T1558

Steal or Forge Kerberos Tickets

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket (T1550.003). In Active Directory environments, Kerberos is the primary authentication protocol. Adversaries exploit it through multiple sub-techniques: Kerberoasting (T1558.003) requests service tickets for accounts with SPNs using RC4 encryption for offline hash cracking; AS-REP Roasting (T1558.004) targets accounts with pre-authentication disabled to obtain crackable AS-REP responses; Golden Ticket attacks (T1558.001) use a stolen KRBTGT hash to forge TGTs granting unrestricted domain access; Silver Ticket attacks (T1558.002) forge service tickets using a service account hash for targeted service access; and Ccache file theft (T1558.005) targets Linux/macOS Kerberos credential cache files. Common offensive tools include Rubeus, Mimikatz (kerberos modules), Kekeo, and the Impacket suite (GetUserSPNs.py, GetNPUsers.py, ticketer.py). Detection leverages Windows Security Kerberos event IDs 4768, 4769, and 4771 for protocol-level anomalies such as RC4 encryption downgrade requests in AES-enforced environments, and process telemetry for offensive tool signatures.

Microsoft Sentinel / Defender

kusto

// T1558: Steal or Forge Kerberos Tickets — Multi-pattern detection
// Covers Kerberoasting (4769+RC4), AS-REP Roasting (4768+PreAuth=0),
// Golden Ticket indicators (RC4 TGT), and attack tool process signatures
let LookbackWindow = 24h;

// Pattern 1: Kerberoasting — RC4 TGS requests via EventID 4769
// In AES-enforced environments, any 0x17 service ticket request is high-fidelity
let Kerberoasting = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4769
| where TicketEncryptionType in ("0x17", "0x18")  // RC4-HMAC and RC4-HMAC-EXP
| where ServiceName !endswith "$"                   // Exclude machine account SPNs
| where ServiceName !in~ ("krbtgt", "kadmin/changepw")
| where IpAddress !in ("::1", "127.0.0.1", "-")
| where Status == "0x0"                              // Successful ticket grants only
| summarize
    RequestCount = count(),
    UniqueServices = dcount(ServiceName),
    Services = make_set(ServiceName, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AccountName, IpAddress, Computer
| extend AttackPattern = "Kerberoasting"
| extend RiskLevel = iff(UniqueServices >= 3 or RequestCount >= 5, "Critical", "High");

// Pattern 2: AS-REP Roasting — TGT for account with pre-auth disabled (EventID 4768)
let ASREPRoasting = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4768
| where PreAuthType == "0"                           // Pre-authentication not required
| where TicketEncryptionType in ("0x17", "0x18")    // Attacker requests RC4 for offline cracking
| where Status == "0x0"
| where IpAddress !in ("::1", "127.0.0.1", "-")
| project TimeGenerated, AccountName, IpAddress, Computer, TicketEncryptionType, PreAuthType
| extend AttackPattern = "AS-REP Roasting"
| extend RiskLevel = "High";

// Pattern 3: Golden Ticket indicator — RC4 TGT request (EventID 4768)
// Legitimate AES-only domains should not produce 0x17 TGT events
let GoldenTicketIndicators = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4768
| where TicketEncryptionType in ("0x17", "0x18")    // RC4 TGT is abnormal in AES-enforced domains
| where IpAddress !in ("::1", "127.0.0.1", "-")
| project TimeGenerated, AccountName, IpAddress, Computer, TicketEncryptionType, Status
| extend AttackPattern = "Potential Golden Ticket (RC4 TGT)"
| extend RiskLevel = "Critical";

// Pattern 4: Kerberos attack tool detection via process command line telemetry
let KerberosTools = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where ProcessCommandLine has_any (
    "Rubeus", "kerberoast", "asreproast", "tgtdeleg", "asktgt", "asktgs",
    "harvest", "monitor", "s4u",
    "sekurlsa::tickets", "kerberos::golden", "kerberos::silver",
    "kerberos::ptt", "kerberos::list", "kerberos::purge", "kerberos::tgt",
    "GetUserSPNs", "GetNPUsers", "ticketer.py"
  )
  or FileName in~ ("Rubeus.exe", "Kekeo.exe")
  or ProcessCommandLine has ".kirbi"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend AttackPattern = "Kerberos Attack Tool"
| extend RiskLevel = "Critical";

