Suspicious Kerberos Ticket Request via CLI

Severity: high
Author: Swachchhanda Shrawan Poudel (Nextron Systems)
Source: upstream

Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse techniques like silver ticket attacks.

MITRE ATT&CK coverage

Tactic	Techniques
Credential Access	`T1558.003` Steal or Forge Kerberos Tickets: Kerberoasting

Event coverage

Provider	Event ID	Title
Sysmon	1	Process creation

Stages and Predicates

Stage 1: `all of selection_img`

or:
Image|endswith: '\powershell.exe'
Image|endswith: '\pwsh.exe'
OriginalFileName: powershell.exe
OriginalFileName: pwsh.dll

Stage 2: `all of selection_cli`

CommandLine|contains: '.GetRequest()'
CommandLine|contains: 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`CommandLine`	match	`.GetRequest()` `System.IdentityModel.Tokens.KerberosRequestorSecurityToken`
`Image`	ends_with	`\powershell.exe` corpus 143 (sigma 143) `\pwsh.exe` corpus 140 (sigma 140)
`OriginalFileName`	eq	`powershell.exe` corpus 8 (sigma 8) `pwsh.dll` corpus 72 (sigma 68, splunk 4)