T1558 Microsoft Sentinel · KQL

Detect Steal or Forge Kerberos Tickets in Microsoft Sentinel

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket (T1550.003). In Active Directory environments, Kerberos is the primary authentication protocol. Adversaries exploit it through multiple sub-techniques: Kerberoasting (T1558.003) requests service tickets for accounts with SPNs using RC4 encryption for offline hash cracking; AS-REP Roasting (T1558.004) targets accounts with pre-authentication disabled to obtain crackable AS-REP responses; Golden Ticket attacks (T1558.001) use a stolen KRBTGT hash to forge TGTs granting unrestricted domain access; Silver Ticket attacks (T1558.002) forge service tickets using a service account hash for targeted service access; and Ccache file theft (T1558.005) targets Linux/macOS Kerberos credential cache files. Common offensive tools include Rubeus, Mimikatz (kerberos modules), Kekeo, and the Impacket suite (GetUserSPNs.py, GetNPUsers.py, ticketer.py). Detection leverages Windows Security Kerberos event IDs 4768, 4769, and 4771 for protocol-level anomalies such as RC4 encryption downgrade requests in AES-enforced environments, and process telemetry for offensive tool signatures.

MITRE ATT&CK

Tactic: Credential Access
Technique: T1558 Steal or Forge Kerberos Tickets
Canonical reference: https://attack.mitre.org/techniques/T1558/

KQL Detection Query

Microsoft Sentinel (KQL)
```kusto
// T1558: Steal or Forge Kerberos Tickets — Multi-pattern detection
// Covers Kerberoasting (4769+RC4), AS-REP Roasting (4768+PreAuth=0),
// Golden Ticket indicators (RC4 TGT), and attack tool process signatures
let LookbackWindow = 24h;

// Pattern 1: Kerberoasting — RC4 TGS requests via EventID 4769
// In AES-enforced environments, any 0x17 service ticket request is high-fidelity
let Kerberoasting = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4769
| where TicketEncryptionType in ("0x17", "0x18")  // RC4-HMAC and RC4-HMAC-EXP
| where ServiceName !endswith "$"                   // Exclude machine account SPNs
| where ServiceName !in~ ("krbtgt", "kadmin/changepw")
| where IpAddress !in ("::1", "127.0.0.1", "-")
| where Status == "0x0"                              // Successful ticket grants only
| summarize
    RequestCount = count(),
    UniqueServices = dcount(ServiceName),
    Services = make_set(ServiceName, 20),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AccountName, IpAddress, Computer
| extend AttackPattern = "Kerberoasting"
| extend RiskLevel = iff(UniqueServices >= 3 or RequestCount >= 5, "Critical", "High");

// Pattern 2: AS-REP Roasting — TGT for account with pre-auth disabled (EventID 4768)
let ASREPRoasting = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4768
| where PreAuthType == "0"                           // Pre-authentication not required
| where TicketEncryptionType in ("0x17", "0x18")    // Attacker requests RC4 for offline cracking
| where Status == "0x0"
| where IpAddress !in ("::1", "127.0.0.1", "-")
| project TimeGenerated, AccountName, IpAddress, Computer, TicketEncryptionType, PreAuthType
| extend AttackPattern = "AS-REP Roasting"
| extend RiskLevel = "High";

// Pattern 3: Golden Ticket indicator — RC4 TGT request (EventID 4768)
// Legitimate AES-only domains should not produce 0x17 TGT events
let GoldenTicketIndicators = SecurityEvent
| where TimeGenerated > ago(LookbackWindow)
| where EventID == 4768
| where TicketEncryptionType in ("0x17", "0x18")    // RC4 TGT is abnormal in AES-enforced domains
| where IpAddress !in ("::1", "127.0.0.1", "-")
| project TimeGenerated, AccountName, IpAddress, Computer, TicketEncryptionType, Status
| extend AttackPattern = "Potential Golden Ticket (RC4 TGT)"
| extend RiskLevel = "Critical";

// Pattern 4: Kerberos attack tool detection via process command line telemetry
let KerberosTools = DeviceProcessEvents
| where Timestamp > ago(LookbackWindow)
| where ProcessCommandLine has_any (
    "Rubeus", "kerberoast", "asreproast", "tgtdeleg", "asktgt", "asktgs",
    "harvest", "monitor", "s4u",
    "sekurlsa::tickets", "kerberos::golden", "kerberos::silver",
    "kerberos::ptt", "kerberos::list", "kerberos::purge", "kerberos::tgt",
    "GetUserSPNs", "GetNPUsers", "ticketer.py"
  )
  or FileName in~ ("Rubeus.exe", "Kekeo.exe")
  or ProcessCommandLine has ".kirbi"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine,
         InitiatingProcessFileName, InitiatingProcessCommandLine
| extend AttackPattern = "Kerberos Attack Tool"
| extend RiskLevel = "Critical";

// Unified output across all patterns
union
    (Kerberoasting
     | project TimeGenerated = LastSeen, Computer, AccountName, IpAddress,
         AttackPattern, RiskLevel,
         Details = strcat("RequestCount=", RequestCount, " UniqueServices=", UniqueServices, " SPNs=", tostring(Services))),
    (ASREPRoasting
     | project TimeGenerated, Computer, AccountName, IpAddress,
         AttackPattern, RiskLevel,
         Details = strcat("EncType=", TicketEncryptionType, " PreAuth=", PreAuthType)),
    (GoldenTicketIndicators
     | project TimeGenerated, Computer, AccountName, IpAddress,
         AttackPattern, RiskLevel,
         Details = strcat("EncType=", TicketEncryptionType, " Status=", Status)),
    (KerberosTools
     | project TimeGenerated = Timestamp, Computer = DeviceName, AccountName,
         IpAddress = "N/A (host-based)", AttackPattern, RiskLevel,
         Details = ProcessCommandLine)
| sort by TimeGenerated desc
```

Severity: High · Confidence: High

Multi-pattern KQL detection covering all major T1558 sub-techniques using the Microsoft Sentinel SecurityEvent and Defender for Endpoint DeviceProcessEvents tables. Pattern 1 (Kerberoasting) detects EventID 4769 TGS requests with RC4 encryption types 0x17 and 0x18 (RC4-HMAC and RC4-HMAC-EXP), which is the primary Kerberoasting indicator in modern AES-enforced domains. Summarization groups requests per source account, source IP and domain controller to surface burst-scanning behavior and multi-SPN enumeration; three or more distinct services or five or more requests in the lookback window raise the row to Critical. Pattern 2 (AS-REP Roasting) detects EventID 4768 TGT requests for accounts with PreAuthType=0, indicating pre-authentication is disabled. Pattern 3 (Golden Ticket) flags any RC4 TGT request as anomalous in AES-only domains, which may indicate a forged Golden Ticket being presented; because Pattern 3 does not filter on PreAuthType, every Pattern 2 hit also appears as a Pattern 3 row in the unioned output. Pattern 4 detects known offensive tool signatures (Rubeus, Mimikatz kerberos modules, Impacket GetUserSPNs/GetNPUsers/ticketer.py, and .kirbi ticket files) via process command line matching in DeviceProcessEvents. All patterns are unioned with RiskLevel tagging for analyst prioritization.

Data Sources

  • Authentication: Authentication
  • Active Directory: Active Directory Credential Request
  • Process: Process Creation
  • Microsoft Sentinel SecurityEvent
  • Microsoft Defender for Endpoint

Required Tables

  • SecurityEvent
  • DeviceProcessEvents

False Positives & Tuning

  • Legacy applications that still negotiate RC4 for Kerberos due to compatibility requirements — older Java-based apps (JDK < 17 defaults to AES but may fall back), older Linux Kerberos clients with krb5 library versions that prefer RC4, and applications where 'arcfour-hmac' is listed in krb5.conf etypes
  • IT inventory and vulnerability scanning tools such as Tenable Nessus, Qualys, and CyberArk that enumerate service principal names as part of Active Directory discovery modules
  • Backup and monitoring software (Veeam Backup, CommVault, SolarWinds) using service accounts with registered SPNs running on older server OS versions where RC4 is the negotiated cipher
  • Domain environments in mixed-mode with Windows Server 2008 R2 domain controllers, which still advertise RC4 support by default and can cause clients to negotiate 0x17 during normal Kerberos exchanges
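To make the Pattern 1 and Pattern 2 logic of the query above concrete, here is an added example (not the page's own code) that re-implements those two filters in Python over a constructed set of 4769/4768 rows, and adds a hypothetical SPN allowlist as one way to suppress the known RC4 clients listed under False Positives; the field names mirror the SecurityEvent columns the query uses.

```python
from collections import defaultdict

RC4_ETYPES = {"0x17", "0x18"}                  # RC4-HMAC and RC4-HMAC-EXP, as in the query
LOOPBACK = {"::1", "127.0.0.1", "-"}           # local/placeholder sources the query drops
EXCLUDED_SPNS = {"krbtgt", "kadmin/changepw"}
def ev(eid, acct, ip, etype, svc="", preauth="", status="0x0"):  # constructed SecurityEvent-like row
    return {"EventID": eid, "AccountName": acct, "IpAddress": ip, "Computer": "DC01",
            "ServiceName": svc, "TicketEncryptionType": etype, "PreAuthType": preauth, "Status": status}

# Constructed sample (not real telemetry): an RC4 TGS burst, one backup-account RC4 request, one AES request, two TGTs.
EVENTS = [
    ev(4769, "jdoe", "10.0.0.5", "0x17", svc="svc_sql"),
    ev(4769, "jdoe", "10.0.0.5", "0x17", svc="svc_http"),
    ev(4769, "jdoe", "10.0.0.5", "0x17", svc="svc_mssql02"),
    ev(4769, "jdoe", "10.0.0.5", "0x17", svc="WS01$"),        # machine account SPN, excluded
    ev(4769, "backup_svc", "10.0.0.9", "0x17", svc="svc_veeam"),
    ev(4769, "alice", "10.0.0.7", "0x12", svc="svc_sql"),      # AES256 (0x12), not RC4
    ev(4768, "bob", "10.0.0.8", "0x17", preauth="0"),          # pre-authentication disabled
    ev(4768, "carol", "10.0.0.8", "0x17", preauth="2"),        # normal pre-authentication
]

def kerberoasting(events, allowlist=frozenset()):
    """Pattern 1: per-(account, source IP, DC) aggregation of successful RC4 TGS requests.
    allowlist (lower-case SPNs) is a hypothetical tuning hook absent from the page's query."""
    counts, services = defaultdict(int), defaultdict(set)
    for e in events:
        svc = e["ServiceName"]
        if e["EventID"] != 4769 or e["TicketEncryptionType"] not in RC4_ETYPES:
            continue
        if svc.endswith("$") or svc.lower() in EXCLUDED_SPNS or svc.lower() in allowlist:
            continue
        if e["IpAddress"] in LOOPBACK or e["Status"] != "0x0":
            continue
        key = (e["AccountName"], e["IpAddress"], e["Computer"])
        counts[key] += 1
        services[key].add(svc)
    rows = []
    for (acct, ip, dc), n in counts.items():
        spns = sorted(services[(acct, ip, dc)])
        rows.append({"AccountName": acct, "IpAddress": ip, "Computer": dc, "RequestCount": n,
                     "UniqueServices": len(spns), "Services": spns,
                     "RiskLevel": "Critical" if len(spns) >= 3 or n >= 5 else "High"})
    return rows

def asrep_roasting(events):
    """Pattern 2: successful 4768 TGT requests with pre-auth disabled and RC4 requested."""
    return [e for e in events if e["EventID"] == 4768 and e["PreAuthType"] == "0"
            and e["TicketEncryptionType"] in RC4_ETYPES and e["Status"] == "0x0"
            and e["IpAddress"] not in LOOPBACK]
```

Running it on the sample yields one Critical Kerberoasting row for jdoe (three distinct SPNs, machine account dropped), one High row for backup_svc that disappears once svc_veeam is allowlisted, and a single AS-REP Roasting hit for bob.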

Testing Methodology

Validate this detection against 5 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Kerberoasting with Rubeus — RC4 TGS Enumeration

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in Rubeus.exe and CommandLine containing 'kerberoast'. Windows Security Event ID 4769 on the domain controller for each SPN enumerated, with TicketEncryptionType=0x17 and TicketOptions=0x40810000. The requesting AccountName and source IpAddress will match the test machine. Multiple 4769 events in rapid succession from the same source IP is the key burst pattern.

  2. Test 2: AS-REP Roasting with Rubeus — Pre-Auth Disabled Account Hash Capture

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in Rubeus.exe and CommandLine containing 'asreproast'. Windows Security Event ID 4768 on the domain controller for each targeted account, with PreAuthType=0 and TicketEncryptionType=0x17 or 0x18. Source IpAddress matches test machine.

  3. Test 3: Kerberos Ticket Dump with Mimikatz

    Expected signal: Sysmon Event ID 1: Process Create with Image ending in mimikatz.exe and CommandLine containing 'sekurlsa::tickets'. Sysmon Event ID 10 (Process Access): mimikatz.exe accessing lsass.exe with GrantedAccess 0x1010 or 0x1438. Sysmon Event ID 11 (File Create): multiple .kirbi files written to the working directory. Windows Defender Event ID 1116 may fire on AMSI or signature detection.

  4. Test 4: AS-REP Roasting with Impacket GetNPUsers.py (Linux/Cross-Platform)

    Expected signal: Windows Security Event ID 4768 on the targeted domain controller for each AS-REP Roastable account, with PreAuthType=0 and source IpAddress matching the Linux attacker machine. Sysmon on the DC would not capture this (it is a network event, not a local process), so the primary telemetry is the Security log. DNS/LDAP queries to the DC LDAP port (389/636) from the source IP are visible in network logs.

  5. Test 5: Kerberos Ticket Enumeration with Built-in klist

    Expected signal: Sysmon Event ID 1: Process Create with Image = C:\Windows\System32\klist.exe. Security Event ID 4688 (if command line auditing enabled) with ProcessName = klist.exe. No 4769 events are generated — klist reads from local cache only without contacting the KDC.