// Unified output across all patterns
union
    (Kerberoasting
     | project TimeGenerated = LastSeen, Computer, AccountName, IpAddress,
         AttackPattern, RiskLevel,
         Details = strcat("RequestCount=", RequestCount, " UniqueServices=", UniqueServices, " SPNs=", tostring(Services))),
    (ASREPRoasting
     | project TimeGenerated, Computer, AccountName, IpAddress,
         AttackPattern, RiskLevel,
         Details = strcat("EncType=", TicketEncryptionType, " PreAuth=", PreAuthType)),
    (GoldenTicketIndicators
     | project TimeGenerated, Computer, AccountName, IpAddress,
         AttackPattern, RiskLevel,
         Details = strcat("EncType=", TicketEncryptionType, " Status=", Status)),
    (KerberosTools
     | project TimeGenerated = Timestamp, Computer = DeviceName, AccountName,
         IpAddress = "N/A (host-based)", AttackPattern, RiskLevel,
         Details = ProcessCommandLine)
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Authentication: Authentication Active Directory: Active Directory Credential Request Process: Process Creation Microsoft Sentinel SecurityEvent Microsoft Defender for Endpoint

Required Tables

SecurityEvent DeviceProcessEvents

False Positives

Legacy applications that still negotiate RC4 for Kerberos due to compatibility requirements — older Java-based apps (JDK < 17 defaults to AES but may fall back), older Linux Kerberos clients with krb5 library versions that prefer RC4, and applications where 'arcfour-hmac' is listed in krb5.conf etypes
IT inventory and vulnerability scanning tools such as Tenable Nessus, Qualys, and CyberArk that enumerate service principal names as part of Active Directory discovery modules
Backup and monitoring software (Veeam Backup, CommVault, SolarWinds) using service accounts with registered SPNs running on older server OS versions where RC4 is the negotiated cipher
Domain environments in mixed-mode with Windows Server 2008 R2 domain controllers, which still advertise RC4 support by default and can cause clients to negotiate 0x17 during normal Kerberos exchanges

Splunk

spl

(index=wineventlog (sourcetype="WinEventLog:Security" OR sourcetype="XmlWinEventLog:Security") (EventCode=4768 OR EventCode=4769 OR EventCode=4771))
OR
(index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (CommandLine="*Rubeus*" OR CommandLine="*kerberoast*" OR CommandLine="*GetUserSPNs*"
   OR CommandLine="*GetNPUsers*" OR CommandLine="*sekurlsa::tickets*"
   OR CommandLine="*kerberos::golden*" OR CommandLine="*kerberos::silver*"
   OR CommandLine="*kerberos::ptt*" OR CommandLine="*.kirbi*"
   OR CommandLine="*ticketer.py*" OR CommandLine="*tgtdeleg*" OR CommandLine="*asreproast*"
   OR Image="*\\Rubeus.exe" OR Image="*\\Kekeo.exe"))
| eval TicketEncType=coalesce('Ticket_Encryption_Type', TicketEncryptionType)
| eval SvcName=coalesce('Service_Name', ServiceName)
| eval PreAuth=coalesce('Pre_Authentication_Type', PreAuthType)
| eval ClientIP=coalesce('Client_Address', IpAddress, src_ip)
| eval ActName=coalesce('Account_Name', AccountName, user)
| eval IsKerberoasting=if(
    EventCode=4769
    AND (TicketEncType="0x17" OR TicketEncType="0x18")
    AND NOT like(SvcName, "%$")
    AND SvcName!="krbtgt" AND SvcName!="kadmin/changepw"
    AND NOT (ClientIP="::1" OR ClientIP="127.0.0.1" OR ClientIP="-"), 1, 0)
| eval IsASREPRoasting=if(
    EventCode=4768
    AND (PreAuth="0" OR PreAuth="0x0")
    AND (TicketEncType="0x17" OR TicketEncType="0x18"), 1, 0)
| eval IsGoldenTicketIndicator=if(
    EventCode=4768
    AND (TicketEncType="0x17" OR TicketEncType="0x18")
    AND NOT (ClientIP="::1" OR ClientIP="127.0.0.1" OR ClientIP="-"), 1, 0)
| eval IsKerberosTool=if(
    EventCode=1
    AND match(lower(CommandLine),
      "(rubeus|kerberoast|asreproast|getuserspns|getnpusers|sekurlsa::tickets|kerberos::golden|kerberos::silver|kerberos::ptt|kirbi|ticketer\.py|tgtdeleg)"), 1, 0)
| eval TotalScore=IsKerberoasting + IsASREPRoasting + IsGoldenTicketIndicator + IsKerberosTool
| where TotalScore > 0
| eval AttackPattern=case(
    IsKerberosTool=1, "Kerberos Attack Tool",
    IsGoldenTicketIndicator=1 AND IsASREPRoasting=0, "Potential Golden Ticket (RC4 TGT)",
    IsASREPRoasting=1, "AS-REP Roasting",
    IsKerberoasting=1, "Kerberoasting",
    true(), "Kerberos Anomaly")
| eval Severity=case(
    IsKerberosTool=1 OR (IsGoldenTicketIndicator=1 AND IsASREPRoasting=0), "Critical",
    IsASREPRoasting=1 OR IsKerberoasting=1, "High",
    true(), "Medium")
| table _time, host, ActName, ClientIP, SvcName, TicketEncType, PreAuth, EventCode, AttackPattern, Severity, CommandLine
| sort - _time

