T1558.005

Ccache Files

Adversaries may attempt to steal Kerberos tickets stored in credential cache (ccache) files. These files store short-lived Kerberos session credentials created at authentication, enabling access to network services without re-entering passwords. On Linux, ccache files are typically located in /tmp with names in the format krb5cc_<UID> or krb5.ccache; storage is governed by the KRB5CCNAME environment variable and /etc/krb5.conf. On macOS, ccache entries are held in memory under an API:{uuid} naming scheme, accessible via lower-level Kerberos framework APIs. Adversaries steal these files and replay tickets to authenticate as the victim without knowing their password (Pass the Ticket). Impacket tools including getST.py, getTGT.py, and ticketer.py are commonly used to programmatically interact with ccache files. Kekeo can convert ccache files to Windows kirbi format for reuse on Windows systems, enabling cross-platform lateral movement. Real-world usage includes APT groups operating in Active Directory environments with Linux-integrated systems.

Microsoft Sentinel / Defender

kusto

let LegitKerbProcesses = dynamic(["kinit", "klist", "kdestroy", "kgetcred", "sssd", "krb5kdc", "kadmind", "sshd", "login", "su", "sudo", "gdm", "lightdm", "pamtester", "pamtest"]);
let ImpacketKerbTools = dynamic(["getST.py", "getTGT.py", "ticketer.py", "getNTHash.py", "rbcd.py", "getServiceTicket.py", "getPac.py", "getUserSPNs.py"]);
let ExfilCommands = dynamic(["cp", "mv", "cat", "base64", "xxd", "tar", "scp", "rsync", "nc", "ncat", "curl", "wget", "dd"]);
// Branch 1: Unexpected processes accessing ccache files on disk
let SuspiciousCcacheFileAccess = DeviceFileEvents
    | where Timestamp > ago(24h)
    | where (FolderPath startswith "/tmp/" and FileName matches regex @"^krb5cc_[0-9]+$")
          or FileName =~ "krb5.ccache"
          or (FolderPath contains "/krb5" and FileName endswith ".ccache")
    | where InitiatingProcessFileName !in~ (LegitKerbProcesses)
    | project Timestamp, DeviceName, AccountName,
              AccessedPath = strcat(FolderPath, "/", FileName),
              ActionType,
              TriggerProcess = InitiatingProcessFileName,
              TriggerCommandLine = InitiatingProcessCommandLine,
              ParentProcess = InitiatingProcessParentFileName,
              DetectionType = "UnexpectedCcacheFileAccess";
// Branch 2: Impacket Kerberos tools or Python interacting with ccache ticket data
let ImpacketOrPythonKerb = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where ProcessCommandLine has_any (ImpacketKerbTools)
          or (FileName in~ ("python", "python3", "python2")
              and ProcessCommandLine has_any ("CCache", "ccache", "krb5cc", "KRB5CCNAME", ".ccache"))
    | project Timestamp, DeviceName, AccountName,
              AccessedPath = "",
              ActionType = "ProcessExecution",
              TriggerProcess = FileName,
              TriggerCommandLine = ProcessCommandLine,
              ParentProcess = InitiatingProcessFileName,
              DetectionType = "ImpacketKerberosTool";
// Branch 3: Shell utilities referencing ccache file paths (staging or exfiltration)
let ShellCcacheAccess = DeviceProcessEvents
    | where Timestamp > ago(24h)
    | where FileName in~ (ExfilCommands)
    | where ProcessCommandLine matches regex @"krb5cc_[0-9]+"
          or ProcessCommandLine has "krb5.ccache"
    | project Timestamp, DeviceName, AccountName,
              AccessedPath = "",
              ActionType = "ProcessExecution",
              TriggerProcess = FileName,
              TriggerCommandLine = ProcessCommandLine,
              ParentProcess = InitiatingProcessFileName,
              DetectionType = "CcacheFileCopyOrExfiltration";
union SuspiciousCcacheFileAccess, ImpacketOrPythonKerb, ShellCcacheAccess
| sort by Timestamp desc

high severity medium confidence

Data Sources

File: File Access Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint (Linux agent) Microsoft Defender for Endpoint (macOS agent)

