Detect Steal or Forge Kerberos Tickets in IBM QRadar
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket (T1550.003). In Active Directory environments, Kerberos is the primary authentication protocol. Adversaries exploit it through multiple sub-techniques: Kerberoasting (T1558.003) requests service tickets for accounts with SPNs using RC4 encryption for offline hash cracking; AS-REP Roasting (T1558.004) targets accounts with pre-authentication disabled to obtain crackable AS-REP responses; Golden Ticket attacks (T1558.001) use a stolen KRBTGT hash to forge TGTs granting unrestricted domain access; Silver Ticket attacks (T1558.002) forge service tickets using a service account hash for targeted service access; and Ccache file theft (T1558.005) targets Linux/macOS Kerberos credential cache files. Common offensive tools include Rubeus, Mimikatz (kerberos modules), Kekeo, and the Impacket suite (GetUserSPNs.py, GetNPUsers.py, ticketer.py). Detection leverages Windows Security Kerberos event IDs 4768, 4769, and 4771 for protocol-level anomalies such as RC4 encryption downgrade requests in AES-enforced environments, and process telemetry for offensive tool signatures.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1558 Steal or Forge Kerberos Tickets
- Canonical reference: https://attack.mitre.org/techniques/T1558/
QRadar Detection Query
-- Pattern 1: Kerberoasting — RC4 TGS requests
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
logsourceid,
LOGSOURCENAME(logsourceid) AS LogSource,
sourceip AS ClientIP,
username AS AccountName,
QIDNAME(qid) AS EventName,
devicestring AS ServiceName,
'Kerberoasting' AS AttackPattern,
'Critical' AS Severity
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) = 12
AND QIDNAME(qid) LIKE '%4769%'
AND devicestring NOT LIKE '%$'
AND devicestring NOT IN ('krbtgt', 'kadmin/changepw')
AND sourceip NOT IN ('127.0.0.1', '::1', '-')
AND UTF8(databytes) LIKE '%0x17%'
AND starttime > (CURRENT_TIMESTAMP - 86400000)
UNION ALL
-- Pattern 2: AS-REP Roasting — Pre-auth disabled TGT
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
logsourceid,
LOGSOURCENAME(logsourceid) AS LogSource,
sourceip AS ClientIP,
username AS AccountName,
QIDNAME(qid) AS EventName,
devicestring AS ServiceName,
'AS-REP Roasting' AS AttackPattern,
'High' AS Severity
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) = 12
AND QIDNAME(qid) LIKE '%4768%'
AND UTF8(databytes) LIKE '%Pre-Authentication Type:%0%'
AND (UTF8(databytes) LIKE '%0x17%' OR UTF8(databytes) LIKE '%0x18%')
AND sourceip NOT IN ('127.0.0.1', '::1', '-')
AND starttime > (CURRENT_TIMESTAMP - 86400000)
UNION ALL
-- Pattern 3: Kerberos attack tool process execution (Sysmon Event ID 1)
SELECT
DATEFORMAT(starttime, 'YYYY-MM-dd HH:mm:ss') AS EventTime,
logsourceid,
LOGSOURCENAME(logsourceid) AS LogSource,
sourceip AS ClientIP,
username AS AccountName,
QIDNAME(qid) AS EventName,
UTF8(databytes) AS CommandLine,
'Kerberos Attack Tool' AS AttackPattern,
'Critical' AS Severity
FROM events
WHERE
LOGSOURCETYPEID(logsourceid) = 12
-- Sysmon Event ID 1 (Process Create), matched on the EventID custom event property
AND "EventID" = '1'
AND (
LOWER(UTF8(databytes)) LIKE '%rubeus%'
OR LOWER(UTF8(databytes)) LIKE '%kerberoast%'
OR LOWER(UTF8(databytes)) LIKE '%asreproast%'
OR LOWER(UTF8(databytes)) LIKE '%getuserspns%'
OR LOWER(UTF8(databytes)) LIKE '%getnpusers%'
OR LOWER(UTF8(databytes)) LIKE '%sekurlsa::tickets%'
OR LOWER(UTF8(databytes)) LIKE '%kerberos::golden%'
OR LOWER(UTF8(databytes)) LIKE '%kerberos::silver%'
OR LOWER(UTF8(databytes)) LIKE '%kerberos::ptt%'
OR LOWER(UTF8(databytes)) LIKE '%.kirbi%'
OR LOWER(UTF8(databytes)) LIKE '%ticketer.py%'
OR LOWER(UTF8(databytes)) LIKE '%tgtdeleg%'
)
AND starttime > (CURRENT_TIMESTAMP - 86400000)
ORDER BY EventTime DESC

Detects Steal or Forge Kerberos Tickets (T1558) with three AQL queries combined by UNION ALL: (1) Kerberoasting through RC4 encryption downgrade on TGS requests (Event ID 4769), (2) AS-REP Roasting via TGT requests for accounts with pre-authentication disabled (Event ID 4768), and (3) Kerberos offensive tool execution detected through Sysmon process telemetry. It uses the QRadar Windows Security log source type and databytes parsing for Kerberos-specific fields.
False Positives & Tuning
- Legacy Windows clients (XP/2003 era) that only support RC4 will trigger RC4-based detections even in modern environments where they remain for compatibility
- Service accounts with SPNs that run scheduled batch jobs may generate multiple 4769 events in short succession
- Mixed-mode AD environments in the RC4-to-AES migration phase will produce an elevated baseline of RC4 TGS requests
- Security scanning tools or AD health check utilities that enumerate SPNs
Testing Methodology
Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: Kerberoasting with Rubeus — RC4 TGS Enumeration
Expected signal: Sysmon Event ID 1: Process Create with Image ending in Rubeus.exe and CommandLine containing 'kerberoast'. Windows Security Event ID 4769 on the domain controller for each SPN enumerated, with TicketEncryptionType=0x17 and TicketOptions=0x40810000. The requesting AccountName and source IpAddress will match the test machine. Multiple 4769 events in rapid succession from the same source IP are the key burst pattern.
- Test 2: AS-REP Roasting with Rubeus — Pre-Auth Disabled Account Hash Capture
Expected signal: Sysmon Event ID 1: Process Create with Image ending in Rubeus.exe and CommandLine containing 'asreproast'. Windows Security Event ID 4768 on the domain controller for each targeted account, with PreAuthType=0 and TicketEncryptionType=0x17 or 0x18. Source IpAddress matches test machine.
- Test 3: Kerberos Ticket Dump with Mimikatz
Expected signal: Sysmon Event ID 1: Process Create with Image ending in mimikatz.exe and CommandLine containing 'sekurlsa::tickets'. Sysmon Event ID 10 (Process Access): mimikatz.exe accessing lsass.exe with GrantedAccess 0x1010 or 0x1438. Sysmon Event ID 11 (File Create): multiple .kirbi files written to the working directory. Windows Defender Event ID 1116 may fire on AMSI or signature detection.
- Test 4: AS-REP Roasting with Impacket GetNPUsers.py (Linux/Cross-Platform)
Expected signal: Windows Security Event ID 4768 on the targeted domain controller for each AS-REP roastable account, with PreAuthType=0 and source IpAddress matching the Linux attacker machine. Sysmon on the DC would not capture this (it is a network event), so the primary telemetry is the Security log. DNS/LDAP queries from the source IP to the DC LDAP ports (389/636) are visible in network logs.
- Test 5: Kerberos Ticket Enumeration with Built-in klist
Expected signal: Sysmon Event ID 1: Process Create with Image = C:\Windows\System32\klist.exe. Security Event ID 4688 (if command line auditing enabled) with ProcessName = klist.exe. No 4769 events are generated — klist reads from local cache only without contacting the KDC.
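Pattern 3 of the query and Tests 3 and 5 above rest on Sysmon process telemetry. The following Python is an added example, not part of this page, of QRadar or of any tool named on it: it groups constructed Sysmon Event ID 1 (Process Create), 10 (Process Access) and 11 (File Create) records by process GUID, applies the same command-line markers the AQL uses, and generalizes the GrantedAccess values 0x1010 and 0x1438 from Test 3 to the PROCESS_VM_READ bit (0x0010) both of them contain, so other read masks against lsass.exe are caught as well. The `correlate` function, the sample records, the ExampleEDR allowlist entry and the Critical/Medium severity scheme are assumptions of this example.

```python
# Command-line fragments from Pattern 3 of the query, matched case-insensitively.
TOOL_MARKERS = ("rubeus", "kerberoast", "asreproast", "getuserspns", "getnpusers",
                "sekurlsa::tickets", "kerberos::golden", "kerberos::silver",
                "kerberos::ptt", ".kirbi", "ticketer.py", "tgtdeleg")
# PROCESS_VM_READ: the access right every LSASS memory read needs. Both masks from
# Test 3 (0x1010 and 0x1438) contain it, so testing the bit covers both and more.
PROCESS_VM_READ = 0x0010


def command_line_markers(cmdline):
    """Return the Pattern 3 markers found in a process command line."""
    low = cmdline.lower()
    return [m for m in TOOL_MARKERS if m in low]


def reads_lsass(event):
    """True for a Sysmon Event ID 10 record that opens lsass.exe with memory-read access."""
    granted = int(event.get("GrantedAccess", "0x0"), 16)
    return event.get("TargetImage", "").lower().endswith("\\lsass.exe") and bool(granted & PROCESS_VM_READ)


def correlate(events, lsass_reader_allowlist=frozenset()):
    """Group Sysmon 1/10/11 records by process GUID and emit one finding per process.
    lsass_reader_allowlist: images (EDR/AV agents) that legitimately read LSASS."""
    allowed = {p.lower() for p in lsass_reader_allowlist}
    by_proc = {}
    for e in events:
        eid = e["EventID"]
        # Event 10 names the acting process with Source* fields, the others with ProcessGuid/Image.
        guid = e["SourceProcessGUID"] if eid == 10 else e["ProcessGuid"]
        image = e["SourceImage"] if eid == 10 else e["Image"]
        rec = by_proc.setdefault(guid, {"image": image, "reasons": []})
        if eid == 1:
            hits = command_line_markers(e.get("CommandLine", ""))
            if hits:
                rec["reasons"].append("command line matches " + ", ".join(hits))
        elif eid == 10 and reads_lsass(e) and image.lower() not in allowed:
            rec["reasons"].append(f"opened lsass.exe with GrantedAccess {e['GrantedAccess']}")
        elif eid == 11 and e.get("TargetFilename", "").lower().endswith(".kirbi"):
            rec["reasons"].append("wrote " + e["TargetFilename"])
    findings = []
    for guid, rec in by_proc.items():
        if not rec["reasons"]:
            continue
        # A tool marker on its own is Critical, as in the query; an LSASS read alone is
        # only Medium because backup and security agents produce it too.
        tool = any(r.startswith("command line") for r in rec["reasons"])
        findings.append({"guid": guid, "image": rec["image"], "reasons": rec["reasons"],
                         "severity": "Critical" if tool or len(rec["reasons"]) >= 2 else "Medium"})
    return findings


# Constructed Sysmon records (sample data, not real telemetry).
SAMPLE_SYSMON = [
    # renamed binary: the image name says nothing, the command line still matches
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Users\\bob\\r.exe",
     "CommandLine": "r.exe kerberoast /outfile:C:\\Users\\bob\\h.txt"},
    # ticket dump as in Test 3: tool marker, LSASS read and .kirbi write from one process
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": "C:\\Temp\\m.exe",
     "CommandLine": 'm.exe "sekurlsa::tickets /export" exit'},
    {"EventID": 10, "SourceProcessGUID": "{B2}", "SourceImage": "C:\\Temp\\m.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1010"},
    {"EventID": 11, "ProcessGuid": "{B2}", "Image": "C:\\Temp\\m.exe",
     "TargetFilename": "C:\\Temp\\ticket1.kirbi"},
    # security agent reading LSASS with 0x1438: suppressed when allowlisted
    {"EventID": 10, "SourceProcessGUID": "{C3}", "SourceImage": "C:\\Program Files\\ExampleEDR\\agent.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1438"},
    # a process querying LSASS with 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) only: ignored
    {"EventID": 10, "SourceProcessGUID": "{D4}", "SourceImage": "C:\\Windows\\system32\\taskmgr.exe",
     "TargetImage": "C:\\Windows\\system32\\lsass.exe", "GrantedAccess": "0x1000"},
    # built-in klist as in Test 5: no marker, no LSASS read, so nothing fires
    {"EventID": 1, "ProcessGuid": "{E5}", "Image": "C:\\Windows\\System32\\klist.exe",
     "CommandLine": "klist tickets"},
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_SYSMON, {"C:\\Program Files\\ExampleEDR\\agent.exe"}):
        print(hit)
```

Two findings come out: the renamed binary on its command line alone, and the ticket-dump process with three independent reasons. Without the allowlist the security agent surfaces as a third, Medium finding, which is the case the tuning section warns about; klist and the limited-information query produce nothing, matching the expectations in Test 5.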
References (13)
- https://attack.mitre.org/techniques/T1558/
- https://adsecurity.org/?p=1515
- https://adsecurity.org/?p=2293
- https://adsecurity.org/?p=227
- https://blog.stealthbits.com/detect-pass-the-ticket-attacks
- https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- https://cert.europa.eu/static/WhitePapers/UPDATED%20-%20CERT-EU_Security_Whitepaper_2014-007_Kerberos_Golden_Ticket_Protection_v1_4.pdf
- https://docs.microsoft.com/windows-server/administration/windows-commands/klist
- https://github.com/GhostPack/Rubeus
- https://github.com/SecureAuthCorp/impacket
- https://medium.com/threatpunter/detecting-attempts-to-steal-passwords-from-memory-558f16dce4ea
- https://learn.microsoft.com/en-us/defender-endpoint/advanced-hunting-deviceprocessevents-table
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1558/T1558.md