high severity high confidence

Data Sources

Authentication: Authentication Active Directory: Active Directory Credential Request Process: Process Creation Windows Security Event Log Sysmon Event ID 1

Required Sourcetypes

WinEventLog:Security XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legacy applications negotiating RC4 for Kerberos due to compatibility requirements, including older Java-based applications and Linux clients with older krb5 libraries that prefer RC4 cipher suites
IT inventory and vulnerability scanning tools that enumerate service principal names as part of Active Directory discovery (Tenable Nessus, Qualys, CyberArk Vault)
Monitoring and backup software service accounts (Veeam, CommVault, SolarWinds) with registered SPNs running on older server OS versions where RC4 remains the negotiated cipher
Mixed-mode domain environments with Windows Server 2008 R2 domain controllers that advertise RC4 support by default, causing 0x17 events during routine client authentication

IBM QRadar (AQL)

sql

-- Pattern 1: Kerberoasting — RC4 TGS requests
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS ClientIP,
  username AS AccountName,
  QIDNAME(qid) AS EventName,
  devicestring AS ServiceName,
  "Kerberoasting" AS AttackPattern,
  "Critical" AS Severity
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) LIKE '%4769%'
  AND devicestring NOT LIKE '%$'
  AND devicestring NOT IN ('krbtgt', 'kadmin/changepw')
  AND sourceip NOT IN ('127.0.0.1', '::1', '-')
  AND LONG(categoryname(highlevelcategory)) > 0
  AND UTF8(databytes) LIKE '%0x17%'
  AND starttime > (CURRENT_TIMESTAMP - 86400000)

UNION ALL

-- Pattern 2: AS-REP Roasting — Pre-auth disabled TGT
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS ClientIP,
  username AS AccountName,
  QIDNAME(qid) AS EventName,
  devicestring AS ServiceName,
  'AS-REP Roasting' AS AttackPattern,
  'High' AS Severity
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) LIKE '%4768%'
  AND UTF8(databytes) LIKE '%Pre-Authentication Type:%0%'
  AND (UTF8(databytes) LIKE '%0x17%' OR UTF8(databytes) LIKE '%0x18%')
  AND sourceip NOT IN ('127.0.0.1', '::1', '-')
  AND starttime > (CURRENT_TIMESTAMP - 86400000)