Required Tables

DeviceFileEvents DeviceProcessEvents

False Positives

Backup agents (Bacula, Veeam for Linux, Amanda) that scan /tmp during filesystem-level backups will trigger Branch 1
Security scanning tools (Qualys, Tenable Nessus) performing file discovery across /tmp will generate false positives from Branch 1
Legitimate Python applications using the gssapi or krb5 Python libraries for service-to-service Kerberos authentication will trigger Branch 2 — common in Hadoop, Spark, and Kafka deployments
System administrators manually running klist followed by cp to clone ccache files for debugging Kerberos delegation or KDC trust issues
Automated CI/CD pipeline agents (Jenkins, GitLab Runner) that use Kerberos credentials for accessing internal NFS shares or Kerberized databases

Splunk

spl

index=linux sourcetype="linux_audit"
| eval _is_ccache_key = if(isnotnull(key) AND key="kerberos_ccache", 1, 0)
| eval _is_impacket = if(
    match(coalesce(exe, ""), "(getST|getTGT|ticketer|getNTHash|rbcd|getServiceTicket|getPac)[.]py$"), 1, 0)
| eval _is_python_kerb = if(
    match(coalesce(exe, ""), "python[0-9]?$") AND
    (match(_raw, "CCache") OR match(_raw, "krb5cc_") OR match(_raw, "KRB5CCNAME") OR match(_raw, "[.]ccache")), 1, 0)
| eval _is_copy_exfil = if(
    match(coalesce(exe, ""), "/(cp|mv|cat|base64|xxd|tar|scp|rsync|ncat?|curl|wget|dd)$") AND
    (match(_raw, "krb5cc_[0-9]+") OR match(_raw, "krb5[.]ccache")), 1, 0)
| where _is_ccache_key=1 OR _is_impacket=1 OR _is_python_kerb=1 OR _is_copy_exfil=1
| where NOT match(coalesce(exe, ""), "(kinit|klist|kdestroy|sssd|krb5kdc|kadmind|sshd|login)$")
| eval detection_type = case(
    _is_impacket=1, "ImpacketKerberosTool",
    _is_python_kerb=1, "PythonKerberosInteraction",
    _is_copy_exfil=1, "CcacheFileCopyOrExfiltration",
    _is_ccache_key=1, "CcacheFileAccess",
    true(), "KerberosActivityUnknown")
| table _time, host, uid, auid, exe, comm, key, name, pid, ppid, syscall, detection_type
| sort - _time

high severity medium confidence

Data Sources

Process: Process Creation File: File Access Linux auditd Splunk Add-on for Unix and Linux

Required Sourcetypes

linux_audit

False Positives

Backup agents performing filesystem-level scans of /tmp will generate ccache_key events if the auditd watch covers the full /tmp directory
Legitimate Python Kerberos applications (Hadoop ecosystem, MIT Kerberos bindings via gssapi library) performing routine ticket operations
Security scanners like Lynis or rkhunter that inspect /tmp contents as part of filesystem audits
Administrators running klist or manual ccache file operations during Kerberos troubleshooting sessions
Container orchestration systems (Kubernetes with Kerberos sidecar containers) that routinely renew and access ccache files for pod authentication

