Skip to content

Hide Navigation Hide TOC

Suspicious Kerberos Ticket Request via CLI (caa9a802-8bd8-4b9e-a5cd-4d6221670219)

Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse techniques like silver ticket attacks.

Cluster A Galaxy A Cluster B Galaxy B Level
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Suspicious Kerberos Ticket Request via CLI (caa9a802-8bd8-4b9e-a5cd-4d6221670219) Sigma-Rules 1
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 2