Skip to content

Hide Navigation Hide TOC

Request A Single Ticket via PowerShell (a861d835-af37-4930-bcd6-5b178bfb54df)

utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.

Cluster A Galaxy A Cluster B Galaxy B Level
Request A Single Ticket via PowerShell (a861d835-af37-4930-bcd6-5b178bfb54df) Sigma-Rules Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 1
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2