T1558.002

Silver Ticket

Adversaries who have obtained the NTLM password hash of a target service account may forge Kerberos Ticket Granting Service (TGS) tickets, known as silver tickets. Silver tickets are more limited in scope than golden tickets — they only grant access to a specific service on a specific host — but are significantly harder to detect because they bypass the Key Distribution Center (KDC) entirely, generating no KDC-side authentication logs. Service account hashes are typically obtained via OS Credential Dumping (T1003) or Kerberoasting (T1558.003). Common tooling includes Mimikatz (kerberos::silver), Rubeus (silver), and Empire/Invoke-Mimikatz. AADInternals can forge tickets using the AZUREADSSOACC account hash to attack Azure AD Seamless SSO.

Microsoft Sentinel / Defender

kusto

// =====================================================================
// Silver Ticket Detection — Method 1: Attacker Tool Execution
// Detects Mimikatz, Rubeus, and PowerShell wrappers creating silver tickets
// =====================================================================
let SilverTicketToolDetection = DeviceProcessEvents
| where Timestamp > ago(24h)
| where
    // Mimikatz direct execution — kerberos module
    (FileName in~ ("mimikatz.exe", "mimikatz64.exe")
     and ProcessCommandLine has_any ("kerberos::silver", "kerberos::ptt", "sekurlsa::tickets", "/ptt"))
    // PowerShell Invoke-Mimikatz silver ticket
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any ("Invoke-Mimikatz", "Invoke-Kerberoast")
        and ProcessCommandLine has_any ("silver", "kerberos::ptt", "/ptt", "/target:", "/rc4:", "/aes256:"))
    // Rubeus silver ticket and pass-the-ticket (direct or reflective)
    or (FileName =~ "rubeus.exe"
        and ProcessCommandLine has_any ("silver", "s4u", "ptt", "/ticket:", "asktgs", "createnetonly"))
    // Rubeus invoked from PowerShell (reflective load or inline)
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has "rubeus"
        and ProcessCommandLine has_any ("silver", "/ticket:", "ptt", "/service:", "/target:", "/rc4:"))
    // AADInternals AZUREADSSOACC silver ticket for Azure AD SSO
    or (FileName in~ ("powershell.exe", "pwsh.exe")
        and ProcessCommandLine has_any ("New-AADIntKerberosTicket", "AZUREADSSOACC", "kerberos::golden") 
        and ProcessCommandLine has_any ("AZUREADSSOACC", "aadsso", "seamlesssso"))
| extend ToolUsed = case(
    FileName in~ ("mimikatz.exe", "mimikatz64.exe"), "Mimikatz",
    ProcessCommandLine has "invoke-mimikatz", "Invoke-Mimikatz (PowerShell)",
    ProcessCommandLine has "new-aadintkerberosticket", "AADInternals",
    FileName =~ "rubeus.exe" or ProcessCommandLine has "rubeus", "Rubeus",
    FileName in~ ("powershell.exe", "pwsh.exe"), "PowerShell Kerberos Wrapper",
    "Unknown"
  )
| extend AttackPhase = case(
    ProcessCommandLine has "kerberos::silver", "Silver Ticket Forge",
    ProcessCommandLine has_any ("kerberos::ptt", "/ptt"), "Pass-the-Ticket Injection",