UNION ALL

-- Pattern 3: Kerberos attack tool process execution (Sysmon Event ID 1)
SELECT
  DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
  logsourceid,
  LOGSOURCENAME(logsourceid) AS LogSource,
  sourceip AS ClientIP,
  username AS AccountName,
  QIDNAME(qid) AS EventName,
  UTF8(databytes) AS CommandLine,
  'Kerberos Attack Tool' AS AttackPattern,
  'Critical' AS Severity
FROM events
WHERE
  LOGSOURCETYPEID(logsourceid) = 12
  AND QIDNAME(qid) LIKE '%1%'
  AND (
    LOWER(UTF8(databytes)) LIKE '%rubeus%'
    OR LOWER(UTF8(databytes)) LIKE '%kerberoast%'
    OR LOWER(UTF8(databytes)) LIKE '%asreproast%'
    OR LOWER(UTF8(databytes)) LIKE '%getuserspns%'
    OR LOWER(UTF8(databytes)) LIKE '%getnpusers%'
    OR LOWER(UTF8(databytes)) LIKE '%sekurlsa::tickets%'
    OR LOWER(UTF8(databytes)) LIKE '%kerberos::golden%'
    OR LOWER(UTF8(databytes)) LIKE '%kerberos::silver%'
    OR LOWER(UTF8(databytes)) LIKE '%kerberos::ptt%'
    OR LOWER(UTF8(databytes)) LIKE '%.kirbi%'
    OR LOWER(UTF8(databytes)) LIKE '%ticketer.py%'
    OR LOWER(UTF8(databytes)) LIKE '%tgtdeleg%'
  )
  AND starttime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY EventTime DESC

critical severity medium confidence

Data Sources

Windows Security Event Log via QRadar WinCollect or Syslog Microsoft Windows Sysmon via QRadar DSM

Required Tables

events

False Positives

Legacy Windows clients (XP/2003 era) that only support RC4 will trigger RC4-based detections even in modern environments where they remain for compatibility
Service accounts with SPNs that run scheduled batch jobs may generate multiple 4769 events in short succession
Mixed-mode AD environments during RC4-to-AES migration phase will produce elevated baseline of RC4 TGS requests
Security scanning tools or AD health check utilities that enumerate SPNs

Sumo Logic CSE

sql

// T1558: Steal or Forge Kerberos Tickets — Sumo Logic CSE
// Source: Windows Security Event Log + Sysmon

(_sourceCategory="*WinEventLog*" OR _sourceCategory="*windows*security*" OR _sourceCategory="*sysmon*")
| where EventCode in ("4768", "4769", "4771") or (EventCode = "1" and (
    CommandLine matches "(?i).*rubeus.*" or
    CommandLine matches "(?i).*kerberoast.*" or
    CommandLine matches "(?i).*asreproast.*" or
    CommandLine matches "(?i).*getuserspns.*" or
    CommandLine matches "(?i).*getnpusers.*" or
    CommandLine matches "(?i).*sekurlsa::tickets.*" or
    CommandLine matches "(?i).*kerberos::golden.*" or
    CommandLine matches "(?i).*kerberos::silver.*" or
    CommandLine matches "(?i).*kerberos::ptt.*" or
    CommandLine matches "(?i).*\.kirbi.*" or
    CommandLine matches "(?i).*ticketer\.py.*" or
    CommandLine matches "(?i).*tgtdeleg.*"
  )
)
| parse field=Message "Ticket Encryption Type:\t*" as TicketEncType nodrop
| parse field=Message "Service Name:\t*" as ServiceName nodrop
| parse field=Message "Pre-Authentication Type:\t*" as PreAuthType nodrop
| parse field=Message "Client Address:\t*" as ClientIP nodrop
| parse field=Message "Account Name:\t*" as AccountName nodrop
| if(isEmpty(ClientIP), src_ip, ClientIP) as ClientIP
| if(isEmpty(AccountName), user, AccountName) as AccountName
// Score each event
| eval IsKerberoasting = if(
    EventCode = "4769"
    and (TicketEncType = "0x17" or TicketEncType = "0x18")
    and !(ServiceName matches ".*\$")
    and !(ServiceName in ("krbtgt","kadmin/changepw"))
    and !(ClientIP in ("::1","127.0.0.1","-")),
    1, 0)
| eval IsASREPRoasting = if(
    EventCode = "4768"
    and (PreAuthType = "0" or PreAuthType = "0x0")
    and (TicketEncType = "0x17" or TicketEncType = "0x18"),
    1, 0)
| eval IsGoldenTicket = if(
    EventCode = "4768"
    and (TicketEncType = "0x17" or TicketEncType = "0x18")
    and !(ClientIP in ("::1","127.0.0.1","-")),
    1, 0)
| eval IsKerberosTool = if(EventCode = "1", 1, 0)
| eval TotalScore = IsKerberoasting + IsASREPRoasting + IsGoldenTicket + IsKerberosTool
| where TotalScore > 0
| eval AttackPattern = if(IsKerberosTool = 1, "Kerberos Attack Tool",
    if(IsGoldenTicket = 1 and IsASREPRoasting = 0, "Potential Golden Ticket (RC4 TGT)",
    if(IsASREPRoasting = 1, "AS-REP Roasting",
    if(IsKerberoasting = 1, "Kerberoasting", "Kerberos Anomaly"))))
| eval Severity = if(IsKerberosTool = 1 or (IsGoldenTicket = 1 and IsASREPRoasting = 0), "Critical",
    if(IsASREPRoasting = 1 or IsKerberoasting = 1, "High", "Medium"))
| fields _messageTime, _sourceHost, AccountName, ClientIP, ServiceName, TicketEncType, PreAuthType, EventCode, AttackPattern, Severity, CommandLine
| sort by _messageTime desc

