 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (87 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (743 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (124 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 35 rules

• Administrator login impersonation with forged Golden ticket
• Antivirus Password Dumper Detection
• HackTool - KrbRelay Execution
• HackTool - KrbRelayUp Execution
• HackTool - Mimikatz Kirbi File Creation
• HackTool - RemoteKrbRelay Execution
• HackTool - Rubeus Execution
• HackTool - Rubeus Execution - ScriptBlock
• Kerberoast ticket request detected
• Kerberoasting Activity - Initial Query
• Kerberos AS-REP Roasting ticket request detected
• Kerberos key list attack for credential dumping
• Kerberos Network Traffic RC4 Ticket Encryption
• Kerberos TGS ticket request related to a potential Golden ticket
• Kerberos ticket without a trailing $ (CVE-2021-42278/42287)
• No Suitable Encryption Key Found For Generating Kerberos Ticket
• Potential AS-REP Roasting via Kerberos TGT Requests
• Potential CVE-2021-42278 Exploitation Attempt
• Potential CVE-2021-42287 Exploitation Attempt
• Potential SPN Enumeration Via Setspn.EXE
• Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock
• Register new Logon Process by Rubeus
• Replay Attack Detected
• Rubeus Kerberos constrained delegation abuse (S4U2Proxy)
• Rubeus Kerberos unconstrained delegation abuse
• Shared folder access with forged Golden ticket
• Suspicious Kerberos password account reset to issue potential Golden ticket
• Suspicious Kerberos proxiable/S4U2self ticket (CVE-2021-42278/42287)
• Suspicious Kerberos RC4 Ticket Encryption
• Suspicious Kerberos Ticket Request via CLI
• Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
• Suspicious SPN enumeration previous to Kerberoasting attack (PowerShell)
• Uncommon Outbound Kerberos Connection
• Uncommon Outbound Kerberos Connection - Security
• User Couldn't Call a Privileged Service 'LsaRegisterLogonProcess'

Elastic 15 rules

• First Time Python Accessed Sensitive Credential Files
• Kerberos Cached Credentials Dumping
• Kerberos Pre-authentication Disabled for User
• Kerberos Traffic from Unusual Process
• Kirbi File Creation
• KRBTGT Delegation Backdoor
• Potential Invoke-Mimikatz PowerShell Script
• Potential Kerberos Attack via Bifrost
• Potential PowerShell HackTool Script by Function Names
• PowerShell Kerberos Ticket Dump
• PowerShell Kerberos Ticket Request
• Sensitive Privilege SeEnableDelegationPrivilege assigned to a Principal
• Service Creation via Local Kerberos Authentication
• Suspicious Kerberos Authentication Ticket Request
• User account exposed to Kerberoasting

Splunk 25 rules

• Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
• Disabled Kerberos Pre-Authentication Discovery With PowerView
• Kerberoasting spn request with RC4 encryption
• Kerberos Pre-Authentication Flag Disabled in UserAccountControl
• Kerberos Pre-Authentication Flag Disabled with PowerShell
• Kerberos Service Ticket Request Using RC4 Encryption
• Mimikatz (Sysmon)
• Mimikatz (Windows Event Log)
• Rubeus Command Line Parameters
• Rubeus Commands (PowerShell)
• Rubeus Commands (Sysmon)
• Rubeus Commands (Windows Event Log)
• Rubeus Password Change (Windows Event Log)
• ServicePrincipalNames Discovery with PowerShell
• ServicePrincipalNames Discovery with SetSPN
• Unusual Number of Kerberos Service Tickets Requested
• Windows Computer Account Created by Computer Account
• Windows Computer Account Requesting Kerberos Ticket
• Windows Computer Account With SPN
• Windows Domain Admin Impersonation Indicator
• Windows Kerberos Local Successful Logon
• Windows PowerView Kerberos Service Ticket Request
• Windows PowerView SPN Discovery
• Windows Process With NetExec Command Line Parameters
• Windows Steal or Forge Kerberos Tickets Klist

Kusto 10 rules

• Alsid Golden Ticket
• Detect Potential Kerberoast Activities
• Pathlock TDnR - Kerberos Keytab Changes
• Potential Kerberoasting
• Powershell Empire Cmdlets Executed in Command Line
• Semperis DSP Kerberos krbtgt account with old password
• T1558.003 - Kerberoasting
• Tenable.ad Golden Ticket
• TIE Golden Ticket
• UnPAC the hash