    ProcessCommandLine has "sekurlsa::tickets", "Ticket Enumeration",
    ProcessCommandLine has_any ("s4u", "asktgs"), "Service Ticket Request (S4U/TGS)",
    ProcessCommandLine has "createnetonly", "Process Spawning for PTT",
    "Ticket Operation"
  )
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
          InitiatingProcessFileName, InitiatingProcessCommandLine,
          ToolUsed, AttackPhase;
// =====================================================================
// Silver Ticket Detection — Method 2: Kerberos RC4 Downgrade Anomaly
// RC4 (0x17) is Mimikatz default for silver tickets without /aes256.
// Silver tickets bypass the KDC entirely — this catches precursor Kerberoasting
// and misconfigured forged tickets visible in DC logs from other activity.
// =====================================================================
let KerberosRC4Anomaly = SecurityEvent
| where TimeGenerated > ago(24h)
| where EventID == 4769
| extend ServiceName = extract(@'<Data Name="ServiceName">([^<]+)<', 1, EventData)
| extend TicketEncryptionType = extract(@'<Data Name="TicketEncryptionType">([^<]+)<', 1, EventData)
| extend TargetUserName = extract(@'<Data Name="TargetUserName">([^<]+)<', 1, EventData)
| extend ClientAddress = extract(@'<Data Name="IpAddress">([^<]+)<', 1, EventData)
| extend TicketOptions = extract(@'<Data Name="TicketOptions">([^<]+)<', 1, EventData)
| extend Status = extract(@'<Data Name="Status">([^<]+)<', 1, EventData)
// RC4_HMAC_MD5 = 0x17 (Mimikatz default), RC4_HMAC_MD5_EXP = 0x18 (obsolete)
| where TicketEncryptionType in ("0x17", "0x18")
| where ServiceName !endswith "$" and ServiceName !in~ ("krbtgt", "UNKNOWN", "-")
| where TargetUserName !endswith "$" and TargetUserName !in ("-", "ANONYMOUS LOGON")
| extend EncryptionLabel = iff(TicketEncryptionType == "0x17",
    "RC4-HMAC-MD5 (Mimikatz/Rubeus Default)",
    "RC4-HMAC-MD5-EXP (Obsolete, High Risk)")
| extend IsHighValueSPN = ServiceName has_any (
    "CIFS", "cifs", "HTTP", "http", "MSSQLSvc", "mssql",
    "HOST", "RPCSS", "wsman", "WSMAN", "LDAP", "ldap", "TERMSRV", "GC", "gc")
| project TimeGenerated, Computer, TargetUserName, ServiceName, EncryptionLabel,
          ClientAddress, IsHighValueSPN, TicketOptions, Status;
// Union both detection methods
union
  (SilverTicketToolDetection
   | project Timestamp, DeviceName, AccountName,
             DetectionMethod = "Tool Execution",
             Details = strcat(ToolUsed, " — ", AttackPhase, " | cmd: ", ProcessCommandLine),
             RiskLevel = "Critical"),
  (KerberosRC4Anomaly
   | project Timestamp = TimeGenerated,
             DeviceName = Computer,
             AccountName = TargetUserName,
             DetectionMethod = "Kerberos RC4 Anomaly",
             Details = strcat(EncryptionLabel, " | SPN: ", ServiceName,
                 " | src: ", ClientAddress, " | HighValue: ", tostring(IsHighValueSPN)),
             RiskLevel = "High")
| sort by Timestamp desc