critical severity high confidence

Data Sources

Sumo Logic Windows Collection Agent (WinEventLog:Security) Sumo Logic Sysmon Collection (Sysmon Operational Log)

Required Tables

Windows Security Event Log source Sysmon Operational source

False Positives

Windows hosts running legacy software that requires RC4 (DES/RC4) Kerberos encryption will generate false positives for EventID 4769 with 0x17
Automated service account testing or identity governance tools that enumerate SPNs as part of access certification
ITSM or monitoring platforms that authenticate to AD services using legacy Kerberos configurations
Authorized red team exercises — correlate with change management records

Google Chronicle / SecOps

yaral

rule t1558_steal_forge_kerberos_tickets {
  meta:
    author = "Detection Engineering"
    description = "Detects T1558 Steal or Forge Kerberos Tickets: Kerberoasting, AS-REP Roasting, Golden Ticket, and Kerberos attack tool execution"
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558"
    mitre_attack_sub_techniques = "T1558.001, T1558.002, T1558.003, T1558.004"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1558/"
    created = "2026-01-01"
    version = "1.0"

  events:
    (
      // Pattern 1 & 2 & 3: Kerberos protocol anomalies (4768/4769)
      $e.metadata.event_type = "USER_RESOURCE_ACCESS"
      and $e.metadata.product_event_type in ("4768", "4769")
      and (
        // Kerberoasting: RC4 TGS request for service account
        (
          $e.metadata.product_event_type = "4769"
          and $e.target.resource.attribute.labels["ticket_encryption_type"] in ("0x17", "0x18")
          and not re.regex($e.target.resource.name, `.*\$$`)
          and not $e.target.resource.name in ("krbtgt", "kadmin/changepw")
          and not $e.principal.ip in ("::1", "127.0.0.1", "-")
        )
        or
        // AS-REP Roasting: Pre-auth disabled TGT
        (
          $e.metadata.product_event_type = "4768"
          and $e.target.resource.attribute.labels["pre_authentication_type"] = "0"
          and $e.target.resource.attribute.labels["ticket_encryption_type"] in ("0x17", "0x18")
        )
        or
        // Golden Ticket indicator: RC4 TGT in AES-enforced domain
        (
          $e.metadata.product_event_type = "4768"
          and $e.target.resource.attribute.labels["ticket_encryption_type"] in ("0x17", "0x18")
          and not $e.principal.ip in ("::1", "127.0.0.1", "-")
        )
      )
    )
    or
    (
      // Pattern 4: Kerberos attack tool process execution
      $e.metadata.event_type = "PROCESS_LAUNCH"
      and (
        re.regex($e.target.process.command_line, `(?i)(rubeus|kerberoast|asreproast|getuserspns|getnpusers|sekurlsa::tickets|kerberos::golden|kerberos::silver|kerberos::ptt|\.kirbi|ticketer\.py|tgtdeleg|kekeo)`)
        or $e.target.process.file.full_path matches "/(?i)(rubeus\.exe|kekeo\.exe)$/"
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Chronicle UDM (Windows Security Events via Forwarder or API ingestion) Chronicle UDM (Sysmon or EDR process telemetry)