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  logsourcename(logsourceid) AS log_source,
  sourceip,
  username,
  "pid",
  "ppid",
  "exe",
  "comm",
  "syscall",
  "name" AS file_accessed,
  CASE
    WHEN REGEXP_MATCH(COALESCE("exe", ''), '(getST|getTGT|ticketer|getNTHash|rbcd|getServiceTicket|getPac|getUserSPNs)[.]py$') THEN 'ImpacketKerberosTool'
    WHEN REGEXP_MATCH(COALESCE("exe", ''), 'python[0-9]?$') AND (TEXT ILIKE '%CCache%' OR TEXT ILIKE '%krb5cc_%' OR TEXT ILIKE '%KRB5CCNAME%' OR TEXT ILIKE '%.ccache%') THEN 'PythonKerberosInteraction'
    WHEN REGEXP_MATCH(COALESCE("exe", ''), '/(cp|mv|cat|base64|xxd|tar|scp|rsync|ncat?|curl|wget|dd)$') AND (TEXT ILIKE '%krb5cc_%' OR TEXT ILIKE '%krb5.ccache%') THEN 'CcacheFileCopyOrExfiltration'
    WHEN "key" = 'kerberos_ccache' THEN 'CcacheFileAccess'
    ELSE 'KerberosActivityUnknown'
  END AS detection_type
FROM events
WHERE
  LOGSOURCETYPENAME(devicetype) ILIKE '%linux%'
  AND starttime > NOW() - 86400000
  AND (
    /* Impacket tools */
    REGEXP_MATCH(COALESCE("exe", ''), '(getST|getTGT|ticketer|getNTHash|rbcd|getServiceTicket|getPac|getUserSPNs)[.]py$')
    OR
    /* Python Kerberos interaction */
    (
      REGEXP_MATCH(COALESCE("exe", ''), 'python[0-9]?$') AND
      (TEXT ILIKE '%CCache%' OR TEXT ILIKE '%krb5cc_%' OR TEXT ILIKE '%KRB5CCNAME%' OR TEXT ILIKE '%.ccache%')
    )
    OR
    /* Copy/exfil commands referencing ccache paths */
    (
      REGEXP_MATCH(COALESCE("exe", ''), '/(cp|mv|cat|base64|xxd|tar|scp|rsync|ncat?|curl|wget|dd)$') AND
      (TEXT ILIKE '%krb5cc_%' OR TEXT ILIKE '%krb5.ccache%')
    )
    OR
    /* Auditd kerberos_ccache watch key */
    "key" = 'kerberos_ccache'
  )
  AND NOT REGEXP_MATCH(COALESCE("exe", ''), '(kinit|klist|kdestroy|sssd|krb5kdc|kadmind|sshd|login)$')
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

Linux Auditd via QRadar DSM QRadar Linux OS log source

Required Tables

events

False Positives

Automated configuration management tools (Ansible, Chef) running Python scripts that reference Kerberos environment variables during system configuration
SSSD or PAM Kerberos modules triggering auditd watch rules during normal user authentication flows
Backup software (Bacula, Amanda) using scp or rsync that coincidentally traverses /tmp and logs ccache file names in audit trails

Sumo Logic CSE

sql

// Branch 1: Auditd ccache file access watch key hits
(_sourceCategory=*linux*auditd* OR _sourceCategory=*auditd*)
| parse regex "key=\"(?<audit_key>[^\"]+)\""
| parse regex "exe=\"(?<exe>[^\"]+)\"" nodrop
| parse regex "comm=\"(?<comm>[^\"]+)\"" nodrop
| parse regex "name=\"(?<file_name>[^\"]+)\"" nodrop
| parse regex "pid=(?<pid>\d+)" nodrop
| parse regex "uid=(?<uid>\d+)" nodrop
| parse regex "hostname=(?<src_host>[^\s]+)" nodrop
| where audit_key = "kerberos_ccache"
  OR (exe matches "*getST*" OR exe matches "*getTGT*" OR exe matches "*ticketer*" OR exe matches "*getNTHash*" OR exe matches "*rbcd*")
  OR (
    (exe matches "*/python" OR exe matches "*/python2" OR exe matches "*/python3")
    AND (_raw matches "*CCache*" OR _raw matches "*krb5cc_*" OR _raw matches "*KRB5CCNAME*" OR _raw matches "*.ccache*")
  )
  OR (
    (exe matches "*/cp" OR exe matches "*/mv" OR exe matches "*/cat" OR exe matches "*/base64"
     OR exe matches "*/tar" OR exe matches "*/scp" OR exe matches "*/rsync" OR exe matches "*/curl"
     OR exe matches "*/wget" OR exe matches "*/nc" OR exe matches "*/ncat" OR exe matches "*/dd")
    AND (_raw matches "*krb5cc_*" OR _raw matches "*krb5.ccache*")
  )
| where !(exe matches "*/kinit" OR exe matches "*/klist" OR exe matches "*/kdestroy"
          OR exe matches "*/sssd" OR exe matches "*/krb5kdc" OR exe matches "*/kadmind"
          OR exe matches "*/sshd" OR exe matches "*/login")
| eval detection_type = if(exe matches "*(getST|getTGT|ticketer|getNTHash|rbcd|getServiceTicket|getPac|getUserSPNs)*",
    "ImpacketKerberosTool",
    if((exe matches "*/python*") AND (_raw matches "*CCache*" OR _raw matches "*krb5cc_*"),
      "PythonKerberosInteraction",
      if(audit_key = "kerberos_ccache",
        "CcacheFileAccess",
        "CcacheFileCopyOrExfiltration"
      )
    )
  )
| fields _messageTime, src_host, uid, pid, exe, comm, file_name, audit_key, detection_type
| sort by _messageTime desc

