Detect Steal or Forge Kerberos Tickets in Google Chronicle
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket (T1550.003). In Active Directory environments, Kerberos is the primary authentication protocol. Adversaries exploit it through multiple sub-techniques: Kerberoasting (T1558.003) requests service tickets for accounts with SPNs using RC4 encryption for offline hash cracking; AS-REP Roasting (T1558.004) targets accounts with pre-authentication disabled to obtain crackable AS-REP responses; Golden Ticket attacks (T1558.001) use a stolen KRBTGT hash to forge TGTs granting unrestricted domain access; Silver Ticket attacks (T1558.002) forge service tickets using a service account hash for targeted service access; and Ccache file theft (T1558.005) targets Linux/macOS Kerberos credential cache files. Common offensive tools include Rubeus, Mimikatz (kerberos modules), Kekeo, and the Impacket suite (GetUserSPNs.py, GetNPUsers.py, ticketer.py). Detection leverages Windows Security Kerberos event IDs 4768, 4769, and 4771 for protocol-level anomalies such as RC4 encryption downgrade requests in AES-enforced environments, and process telemetry for offensive tool signatures.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1558 Steal or Forge Kerberos Tickets
- Canonical reference
- https://attack.mitre.org/techniques/T1558/
YARA-L Detection Query
rule t1558_steal_forge_kerberos_tickets {
meta:
author = "Detection Engineering"
description = "Detects T1558 Steal or Forge Kerberos Tickets: Kerberoasting, AS-REP Roasting, Golden Ticket, and Kerberos attack tool execution"
mitre_attack_tactic = "Credential Access"
mitre_attack_technique = "T1558"
mitre_attack_sub_techniques = "T1558.001, T1558.002, T1558.003, T1558.004"
severity = "CRITICAL"
priority = "HIGH"
reference = "https://attack.mitre.org/techniques/T1558/"
created = "2026-01-01"
version = "1.0"
events:
(
// Pattern 1 & 2 & 3: Kerberos protocol anomalies (4768/4769)
$e.metadata.event_type = "USER_RESOURCE_ACCESS"
and $e.metadata.product_event_type in ("4768", "4769")
and (
// Kerberoasting: RC4 TGS request for service account
(
$e.metadata.product_event_type = "4769"
and $e.target.resource.attribute.labels["ticket_encryption_type"] in ("0x17", "0x18")
and not re.regex($e.target.resource.name, `.*\$$`)
and not $e.target.resource.name in ("krbtgt", "kadmin/changepw")
and not $e.principal.ip in ("::1", "127.0.0.1", "-")
)
or
// AS-REP Roasting: Pre-auth disabled TGT
(
$e.metadata.product_event_type = "4768"
and $e.target.resource.attribute.labels["pre_authentication_type"] = "0"
and $e.target.resource.attribute.labels["ticket_encryption_type"] in ("0x17", "0x18")
)
or
// Golden Ticket indicator: RC4 TGT in AES-enforced domain
(
$e.metadata.product_event_type = "4768"
and $e.target.resource.attribute.labels["ticket_encryption_type"] in ("0x17", "0x18")
and not $e.principal.ip in ("::1", "127.0.0.1", "-")
)
)
)
or
(
// Pattern 4: Kerberos attack tool process execution
$e.metadata.event_type = "PROCESS_LAUNCH"
and (
re.regex($e.target.process.command_line, `(?i)(rubeus|kerberoast|asreproast|getuserspns|getnpusers|sekurlsa::tickets|kerberos::golden|kerberos::silver|kerberos::ptt|\.kirbi|ticketer\.py|tgtdeleg|kekeo)`)
or $e.target.process.file.full_path matches "/(?i)(rubeus\.exe|kekeo\.exe)$/"
)
)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting T1558 Steal or Forge Kerberos Tickets using UDM normalized event fields. Covers Kerberoasting (4769 RC4 TGS), AS-REP Roasting (4768 pre-auth disabled), Golden Ticket indicators (RC4 TGT), and Kerberos offensive tool process execution. Uses UDM USER_RESOURCE_ACCESS and PROCESS_LAUNCH event types with product_event_type matching Windows Security EventIDs and ECS-aligned process fields.
Data Sources
Required Tables
False Positives & Tuning
- Organizations with AD mixed-mode environments still supporting legacy RC4 encryption will see elevated 4769 RC4 events from legitimate clients
- IT automation tools using service accounts with SPNs for scheduled tasks may generate Kerberoasting-like patterns
- Domain admin activity during AD migrations or security assessments that involve SPN enumeration
- Authorized penetration tests — no suppression by default, correlate with approved test windows
Other platforms for T1558
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Kerberoasting with Rubeus — RC4 TGS Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image ending in Rubeus.exe and CommandLine containing 'kerberoast'. Windows Security Event ID 4769 on the domain controller for each SPN enumerated, with TicketEncryptionType=0x17 and TicketOptions=0x40810000. The requesting AccountName and source IpAddress will match the test machine. Multiple 4769 events in rapid succession from the same source IP is the key burst pattern.
- Test 2AS-REP Roasting with Rubeus — Pre-Auth Disabled Account Hash Capture
Expected signal: Sysmon Event ID 1: Process Create with Image ending in Rubeus.exe and CommandLine containing 'asreproast'. Windows Security Event ID 4768 on the domain controller for each targeted account, with PreAuthType=0 and TicketEncryptionType=0x17 or 0x18. Source IpAddress matches test machine.
- Test 3Kerberos Ticket Dump with Mimikatz
Expected signal: Sysmon Event ID 1: Process Create with Image ending in mimikatz.exe and CommandLine containing 'sekurlsa::tickets'. Sysmon Event ID 10 (Process Access): mimikatz.exe accessing lsass.exe with GrantedAccess 0x1010 or 0x1438. Sysmon Event ID 11 (File Create): multiple .kirbi files written to the working directory. Windows Defender Event ID 1116 may fire on AMSI or signature detection.
- Test 4AS-REP Roasting with Impacket GetNPUsers.py (Linux/Cross-Platform)
Expected signal: Windows Security Event ID 4768 on the targeted domain controller for each AS-REP Roastable account, with PreAuthType=0 and source IpAddress matching the Linux attacker machine. On the DC Sysmon would not capture this (it's a network event), so primary telemetry is the Security log. DNS/LDAP queries to the DC LDAP port (389/636) from the source IP visible in network logs.
- Test 5Kerberos Ticket Enumeration with Built-in klist
Expected signal: Sysmon Event ID 1: Process Create with Image = C:\Windows\System32\klist.exe. Security Event ID 4688 (if command line auditing enabled) with ProcessName = klist.exe. No 4769 events are generated — klist reads from local cache only without contacting the KDC.
References (13)
- https://attack.mitre.org/techniques/T1558/
- https://adsecurity.org/?p=1515
- https://adsecurity.org/?p=2293
- https://adsecurity.org/?p=227
- https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- https://docs.microsoft.com/windows-server/administration/windows-commands/klist
- https://github.com/GhostPack/Rubeus
- https://github.com/SecureAuthCorp/impacket
- https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md
Unlock Pro Content
Get the full detection package for T1558 including response playbook, investigation guide, and atomic red team tests.