critical severity medium confidence

Data Sources

Process: Process Creation Active Directory: Active Directory Credential Request Logon Session: Logon Session Metadata Microsoft Defender for Endpoint Windows Security Event Log

Required Tables

DeviceProcessEvents SecurityEvent

False Positives

Authorized red team, penetration testing, or purple team exercises using Mimikatz or Rubeus in controlled lab environments with explicit change ticket authorization
Legacy Windows environments or applications (Windows Server 2003/2008-era services, SAP, Oracle EBS, older IBM middleware) that do not support AES Kerberos and legitimately require RC4 encryption for service tickets
SQL Server clusters, IIS application pools, or third-party enterprise applications using service accounts configured for RC4 Kerberos due to application compatibility constraints or missing AES keytab updates
Security validation platforms (Cymulate, AttackIQ, SafeBreach, Vectr) that execute Mimikatz or Rubeus as part of scheduled adversary emulation assessments

Splunk

spl

| union
[
  search index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
  (
    (Image="*\\mimikatz.exe" OR Image="*\\mimikatz64.exe")
    OR (Image="*\\rubeus.exe")
    OR ((Image="*\\powershell.exe" OR Image="*\\pwsh.exe")
        AND (CommandLine="*invoke-mimikatz*" OR CommandLine="*invoke-kerberoast*" OR CommandLine="*rubeus*")
        AND (CommandLine="*silver*" OR CommandLine="*kerberos::ptt*" OR CommandLine="*/ptt*" OR CommandLine="*/target:*" OR CommandLine="*/rc4:*"))
  )
  AND (
    CommandLine="*kerberos::silver*" OR CommandLine="*kerberos::ptt*" OR CommandLine="*/ptt*"
    OR CommandLine="*silver*" OR CommandLine="*s4u*" OR CommandLine="*asktgs*"
    OR CommandLine="*sekurlsa::tickets*" OR CommandLine="*createnetonly*"
  )
  | eval DetectionMethod="Tool Execution"
  | eval ToolUsed=case(
      match(Image, "(?i)mimikatz"), "Mimikatz",
      match(Image, "(?i)(powershell|pwsh)") AND match(CommandLine, "(?i)invoke-mimikatz"), "Invoke-Mimikatz",
      match(Image, "(?i)(powershell|pwsh)") AND match(CommandLine, "(?i)invoke-kerberoast"), "Invoke-Kerberoast",
      match(Image, "(?i)rubeus"), "Rubeus",
      match(Image, "(?i)(powershell|pwsh)") AND match(CommandLine, "(?i)rubeus"), "Rubeus (PowerShell Loader)",
      1=1, "Unknown"
    )
  | eval AttackPhase=case(
      match(CommandLine, "(?i)kerberos::silver"), "Silver Ticket Forge",
      match(CommandLine, "(?i)(kerberos::ptt|/ptt)"), "Pass-the-Ticket Injection",
      match(CommandLine, "(?i)sekurlsa::tickets"), "Ticket Enumeration",
      match(CommandLine, "(?i)(s4u|asktgs)"), "Service Ticket Request",
      match(CommandLine, "(?i)createnetonly"), "Process Spawn for PTT",
      1=1, "Ticket Operation"
    )
  | eval RiskLevel="Critical"
  | table _time, host, User, Image, CommandLine, ParentImage, ParentCommandLine,
          DetectionMethod, ToolUsed, AttackPhase, RiskLevel
]
| append
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4769
    (Ticket_Encryption_Type="0x17" OR Ticket_Encryption_Type="0x18")
    NOT (Service_Name="*$" OR Service_Name="krbtgt" OR Service_Name="UNKNOWN" OR Service_Name="-")
    NOT (Account_Name="*$" OR Account_Name="-" OR Account_Name="ANONYMOUS LOGON")
  | eval EncryptionLabel=case(
      Ticket_Encryption_Type=="0x17", "RC4-HMAC-MD5 (Mimikatz Default)",
      Ticket_Encryption_Type=="0x18", "RC4-HMAC-MD5-EXP (Obsolete)",
      1=1, "Unknown"
    )
  | eval IsHighValueSPN=if(
      match(Service_Name, "(?i)(cifs|http|mssqlsvc|host|rpcss|wsman|ldap|termsrv|gc/)"),
      "true", "false"
    )
  | eval DetectionMethod="Kerberos RC4 Anomaly"
  | eval RiskLevel="High"
  | table _time, host, Account_Name, Service_Name, EncryptionLabel,
          Client_Address, IsHighValueSPN, Ticket_Options, DetectionMethod, RiskLevel
]
| sort - _time

critical severity medium confidence

Data Sources

Process: Process Creation Active Directory: Active Directory Credential Request Sysmon Event ID 1 Windows Security Event ID 4769

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational WinEventLog:Security

False Positives

Authorized red team or penetration testing exercises using Mimikatz or Rubeus in controlled environments
Legacy applications requiring RC4 Kerberos encryption — particularly SQL Server clusters, SAP, Oracle, or older IIS deployments running on Windows Server 2008 or earlier
Environments that have not enforced AES-only Kerberos via GPO (Network Security: Configure encryption types allowed for Kerberos), where RC4 tickets are common baseline noise
Security validation platforms generating Mimikatz or Rubeus process events as part of scheduled adversary emulation runs