high severity medium confidence

Data Sources

Linux Auditd (via Sumo Logic installed collector) Syslog with auditd forwarding

Required Tables

_sourceCategory=*linux*auditd* _sourceCategory=*auditd*

False Positives

Kerberos-aware monitoring agents that enumerate /tmp for ccache files as part of health or credential expiry checks
CI/CD pipelines using Python and Kerberos authentication to access internal services, with KRB5CCNAME set in environment
SRE or ops tooling using scp or rsync to migrate home directories including /tmp symlinks or dot files referencing ccache paths

Google Chronicle / SecOps

yaral

rule t1558_005_ccache_file_theft {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects adversarial access to Kerberos ccache files on Linux/macOS systems. Covers Impacket tool execution, Python ccache manipulation, and shell-based exfiltration. Maps to MITRE ATT&CK T1558.005."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558.005"
    severity = "HIGH"
    confidence = "HIGH"

  events:
    (
      /* Branch 1: File access to ccache paths by non-Kerberos processes */
      (
        $e.metadata.event_type = "FILE_OPEN" or
        $e.metadata.event_type = "FILE_READ" or
        $e.metadata.event_type = "FILE_COPY"
      ) and
      (
        re.regex($e.target.file.full_path, `/tmp/krb5cc_[0-9]+`) or
        $e.target.file.name = "krb5.ccache" or
        (
          re.regex($e.target.file.full_path, `.*/krb5/.*`) and
          re.regex($e.target.file.name, `.*\.ccache$`)
        )
      ) and
      not re.regex($e.principal.process.file.full_path,
        `.*(kinit|klist|kdestroy|kgetcred|sssd|krb5kdc|kadmind|sshd|login|sudo|gdm|lightdm|pamtester|pamtest)$`)
    ) or
    (
      /* Branch 2: Impacket Kerberos tool execution */
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      (
        re.regex($e.target.process.command_line,
          `(getST|getTGT|ticketer|getNTHash|rbcd|getServiceTicket|getPac|getUserSPNs)\.py`) or
        (
          re.regex($e.principal.process.file.full_path, `.*(python|python2|python3)$`) and
          (
            re.regex($e.target.process.command_line, `CCache`) or
            re.regex($e.target.process.command_line, `krb5cc_[0-9]+`) or
            re.regex($e.target.process.command_line, `KRB5CCNAME`) or
            re.regex($e.target.process.command_line, `\.ccache`)
          )
        )
      )
    ) or
    (
      /* Branch 3: Shell utilities exfiltrating ccache files */
      $e.metadata.event_type = "PROCESS_LAUNCH" and
      re.regex($e.principal.process.file.full_path,
        `.*(\bcp|\bmv|\bcat|\bbase64|\bxxd|\btar|\bscp|\brsync|\bnc|\bncat|\bcurl|\bwget|\bdd)$`) and
      (
        re.regex($e.target.process.command_line, `krb5cc_[0-9]+`) or
        re.regex($e.target.process.command_line, `krb5\.ccache`)
      )
    )

  condition:
    $e
}

high severity high confidence

Data Sources

Chronicle UDM (Unified Data Model) Google Chronicle Endpoint Telemetry Linux auditd via Chronicle forwarder