Required Tables

UDM Events (user_resource_access, process_launch)

False Positives

Organizations with AD mixed-mode environments still supporting legacy RC4 encryption will see elevated 4769 RC4 events from legitimate clients
IT automation tools using service accounts with SPNs for scheduled tasks may generate Kerberoasting-like patterns
Domain admin activity during AD migrations or security assessments that involve SPN enumeration
Authorized penetration tests — no suppression by default, correlate with approved test windows

CrowdStrike LogScale (CQL)

cql

// T1558: Steal or Forge Kerberos Tickets — CrowdStrike LogScale (Falcon CQL)
// Pattern 1 & 2: Kerberos protocol anomalies via Windows Security Event telemetry
// (Requires Windows Security Event log collection enabled in Falcon sensor)

#event_simpleName = "WindowsSecurityEvent"
| EventCode in (4768, 4769)
| TicketEncryptionType in ("0x17", "0x18")
| (
    // Kerberoasting: RC4 service ticket for non-machine account
    (
      EventCode = 4769
      | ServiceName != /.*\$$/
      | ServiceName != /^(krbtgt|kadmin\/changepw)$/i
      | ClientAddress != /^(::1|127\.0\.0\.1|-)$/
      | Status = "0x0"
      | AttackPattern := "Kerberoasting"
      | Severity := "Critical"
    )
    or
    // AS-REP Roasting: pre-auth disabled TGT
    (
      EventCode = 4768
      | PreAuthType in ("0", "0x0")
      | AttackPattern := "AS-REP Roasting"
      | Severity := "High"
    )
    or
    // Golden Ticket indicator: RC4 TGT
    (
      EventCode = 4768
      | ClientAddress != /^(::1|127\.0\.0\.1|-)$/
      | AttackPattern := "Potential Golden Ticket (RC4 TGT)"
      | Severity := "Critical"
    )
  )
| table([timestamp, ComputerName, TargetUserName, ClientAddress, ServiceName, TicketEncryptionType, PreAuthType, EventCode, AttackPattern, Severity])

// Pattern 3: Kerberos attack tool process execution via Falcon EDR
| union {
    #event_simpleName = ProcessRollup2
    | CommandLine = /(?i)(rubeus|kerberoast|asreproast|getuserspns|getnpusers|sekurlsa::tickets|kerberos::golden|kerberos::silver|kerberos::ptt|\.kirbi|ticketer\.py|tgtdeleg|kekeo)/
        OR ImageFileName = /(?i)(rubeus\.exe|kekeo\.exe)$/
    | AttackPattern := "Kerberos Attack Tool"
    | Severity := "Critical"
    | table([timestamp, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, AttackPattern, Severity])
  }
| sort(timestamp, order=desc)

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2 events) CrowdStrike Falcon Windows Event Log collection (WindowsSecurityEvent)

Required Tables

WindowsSecurityEvent ProcessRollup2

False Positives

Falcon sensors with Windows Security Event log collection disabled will only see the ProcessRollup2 tool detections, missing protocol-level patterns
Legacy systems in the environment that still use RC4 Kerberos will generate persistent low-level noise on 4769 events with 0x17
Automated SPN scanning by AD management tools (e.g., Microsoft ATA/Defender for Identity during initial learning phase) can resemble Kerberoasting patterns
Authorized offensive security testing using tools like Rubeus in named red team exercises — correlate ContextProcessId with approved test timeframes

Last updated: 2026-04-13 Research depth: deep

References (13)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1558 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Steal or Forge Kerberos Tickets

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Sub-techniques (5)

Same Tactic: Credential Access

Popular Detections