Suspicious Kerberos Ticket Request via CLI
- source: sigma
- techniques:
  - t1558
  - t1558.003
Description
Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse techniques like silver ticket attacks.
Detection logic
    selection_img:
        - Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        - OriginalFileName:
            - 'powershell.exe'
            - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
            - '.GetRequest()'
    condition: all of selection_*
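The following is an added example, not part of the rule page or of the Sigma project: a small Python evaluator that applies the detection logic above to constructed process-creation events. It assumes flat events with Sysmon-style field names (Image, OriginalFileName, CommandLine) and implements the Sigma semantics the rule relies on: string modifiers match case-insensitively, a list under a single field is OR, `|all` turns that into AND, a selection written as a list of maps is OR across the maps, and `all of selection_*` requires every selection to match. The sample command lines are constructed placeholders that only carry the two substrings the rule keys on.

```python
"""Evaluate the 'Suspicious Kerberos Ticket Request via CLI' rule over sample events.

Added example (not the rule's or Sigma's own code). Assumes flat dict events with
the Sysmon-style keys Image, OriginalFileName and CommandLine.
"""

# Detection section transcribed from the rule. Modifiers live in the key,
# separated by '|', exactly as Sigma writes them.
RULE = {
    "selection_img": [  # list of maps: any one map matching is enough (OR)
        {"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        {"OriginalFileName": ["powershell.exe", "pwsh.dll"]},
    ],
    "selection_cli": {  # single map: every field in it must match (AND)
        "CommandLine|contains|all": [
            "System.IdentityModel.Tokens.KerberosRequestorSecurityToken",
            ".GetRequest()",
        ],
    },
    "condition": "all of selection_*",
}


def match_field(event, spec, values):
    """Evaluate one 'Field|modifiers: [values]' entry, case-insensitively."""
    name, *mods = spec.split("|")
    actual = str(event.get(name, "")).lower()
    wanted = [str(v).lower() for v in values]
    if "endswith" in mods:
        hits = [actual.endswith(v) for v in wanted]
    elif "contains" in mods:
        hits = [v in actual for v in wanted]
    else:  # no modifier: exact (case-insensitive) match
        hits = [actual == v for v in wanted]
    # A plain value list is OR; the 'all' modifier makes it AND.
    return all(hits) if "all" in mods else any(hits)


def match_selection(event, selection):
    """A map is AND over its fields; a list of maps is OR over the maps."""
    if isinstance(selection, list):
        return any(match_selection(event, item) for item in selection)
    return all(match_field(event, spec, vals) for spec, vals in selection.items())


def matches_rule(event, rule=RULE):
    """'all of selection_*': every selection_* key must match the event."""
    selections = [v for k, v in rule.items() if k.startswith("selection_")]
    return all(match_selection(event, sel) for sel in selections)


# Constructed sample events (not real telemetry). Command lines are placeholders
# that contain only the substrings the rule looks for.
EVENTS = [
    # 1. PowerShell host with both indicator strings on the command line -> alert
    {
        "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -NoP -C "... System.IdentityModel.Tokens'
                       '.KerberosRequestorSecurityToken ... .GetRequest() ..."',
    },
    # 2. Binary renamed on disk; OriginalFileName from the PE header still matches -> alert
    {
        "Image": "C:\\Users\\Public\\svc.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": 'svc.exe -c "... System.IdentityModel.Tokens'
                       '.KerberosRequestorSecurityToken ... .GetRequest() ..."',
    },
    # 3. Ordinary PowerShell activity, no token request -> no alert
    {
        "Image": "C:\\Program Files\\PowerShell\\7\\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": "pwsh.exe -File C:\\scripts\\backup.ps1",
    },
    # 4. Indicator strings present but not in a PowerShell host -> no alert
    {
        "Image": "C:\\Windows\\System32\\cmd.exe",
        "OriginalFileName": "Cmd.Exe",
        "CommandLine": "cmd.exe /c echo System.IdentityModel.Tokens."
                       "KerberosRequestorSecurityToken .GetRequest()",
    },
]


def run(events=EVENTS):
    """Return one verdict per event, in order."""
    return [matches_rule(e) for e in events]


if __name__ == "__main__":
    for event, verdict in zip(EVENTS, run()):
        print("ALERT " if verdict else "ok    ", event["Image"])
```

Event 2 is the interesting case: because `selection_img` is a list of maps, the `OriginalFileName` branch fires even when the PowerShell binary has been copied under another name, so renaming the host does not by itself evade the rule. Event 4 shows the other half of the AND: the indicator strings alone are not enough without a PowerShell image or original file name.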