Required Tables

UDM Events (FILE_OPEN, FILE_READ, FILE_COPY, PROCESS_LAUNCH)

False Positives

Legitimate Kerberos ticket renewal tools or PAM modules that access ccache files during authentication — ensure exclusion list covers all site-specific auth daemons
Security scanning tools (Lynis, OpenSCAP) that enumerate /tmp for sensitive credential files as part of compliance audits
Container init systems or entrypoint scripts using Python with KRB5CCNAME environment variable set for Kerberos-authenticated service startup

CrowdStrike LogScale (CQL)

cql

// T1558.005 — Ccache File Theft Detection
// Branch 1: Impacket Kerberos tools executed
#event_simpleName=ProcessRollup2
| CommandLine = /getST\.py|getTGT\.py|ticketer\.py|getNTHash\.py|rbcd\.py|getServiceTicket\.py|getPac\.py|getUserSPNs\.py/
| groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName],
    function=[
      count(aid, as=event_count),
      min(ContextTimeStamp, as=first_seen),
      max(ContextTimeStamp, as=last_seen)
    ])
| eval detection_type="ImpacketKerberosTool"

// Branch 2: Python scripts referencing ccache credential data
| union [
  #event_simpleName=ProcessRollup2
  | FileName = /python[23]?$/
  | CommandLine = /CCache|krb5cc_[0-9]+|KRB5CCNAME|\.ccache/
  | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName],
      function=[
        count(aid, as=event_count),
        min(ContextTimeStamp, as=first_seen),
        max(ContextTimeStamp, as=last_seen)
      ])
  | eval detection_type="PythonKerberosInteraction"
]

// Branch 3: Shell/exfil utilities referencing ccache file paths
| union [
  #event_simpleName=ProcessRollup2
  | FileName = /^(cp|mv|cat|base64|xxd|tar|scp|rsync|nc|ncat|curl|wget|dd)$/
  | CommandLine = /krb5cc_[0-9]+|krb5\.ccache/
  | groupBy([ComputerName, UserName, FileName, CommandLine, ParentBaseFileName],
      function=[
        count(aid, as=event_count),
        min(ContextTimeStamp, as=first_seen),
        max(ContextTimeStamp, as=last_seen)
      ])
  | eval detection_type="CcacheFileCopyOrExfiltration"
]

// Branch 4: File writes or reads on ccache paths
| union [
  #event_simpleName IN (FileOpenInfo, FileWrittenInfo, NewExecutableWritten)
  | TargetFileName = /\/tmp\/krb5cc_[0-9]+|\/krb5\.ccache|\/krb5\/.*\.ccache/
  | ContextProcessName != /kinit|klist|kdestroy|sssd|krb5kdc|kadmind|sshd|login|sudo/
  | groupBy([ComputerName, UserName, ContextProcessName, TargetFileName],
      function=[
        count(aid, as=event_count),
        min(ContextTimeStamp, as=first_seen),
        max(ContextTimeStamp, as=last_seen)
      ])
  | eval detection_type="UnexpectedCcacheFileAccess"
]

| sort(last_seen, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Endpoint Protection Falcon ProcessRollup2 events Falcon FileOpenInfo / FileWrittenInfo events

Required Tables

ProcessRollup2 FileOpenInfo FileWrittenInfo NewExecutableWritten

False Positives

Red team or pentest tooling on authorized assessment hosts — Impacket is widely used by both attackers and defenders
DevOps automation scripts using Python with Kerberos authentication to access Hadoop, Kafka, or other Kerberized data infrastructure
System backup jobs (rsync, tar) that archive /tmp including ccache files as part of full filesystem snapshots before maintenance windows

Last updated: 2026-04-13 Research depth: deep

References (12)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1558.005 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1558Steal or Forge Kerberos Tickets

Related Sub-techniques

T1558.001Golden Ticket T1558.002Silver Ticket T1558.003Kerberoasting T1558.004AS-REP Roasting

Ccache Files

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections