Steal or Forge Kerberos Tickets T1558

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC). Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.

Events covered

12 catalog events are tagged with this technique by at least one rule.

Provider          | Event ID | Title
Sysmon            | 3        | Network connection
Sysmon            | 11       | FileCreate
Security-Auditing | 4624     | An account was successfully logged on.
Security-Auditing | 4627     | Group membership information.
Security-Auditing | 4649     | A replay attack was detected.
Security-Auditing | 4697     | A service was installed in the system.
Security-Auditing | 4704     | A user right was assigned.
Security-Auditing | 4738     | A user account was changed.
Security-Auditing | 4741     | A computer account was created.
Security-Auditing | 4768     | A Kerberos authentication ticket (TGT) was requested.
Security-Auditing | 5136     | A directory service object was modified.
PowerShell        | 4104     | Creating Scriptblock text (MessageNumber of MessageTotal).

Authoring guide

Patterns shared across the 14 rules tagged with this technique (listed below): which fields they filter on, what specific values they look for, and what they exclude. Field names are normalized across vendors, so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (29 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field                     | Rules | How            | Sample values
EventID                   | 5     | eq 5           | 4741, 4768, 4627, 4624
LogonType                 | 3     | eq 3           | 3, Network
AuthenticationPackageName | 2     | eq 2           | Kerberos
ServicePrincipalNames     | 2     | eq 1, in 1     | *RestrictedKrbHost*, "*RestrictedKrbHost/*", "*HOST/*"
NewUACList                | 1     | eq 1           | USER_DONT_REQUIRE_PREAUTH
AllowedToDelegateTo       | 1     | match 1        | krbtgt
PrivilegeList             | 1     | eq 1           | SeEnableDelegationPrivilege
EventType                 | 1     | eq 1           | logged-in, service-installed
event.outcome             | 1     | eq 1           | success
process_id                | 1     | eq 1           | 0
source.ip                 | 1     | cidr_match 1   | ::1, 127.0.0.0/8
ElevatedToken             | 1     | eq 1           | %%1843
AttributeLDAPDisplayName  | 1     | eq 1           | servicePrincipalName
ObjectClass               | 1     | eq 1           | user
OperationType             | 1     | eq 1           | %%14674

Top indicator values (47 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field                     | Kind       | Value                                             | Rules (here) | Corpus reach
AuthenticationPackageName | eq         | Kerberos                                          | 2            | 2
EventID                   | eq         | 4741                                              | 2            | 2
LogonType                 | eq         | 3                                                 | 2            | 12
NewUACList                | eq         | USER_DONT_REQUIRE_PREAUTH                         | 1            |
AllowedToDelegateTo       | match      | krbtgt                                            | 1            |
PrivilegeList             | eq         | SeEnableDelegationPrivilege                       | 1            |
EventType                 | eq         | logged-in                                         | 1            | 7
LogonType                 | eq         | Network                                           | 1            | 4
process_id                | eq         | 0                                                 | 1            | 2
event.outcome             | eq         | success                                           | 1            | 8
source.ip                 | cidr_match | 127.0.0.0/8                                       | 1            |
ElevatedToken             | eq         | %%1843                                            | 1            |
source.ip                 | cidr_match | ::1                                               | 1            |
EventType                 | eq         | service-installed                                 | 1            | 2
OperationType             | eq         | %%14674                                           | 1            | 4
ObjectClass               | eq         | user                                              | 1            | 4
AttributeLDAPDisplayName  | eq         | servicePrincipalName                              | 1            | 6
TargetFilename            | ends_with  | mimilsa.log                                       | 1            |
TargetFilename            | ends_with  | .kirbi                                            | 1            |
ScriptBlockText           | match      | -Properties*PrincipalsAllowedToDelegateToAccount  | 1            |

Common exclusions (7 distinct)

Field/operator/value combinations that rules under this technique routinely exclude (top-level not() clauses). These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field | Kind | Value             | Rules excluding
user  | in   | "LOCAL SERVICE"   | 1
user  | in   | "ANONYMOUS LOGON" | 1
user  | in   | "SYSTEM"          | 1
user  | in   | "UMFD-*"          | 1
user  | in   | "DWM-*"           | 1
user  | in   | "*$"              | 1
user  | in   | "NETWORK SERVICE" | 1
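As an added example (not one of the catalog's rules), the loopback-Kerberos combination from the indicator table (EventID 4624, LogonType 3, AuthenticationPackageName Kerberos, source.ip in 127.0.0.0/8 or ::1) with the common exclusions applied, run over constructed 4624 events. It assumes events arrive as dicts keyed by the raw Security-Auditing 4624 field names (TargetUserName, IpAddress) rather than the normalized user/source.ip names used in the tables.

```python
import fnmatch
import ipaddress

# Exclusions from the "Common exclusions" table above (wildcards as written in the rules).
EXCLUDED_USERS = ["LOCAL SERVICE", "ANONYMOUS LOGON", "SYSTEM", "NETWORK SERVICE",
                  "UMFD-*", "DWM-*", "*$"]
# Loopback ranges from the source.ip cidr_match indicators in the table above.
LOOPBACK_NETS = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

def is_excluded_user(user):
    """Case-insensitive glob match of the account name against the exclusion list."""
    return any(fnmatch.fnmatchcase(user.upper(), pat.upper()) for pat in EXCLUDED_USERS)

def is_loopback(ip):
    """True when IpAddress parses and falls in 127.0.0.0/8 or ::1; 4624 often carries '-'."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOOPBACK_NETS)

def matches_kerberos_loopback_logon(ev):
    """Indicator combination: 4624, LogonType 3, Kerberos, loopback source, minus exclusions."""
    return (ev.get("EventID") == 4624
            and str(ev.get("LogonType")) == "3"
            and ev.get("AuthenticationPackageName") == "Kerberos"
            and is_loopback(ev.get("IpAddress", ""))
            and not is_excluded_user(ev.get("TargetUserName", "")))

def detect(events):
    # Return the TargetUserName of every event that matches the combination.
    return [ev["TargetUserName"] for ev in events if matches_kerberos_loopback_logon(ev)]

# Constructed sample 4624 events (raw 4624 field names; not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "TargetUserName": "jdoe"},       # hit: Kerberos network logon from loopback
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "::1", "TargetUserName": "svc_backup"},       # hit: same pattern over IPv6 loopback
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "10.0.0.5", "TargetUserName": "jdoe"},        # no: ordinary remote network logon
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "TargetUserName": "WS01$"},      # no: machine account, excluded by "*$"
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "-", "TargetUserName": "SYSTEM"},             # no: excluded name, no source address
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Kerberos",
     "IpAddress": "127.0.0.1", "TargetUserName": "DWM-1"},      # no: interactive logon, excluded name
]

if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))  # ['jdoe', 'svc_backup']
```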

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 4 rules

Elastic 5 rules

Splunk 5 rules