Detect Ccache Files in Microsoft Sentinel
Adversaries may steal Kerberos tickets held in credential cache (ccache) files. A ccache stores the short-lived session credentials (TGT and service tickets) issued at authentication so that a user or service can reach Kerberized services without re-entering a password. On Linux the default is a FILE ccache in /tmp named krb5cc_<UID>, sometimes with a random suffix (krb5cc_<UID>_XXXXXX) or a custom name such as krb5.ccache; the location is chosen by the KRB5CCNAME environment variable and the default_ccache_name setting in /etc/krb5.conf, which can also point at the kernel keyring (KEYRING:) or the KCM daemon instead of a file. On macOS, ccache entries are held in memory under an API:{uuid} naming scheme and are reached through the lower-level Kerberos framework APIs rather than the filesystem.
Anyone who can read the cache can copy it elsewhere, point KRB5CCNAME at the copy and authenticate as the victim without knowing the password (Pass the Ticket). Impacket's getST.py, getTGT.py and ticketer.py read and write ccache files programmatically, and Kekeo can convert a ccache to the Windows kirbi format so a ticket stolen from Linux can be replayed from Windows, enabling cross-platform lateral movement. Public incident reporting describes APT intrusions using this technique in Active Directory environments with Linux-integrated hosts.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1558 Steal or Forge Kerberos Tickets
- Sub-technique: T1558.005 Ccache Files
- Canonical reference: https://attack.mitre.org/techniques/T1558/005/
KQL Detection Query
let LegitKerbProcesses = dynamic(["kinit", "klist", "kdestroy", "kgetcred", "sssd", "krb5kdc", "kadmind", "sshd", "login", "su", "sudo", "gdm", "lightdm", "pamtester", "pamtest"]);
let ImpacketKerbTools = dynamic(["getST.py", "getTGT.py", "ticketer.py", "getNTHash.py", "rbcd.py", "getServiceTicket.py", "getPac.py", "getUserSPNs.py"]);
let ExfilCommands = dynamic(["cp", "mv", "cat", "base64", "xxd", "tar", "scp", "rsync", "nc", "ncat", "curl", "wget", "dd"]);
// Branch 1: Unexpected processes accessing ccache files on disk
let SuspiciousCcacheFileAccess = DeviceFileEvents
| where Timestamp > ago(24h)
| where (FolderPath startswith "/tmp" and FileName matches regex @"^krb5cc_[0-9]+(_[A-Za-z0-9]+)?$") // krb5cc_<uid>, optionally with the random suffix pam_krb5 / sssd templates add
or FileName =~ "krb5.ccache"
or (FolderPath contains "/krb5" and FileName endswith ".ccache")
| where InitiatingProcessFileName !in~ (LegitKerbProcesses)
| project Timestamp, DeviceName, AccountName,
AccessedPath = iff(FolderPath endswith FileName, FolderPath, strcat(FolderPath, "/", FileName)), // do not double the name where FolderPath already carries the full path
ActionType,
TriggerProcess = InitiatingProcessFileName,
TriggerCommandLine = InitiatingProcessCommandLine,
ParentProcess = InitiatingProcessParentFileName,
DetectionType = "UnexpectedCcacheFileAccess";
// Branch 2: Impacket Kerberos tools or Python interacting with ccache ticket data
let ImpacketOrPythonKerb = DeviceProcessEvents
| where Timestamp > ago(24h)
| where ProcessCommandLine has_any (ImpacketKerbTools)
or (FileName matches regex @"^python[0-9.]*$" // python, python3, python3.11 ...
and ProcessCommandLine has_any ("ccache", "krb5cc", "KRB5CCNAME")) // has_any is case-insensitive, so "ccache" also covers "CCache" and ".ccache"
| project Timestamp, DeviceName, AccountName,
AccessedPath = "",
ActionType = "ProcessExecution",
TriggerProcess = FileName,
TriggerCommandLine = ProcessCommandLine,
ParentProcess = InitiatingProcessFileName,
DetectionType = "ImpacketKerberosTool";
// Branch 3: Shell utilities referencing ccache file paths (staging or exfiltration)
let ShellCcacheAccess = DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName in~ (ExfilCommands)
| where ProcessCommandLine matches regex @"krb5cc_[0-9]+"
or ProcessCommandLine has "krb5.ccache"
| project Timestamp, DeviceName, AccountName,
AccessedPath = "",
ActionType = "ProcessExecution",
TriggerProcess = FileName,
TriggerCommandLine = ProcessCommandLine,
ParentProcess = InitiatingProcessFileName,
DetectionType = "CcacheFileCopyOrExfiltration";
union SuspiciousCcacheFileAccess, ImpacketOrPythonKerb, ShellCcacheAccess
| sort by Timestamp desc
This query detects ccache file theft on Linux endpoints monitored by Microsoft Defender for Endpoint (MDE), with partial coverage for macOS. Three branches run in parallel: (1) non-Kerberos processes touching /tmp/krb5cc_* or .ccache files, from DeviceFileEvents; (2) Impacket Kerberos tools, or Python interpreters whose command line references ccache data, from DeviceProcessEvents; and (3) shell utilities (cp, base64, nc, scp, curl and the like) naming a ccache path, which indicates staging or exfiltration. The branches are unioned into one result set with a DetectionType field that tells the analyst which branch fired. Two limits matter before deployment: macOS keeps ccache entries in memory rather than on disk, so only the command-line branches (2 and 3) apply there; and MDE on Linux records file creations, modifications, renames and deletions, not reads, so a plain copy of an existing ccache surfaces as the cp process (Branch 3) and as the new destination file, not as an access to the source in Branch 1.
Data Sources
Required Tables
- DeviceFileEvents (Microsoft Defender for Endpoint file create/modify/rename/delete telemetry) for Branch 1
- DeviceProcessEvents (Microsoft Defender for Endpoint process creation with full command line) for Branches 2 and 3
Both tables reach Sentinel through the Microsoft Defender XDR data connector. The auditd records listed under Testing Methodology are corroborating evidence for investigation, not inputs to this query.
False Positives & Tuning
- Backup agents (Bacula, Veeam for Linux, Amanda) that scan /tmp during filesystem-level backups will trigger Branch 1 if they create or modify files there
- Security scanning tools (Qualys, Tenable Nessus) performing file discovery across /tmp can generate Branch 1 noise
- Legitimate Python applications using the gssapi or krb5 Python libraries for service-to-service Kerberos authentication will trigger Branch 2 whenever a ccache path or KRB5CCNAME appears on the command line; common in Hadoop, Spark and Kafka deployments
- System administrators manually running klist followed by cp to clone a ccache while debugging Kerberos delegation or KDC trust issues
- Automated CI/CD pipeline agents (Jenkins, GitLab Runner) that use Kerberos credentials to reach internal NFS shares or Kerberized databases
- sssd runs its work through separate helper binaries (sssd_pam, sssd_be, sssd_kcm), which the sssd entry in LegitKerbProcesses does not match; add them, and gssproxy or rpc.gssd on NFS clients, if they appear in Branch 1
- Hosts whose krb5.conf sets default_ccache_name to KEYRING:persistent:%{uid} or KCM: (the default on recent Fedora and RHEL releases) keep tickets out of /tmp altogether; Branch 1 never fires there and Branches 2 and 3 are the only coverage
- find is not in ExfilCommands, so the discovery step in Test 1 (find /tmp -name 'krb5cc_*') does not alert on its own; add it only if you can absorb the resulting noise
Testing Methodology
Validate this detection with the four Atomic Red Team tests for T1558.005. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Discover and Copy Ccache File
Expected signal: DeviceProcessEvents: process creation for find (/tmp/krb5cc_*), klist (-c /tmp/krb5cc_<uid>), and cp. DeviceFileEvents: FileCreated for /tmp/.svc_cache_bak with InitiatingProcessFileName=cp. Auditd (linux_audit): SYSCALL records for open/read on /tmp/krb5cc_<uid> with exe=/bin/cp, plus PATH records for both source and destination files. key=kerberos_ccache if auditd watch is configured.
- Test 2: Base64 Encode Ccache for Exfiltration
Expected signal: DeviceProcessEvents: process creation for base64 with ProcessCommandLine containing 'krb5cc_<uid>' and xxd with the same path. Auditd (linux_audit): SYSCALL open/read records on /tmp/krb5cc_<uid> with exe=/usr/bin/base64 and exe=/usr/bin/xxd. These processes will appear in linux_audit events alongside EXECVE records showing the full command.
- Test 3: Use Impacket Python Library to Read Ccache Tickets
Expected signal: DeviceProcessEvents: python3 process creation with ProcessCommandLine containing 'CCache', 'ccache' or 'krb5cc_'. DeviceFileEvents: none expected; MDE on Linux reports file creations, modifications, renames and deletions, not reads, so the python3 process record is the signal here. Auditd (linux_audit): SYSCALL open record with exe=/usr/bin/python3 on the ccache path, and an EXECVE record showing the full python3 -c invocation with the ccache string patterns.
- Test 4: Set KRB5CCNAME to Stolen Ticket and Authenticate
Expected signal: DeviceProcessEvents: cp process with /tmp/krb5cc_<uid> in command line, klist process with -c /tmp/attacker_krb5cc argument. DeviceFileEvents: FileCreated for /tmp/attacker_krb5cc with InitiatingProcessFileName=cp. Auditd (linux_audit): SYSCALL records for cp (open/read on source, open/write/creat on destination) and klist (open/read on /tmp/attacker_krb5cc). The unusual ccache path /tmp/attacker_krb5cc is a behavioral anomaly.
References (12)
- https://attack.mitre.org/techniques/T1558/005/
- https://www.binarydefense.com/resources/blog/shining-a-light-in-the-dark-how-binary-defense-uncovered-an-apt-lurking-in-shadows-of-it/
- https://adepts.of0x.cc/kerberos-thievery-linux/
- https://posts.specterops.io/when-kirbi-walks-the-bifrost-4c727807744f
- https://www.fireeye.com/blog/threat-research/2020/04/kerberos-tickets-on-linux-red-teams.html
- https://labs.portcullis.co.uk/download/eu-18-Wadhwa-Brown-Where-2-worlds-collide-Bringing-Mimikatz-et-al-to-UNIX.pdf
- https://github.com/gentilkiwi/kekeo
- https://github.com/fortra/impacket
- https://web.mit.edu/kerberos/krb5-1.12/doc/basic/ccache_def.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558.005/T1558.005.md
- https://learn.microsoft.com/en-us/defender-endpoint/linux-support-events
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/using_kerberos/introduction-to-kerberos_using-kerberos