Elastic Security (EQL)

eql

any where
  /* Method 1: Silver ticket tool execution — Mimikatz, Rubeus, PowerShell wrappers */
  (
    event.category == "process" and event.type == "start"
    and (
      (
        process.name : ("mimikatz.exe", "mimikatz64.exe")
        and process.command_line : ("*kerberos::silver*", "*kerberos::ptt*", "*sekurlsa::tickets*", "*/ptt*")
      )
      or
      (
        process.name : "rubeus.exe"
        and process.command_line : ("*silver*", "*s4u*", "*ptt*", "*/ticket:*", "*asktgs*", "*createnetonly*")
      )
      or
      (
        process.name : ("powershell.exe", "pwsh.exe")
        and process.command_line : ("*invoke-mimikatz*", "*invoke-kerberoast*", "*rubeus*")
        and process.command_line : ("*silver*", "*kerberos::ptt*", "*/ptt*", "*/target:*", "*/rc4:*")
      )
      or
      (
        process.name : ("powershell.exe", "pwsh.exe")
        and process.command_line : ("*new-aadintkerberosticket*", "*azureadssoacc*")
        and process.command_line : ("*aadsso*", "*seamlesssso*", "*kerberos::golden*")
      )
    )
  )
  or
  /* Method 2: Kerberos RC4 downgrade — Windows Security Event 4769 */
  (
    event.code == "4769"
    and winlog.event_data.TicketEncryptionType : ("0x17", "0x18")
    and not winlog.event_data.ServiceName : ("*$", "krbtgt", "UNKNOWN", "-")
    and not winlog.event_data.TargetUserName : ("*$", "-", "ANONYMOUS LOGON")
  )

critical severity high confidence

Data Sources

Windows Endpoint via Elastic Agent (process events) Winlogbeat (Windows Security Event Log, Sysmon Operational)

Required Tables

logs-endpoint.events.process-* winlogbeat-* logs-system.security-*

False Positives

Legacy enterprise applications (SAP ABAP clients, MIT Kerberos on Linux, older Java GSSAPI implementations) configured to require RC4 Kerberos will generate Event 4769 with 0x17 continuously, producing high-volume false positives on the RC4 downgrade branch
Authorized red team or penetration testing engagements executing Mimikatz or Rubeus on enrolled endpoints will match all tool execution signatures — cross-reference with change management windows
PowerShell Kerberos administration scripts containing keywords such as 'silver', 's4u', or '/ptt' in parameter names, variable assignments, or comment blocks without performing malicious ticket operations

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  logsourcename(logsourceid) AS LogSource,
  username AS AccountName,
  sourceip AS SourceIP,
  eventid AS WindowsEventID,
  QIDNAME(qid) AS EventDescription,
  CASE
    WHEN eventid IN ('4688', '1') THEN 'Tool Execution'
    WHEN eventid = '4769'        THEN 'Kerberos RC4 Anomaly'
    ELSE 'Unknown'
  END AS DetectionMethod,
  CASE
    WHEN eventid IN ('4688', '1') THEN 'Critical'
    WHEN eventid = '4769'         THEN 'High'
    ELSE 'Unknown'
  END AS RiskLevel,
  UTF8(payload) AS RawPayload
FROM events
WHERE
  (
    /* Method 1: Silver ticket tool execution — Security 4688 or Sysmon 1 */
    (
      eventid IN ('4688', '1')
      AND (
        UTF8(payload) ILIKE '%mimikatz%'
        OR UTF8(payload) ILIKE '%rubeus.exe%'
        OR (
          (
            UTF8(payload) ILIKE '%powershell.exe%'
            OR UTF8(payload) ILIKE '%pwsh.exe%'
          )
          AND (
            UTF8(payload) ILIKE '%invoke-mimikatz%'
            OR UTF8(payload) ILIKE '%kerberos::silver%'
            OR UTF8(payload) ILIKE '%rubeus%'
            OR UTF8(payload) ILIKE '%new-aadintkerberosticket%'
          )
        )
      )
      AND (
        UTF8(payload) ILIKE '%kerberos::silver%'
        OR UTF8(payload) ILIKE '%kerberos::ptt%'
        OR UTF8(payload) ILIKE '% /ptt%'
        OR UTF8(payload) ILIKE '%silver%'
        OR UTF8(payload) ILIKE '% s4u%'
        OR UTF8(payload) ILIKE '%asktgs%'
        OR UTF8(payload) ILIKE '%sekurlsa::tickets%'
        OR UTF8(payload) ILIKE '%createnetonly%'
      )
    )
    OR
    /* Method 2: Kerberos RC4 downgrade — Security Event 4769 */
    (
      eventid = '4769'
      AND (
        UTF8(payload) ILIKE '%<Data Name="TicketEncryptionType">0x17%'
        OR UTF8(payload) ILIKE '%<Data Name="TicketEncryptionType">0x18%'
      )
      AND UTF8(payload) NOT ILIKE '%<Data Name="ServiceName">krbtgt%'
      AND UTF8(payload) NOT ILIKE '%<Data Name="ServiceName">UNKNOWN%'
      AND UTF8(payload) NOT ILIKE '%<Data Name="ServiceName">-%'
      AND UTF8(payload) NOT ILIKE '%<Data Name="TargetUserName">-%'
      AND UTF8(payload) NOT ILIKE '%<Data Name="TargetUserName">ANONYMOUS LOGON%'
    )
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

critical severity high confidence

Data Sources

Windows Security Event Log (via Microsoft Windows Security Event Log DSM) Microsoft Sysmon Operational Log (via Microsoft Sysmon DSM)

Required Tables

events

False Positives

Legacy domain-joined servers and applications requiring RC4 Kerberos encryption (e.g., older SQL Server linked servers, Samba file shares configured without AES, NFS Kerberos mounts) will continuously generate Event 4769 with 0x17 at scale
Authorized penetration testing engagements using Mimikatz or Rubeus with proper change management will match all tool execution signatures — filter by change window or authorized source IP ranges
Software deployment or SCCM pipelines that stage or scan Mimikatz binaries during EDR evaluation or AV testing phases on Windows endpoints

Sumo Logic CSE

sql

(_sourceCategory="Windows/Security" OR _sourceCategory="Windows/Sysmon")
| parse "EventID=*" as event_id nodrop
| parse "EventCode=*" as event_code nodrop
| if (!isNull(event_code), event_code, event_id) as event_id
| where event_id in ("1", "4688", "4769")
| parse field=_raw "Image=*\n" as Image nodrop
| parse field=_raw "CommandLine=*\n" as CommandLine nodrop
| parse field=_raw "ParentImage=*\n" as ParentImage nodrop
| parse field=_raw "AccountName=*\n" as AccountName nodrop
| parse field=_raw "ServiceName=*\n" as ServiceName nodrop
| parse field=_raw "TicketEncryptionType=*\n" as EncryptionType nodrop
| parse field=_raw "IpAddress=*\n" as ClientAddress nodrop
| parse field=_raw "Computer=*\n" as DeviceName nodrop
| where
  (
    /* Method 1: Silver ticket tool execution */
    event_id in ("1", "4688")
    and (
      matches(toLowerCase(Image), ".*mimikatz.*")
      or matches(toLowerCase(Image), ".*rubeus\\.exe")
      or (
        matches(toLowerCase(Image), ".*(powershell|pwsh)\\.exe")
        and (
          matches(toLowerCase(CommandLine), ".*invoke-mimikatz.*")
          or matches(toLowerCase(CommandLine), ".*kerberos::silver.*")
          or matches(toLowerCase(CommandLine), ".*rubeus.*")
          or matches(toLowerCase(CommandLine), ".*new-aadintkerberosticket.*")
        )
      )
    )
    and (
      matches(toLowerCase(CommandLine), ".*kerberos::silver.*")
      or matches(toLowerCase(CommandLine), ".*kerberos::ptt.*")
      or matches(toLowerCase(CommandLine), ".*\\/ptt.*")
      or matches(toLowerCase(CommandLine), ".*silver.*")
      or matches(toLowerCase(CommandLine), ".* s4u.*")
      or matches(toLowerCase(CommandLine), ".*asktgs.*")
      or matches(toLowerCase(CommandLine), ".*sekurlsa::tickets.*")
      or matches(toLowerCase(CommandLine), ".*createnetonly.*")
    )
  )
  or
  (
    /* Method 2: Kerberos RC4 downgrade — Event 4769 */
    event_id = "4769"
    and EncryptionType in ("0x17", "0x18")
    and !endsWith(ServiceName, "$")
    and !(ServiceName in ("krbtgt", "UNKNOWN", "-"))
    and !endsWith(AccountName, "$")
    and !(AccountName in ("-", "ANONYMOUS LOGON"))
  )
| if (event_id in ("1", "4688"), "Tool Execution", "Kerberos RC4 Anomaly") as DetectionMethod
| if (event_id in ("1", "4688"), "Critical", "High") as RiskLevel
| if (
    event_id = "4769",
    concat("enc=", EncryptionType, " spn=", ServiceName, " src=", ClientAddress),
    concat("img=", Image, " cmd=", CommandLine)
  ) as Details
| fields _messageTime, DeviceName, AccountName, DetectionMethod, RiskLevel, Details
| sort by _messageTime desc

critical severity high confidence

Data Sources

Windows Security Event Log Microsoft Sysmon Operational Log

Required Tables

_sourceCategory=Windows/Security _sourceCategory=Windows/Sysmon

False Positives

Windows environments with legacy Kerberos clients not migrated to AES (e.g., MIT Kerberos on Linux, Samba without AES support, embedded systems) will generate Event 4769 with 0x17 at high volume, saturating the RC4 anomaly branch
Authorized red team activity or scheduled penetration testing engagements using Mimikatz or Rubeus during assessment windows will match all process-based signatures
PowerShell automation scripts from IT operations that reference 'silver', 's4u', or '/ptt' in parameter names, help strings, or output-parsing variable assignments without executing malicious Kerberos operations

Google Chronicle / SecOps

yaral

rule t1558_002_silver_ticket {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects Silver Ticket attacks via Mimikatz/Rubeus/PowerShell tool execution (PROCESS_LAUNCH) and Kerberos RC4 downgrade (Event 4769). Covers AADInternals Azure AD SSO silver ticket variant."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558.002"
    severity = "CRITICAL"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1558/002/"

  events:
    (
      /* Method 1a: Mimikatz or Rubeus direct binary execution */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and (
          re.regex($e.target.process.file.full_path, `(?i)(mimikatz(64)?\.exe$|rubeus\.exe$)`)
          or re.regex($e.principal.process.file.full_path, `(?i)(mimikatz(64)?\.exe$|rubeus\.exe$)`)
        )
        and re.regex($e.target.process.command_line, `(?i)(kerberos::silver|kerberos::ptt|\/ptt|sekurlsa::tickets|s4u|asktgs|createnetonly)`)
      )
      or
      /* Method 1b: PowerShell Invoke-Mimikatz / Rubeus loader / AADInternals */
      (
        $e.metadata.event_type = "PROCESS_LAUNCH"
        and re.regex($e.target.process.file.full_path, `(?i)(powershell|pwsh)\.exe$`)
        and re.regex($e.target.process.command_line, `(?i)(invoke-mimikatz|invoke-kerberoast|rubeus|new-aadintkerberosticket)`)
        and re.regex($e.target.process.command_line, `(?i)(silver|kerberos::ptt|\/ptt|\/target:|\/rc4:|azureadssoacc|seamlesssso)`)
      )
      or
      /* Method 2: Kerberos RC4 downgrade — Windows Security Event 4769 */
      /* TicketEncryptionType is mapped to extensions.auth.auth_details by the Chronicle */
      /* Windows Security Event Log parser; verify field mapping in your environment. */
      (
        $e.metadata.product_event_type = "4769"
        and (
          $e.extensions.auth.auth_details = "0x17"
          or $e.extensions.auth.auth_details = "0x18"
        )
        and not re.regex($e.target.resource.name, `.*\$$`)
        and $e.target.resource.name != "krbtgt"
        and $e.target.resource.name != "UNKNOWN"
        and $e.target.resource.name != "-"
        and not re.regex($e.principal.user.userid, `.*\$$`)
        and $e.principal.user.userid != "-"
      )
    )

  condition:
    $e
}

critical severity high confidence

Data Sources

Chronicle Windows Forwarder (process events via Sysmon or Endpoint) Chronicle Windows Security Event Log ingestion (Event 4769)

Required Tables

UDM PROCESS_LAUNCH events UDM USER_RESOURCE_ACCESS events (product_event_type=4769)

False Positives

Services using Kerberos constrained delegation (S4U2Self/S4U2Proxy) in .NET middleware, IIS application pools, or Java application servers will generate PROCESS_LAUNCH events with 's4u' in command-line arguments
RC4 Kerberos encryption (0x17) from legacy domain clients not yet migrated to AES encryption types (Windows XP/Server 2003 era, some embedded control systems, or misconfigured GPO environments) will generate Event 4769 continuously at high volume
Internal security teams running detection validation or YARA/sigma rule testing frameworks that reference Mimikatz or Kerberos attack terminology in test string literals or rule comments

CrowdStrike LogScale (CQL)

cql

// Silver Ticket Detection — CrowdStrike Falcon LogScale (CQL)
// Method 1: Tool Execution via ProcessRollup2
// NOTE: CrowdStrike EDR does not ingest Windows Security Event 4769.
// Silver tickets bypass the KDC entirely — no DC-side ticket issuance log is generated.
// Complement this query with Falcon Identity Protection for Kerberos anomaly coverage.

#event_simpleName=ProcessRollup2
| FileName=/(?i)(mimikatz(64)?\.exe$|rubeus\.exe$)/
  OR (
    FileName=/(?i)(powershell|pwsh)\.exe$/
    AND CommandLine=/(?i)(invoke-mimikatz|invoke-kerberoast|rubeus|new-aadintkerberosticket)/
    AND CommandLine=/(?i)(silver|kerberos::ptt|\/ptt|\/target:|\/rc4:|azureadssoacc)/
  )
| CommandLine=/(?i)(kerberos::silver|kerberos::ptt|\/ptt|silver| s4u |asktgs|sekurlsa::tickets|createnetonly)/
| ToolUsed := case {
    FileName=/(?i)mimikatz/ | "Mimikatz";
    FileName=/(?i)rubeus\.exe$/ | "Rubeus";
    FileName=/(?i)(powershell|pwsh)\.exe$/ AND CommandLine=/(?i)invoke-mimikatz/ | "Invoke-Mimikatz (PowerShell)";
    FileName=/(?i)(powershell|pwsh)\.exe$/ AND CommandLine=/(?i)new-aadintkerberosticket/ | "AADInternals";
    FileName=/(?i)(powershell|pwsh)\.exe$/ AND CommandLine=/(?i)rubeus/ | "Rubeus (PowerShell Loader)";
    * | "Unknown"
  }
| AttackPhase := case {
    CommandLine=/(?i)kerberos::silver/ | "Silver Ticket Forge";
    CommandLine=/(?i)(kerberos::ptt|\/ptt)/ | "Pass-the-Ticket Injection";
    CommandLine=/(?i)sekurlsa::tickets/ | "Ticket Enumeration";
    CommandLine=/(?i)(s4u|asktgs)/ | "Service Ticket Request (S4U/TGS)";
    CommandLine=/(?i)createnetonly/ | "Process Spawn for PTT";
    * | "Ticket Operation"
  }
| DetectionMethod := "Tool Execution"
| RiskLevel := "Critical"
| table(
    [_time, ComputerName, UserName, FileName, CommandLine, ParentBaseFileName, ParentCommandLine, ToolUsed, AttackPhase, DetectionMethod, RiskLevel],
    sortby=_time,
    order=desc
  )

critical severity high confidence

Data Sources

CrowdStrike Falcon EDR (ProcessRollup2, SyntheticProcessRollup2) CrowdStrike Falcon Identity Protection (Kerberos anomaly complement — separate data stream)

Required Tables

ProcessRollup2 SyntheticProcessRollup2

False Positives

Authorized red team or penetration testing engagements running Mimikatz or Rubeus on Falcon-enrolled endpoints within assessment scope will match all signatures — cross-reference ComputerName and timestamp against open change management records
Internal EDR testing pipelines or malware sandboxes connected to the production Falcon CID that execute Mimikatz-family binaries for signature validation, AV evasion testing, or detection engineering workflows
PowerShell IT operations scripts that include the strings 's4u', '/ptt', or 'silver' in parameter names, function names, inline help, or output-parsing patterns (e.g., wrappers around klist.exe or Kerberos delegation auditing tools)

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1558.002 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1558Steal or Forge Kerberos Tickets

Related Sub-techniques

T1558.001Golden Ticket T1558.003Kerberoasting T1558.004AS-REP Roasting T1558.005Ccache Files

Silver Ticket

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections