title: Steal or Forge Kerberos Tickets (T1558)
id: df00tech-t1558
status: experimental
description: "Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket (T1550.003). In Active Directory environments, Kerberos is the primary authentication protocol. Adversaries exploit it through multiple sub-techniques: Kerberoasting (T1558.003) requests service tickets for accounts with SPNs using RC4 encryption for offline hash cracking; AS-REP Roasting (T1558.004) targets accounts with pre-authentication disabled to obtain crackable AS-REP responses; Golden Ticket attacks (T1558.001) use a stolen KRBTGT hash to forge TGTs granting unrestricted domain access; Silver Ticket attacks (T1558.002) forge service tickets using a service account hash for targeted service access; and Ccache file theft (T1558.005) targets Linux/macOS Kerberos credential cache files. Common offensive tools include Rubeus, Mimikatz (kerberos modules), Kekeo, and the Impacket suite (GetUserSPNs.py, GetNPUsers.py, ticketer.py). Detection leverages Windows Security Kerberos event IDs 4768, 4769, and 4771 for protocol-level anomalies such as RC4 encryption downgrade requests in AES-enforced environments, and process telemetry for offensive tool signatures."
references:
  - https://attack.mitre.org/techniques/T1558/
  - https://df00tech.com/detections/T1558
author: df00tech
date: 2026/04/13
tags:
  - attack.t1558
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - "Legacy applications that still negotiate RC4 for Kerberos due to compatibility requirements: older Java-based apps (JDK < 17 defaults to AES but may fall back), older Linux Kerberos clients with krb5 library versions that prefer RC4, and applications where 'arcfour-hmac' is listed in krb5.conf etypes"
  - "IT inventory and vulnerability scanning tools such as Tenable Nessus, Qualys, and CyberArk that enumerate service principal names as part of Active Directory discovery modules"
  - "Backup and monitoring software (Veeam Backup, CommVault, SolarWinds) using service accounts with registered SPNs running on older server OS versions where RC4 is the negotiated cipher"
  - "Domain environments in mixed-mode with Windows Server 2008 R2 domain controllers, which still advertise RC4 support by default and can cause clients to negotiate 0x17 during normal Kerberos exchanges"
level: high
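As an added illustration of the 4769-based detection the description outlines (this is not part of the rule above; the account names, IP addresses and the legacy allowlist are constructed assumptions), the following Python flags successful RC4-HMAC (0x17) service-ticket requests for user-account SPNs, drops the renewals, machine accounts and known legacy RC4 services that the falsepositives list describes, and reports requesters that touched several distinct SPNs:

```python
"""Flag Windows Security 4769 (TGS request) events that look like Kerberoasting:
RC4-HMAC (etype 0x17) service tickets for user-account SPNs in an AES-only domain."""
from collections import defaultdict

RC4_HMAC = "0x17"  # etype 23; the downgrade that Kerberoasting tools request
# Hypothetical legacy accounts still allowed to use RC4 (tune to your environment).
LEGACY_RC4_ACCOUNTS = {"svc_backup_legacy"}


def is_rc4_user_spn_request(ev):
    """True for a successful 4769 carrying an RC4 ticket for a non-krbtgt user account."""
    if ev.get("EventID") != 4769 or ev.get("Status") != "0x0":
        return False
    if ev.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return False
    svc = ev.get("ServiceName", "")
    # TGT renewals (krbtgt) and machine accounts (trailing $) are not Kerberoast targets.
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False
    return svc.lower() not in LEGACY_RC4_ACCOUNTS


def find_kerberoasting(events, min_distinct_services=3):
    """Group RC4 user-SPN requests by (requesting account, source IP) and return
    requesters that asked for at least min_distinct_services different SPNs."""
    by_requester = defaultdict(set)
    for ev in events:
        if is_rc4_user_spn_request(ev):
            by_requester[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in by_requester.items() if len(v) >= min_distinct_services}


def _ev(user, svc, etype, ip, status="0x0"):
    """Build a constructed 4769 record using the EventData field names Windows emits."""
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": svc,
            "TicketEncryptionType": etype, "Status": status, "IpAddress": ip}


# Constructed sample telemetry (not real events): alice bulk-requests RC4 tickets,
# bob's hits are a krbtgt renewal and an allowlisted legacy service, carol uses AES.
SAMPLE_EVENTS = [
    _ev("alice@CORP.LOCAL", "svc_sql", "0x17", "10.0.0.5"),
    _ev("alice@CORP.LOCAL", "svc_web", "0x17", "10.0.0.5"),
    _ev("alice@CORP.LOCAL", "svc_sharepoint", "0x17", "10.0.0.5"),
    _ev("alice@CORP.LOCAL", "WS01$", "0x17", "10.0.0.5"),
    _ev("bob@CORP.LOCAL", "krbtgt", "0x17", "10.0.0.9"),
    _ev("bob@CORP.LOCAL", "svc_backup_legacy", "0x17", "10.0.0.9"),
    _ev("carol@CORP.LOCAL", "svc_sql", "0x12", "10.0.0.7"),
]

if __name__ == "__main__":
    for (user, ip), services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"suspicious: {user} from {ip} requested RC4 tickets for {services}")
```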
