Steal or Forge Kerberos Tickets (T1558) is a MITRE ATT&CK technique in the Credential Access tactic. SOC analysts detect it by monitoring for SIEM, XDR events, behavioral anomalies, and the specific indicators described in this detection guide. Practice detection in SOCSimulator Operations.
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket attacks. Kerberos is an authentication protocol widely used in Windows domain environments. The protocol uses tickets to authenticate users to services without requiring repeated password entry. Attackers can steal existing tickets from memory, forge new tickets using domain secrets (Golden Ticket and Silver Ticket attacks), or request service tickets for offline brute forcing (Kerberoasting). A Golden Ticket attack uses the Kerberos service account (KRBTGT) hash to forge unlimited TGTs for any account in the domain, providing persistent, unrevocable access until the KRBTGT password is reset twice. These attacks can persist even after account password changes because the forged tickets use the compromised KRBTGT key.
“Steal or Forge Kerberos Tickets is documented as technique T1558 in the MITRE ATT&CK knowledge base under the Credential Access tactic. Detection requires visibility into SIEM, XDR telemetry.”
The following detection strategies help SOC analysts identify Steal or Forge Kerberos Tickets activity. These methods apply across SIEM, XDR environments and can be implemented as detection rules, correlation queries, or behavioral analytics in your security platform.
Detect Golden Ticket attacks by monitoring for Kerberos TGTs with unusually long validity periods, inconsistent user SID values, or attributes that do not match expected domain configurations.
Alert on Kerberoasting activity by monitoring for large volumes of Kerberos service ticket requests using RC4 encryption from single sources, particularly from workstations that would not normally request many service tickets.
Monitor for Pass the Ticket activity by correlating Kerberos ticket usage with the hosts where tickets were originally issued, flagging tickets used from unexpected source machines.
Detect AS-REP Roasting by monitoring for Kerberos pre-authentication failure events for accounts that do not normally require pre-authentication, followed by offline hash cracking attempts.
Implement KRBTGT account monitoring to detect unauthorized access to domain controllers or attempts to extract the KRBTGT hash through DCSync or physical access to domain controller NTDS.dit.
These realistic alert examples show what Steal or Forge Kerberos Tickets looks like in your security tools. Use them to tune detection rules and train analysts to recognize true positives versus false positives in live environments.
Authentication event detected for account "Administrator" with a Kerberos TGT valid for 10 years (87600 hours), compared to the domain default of 10 hours. The ticket also contains a non-standard SID value not present in Active Directory. These attributes are definitive indicators of a forged Golden Ticket created using the compromised KRBTGT account hash.
Service ticket for CIFS/FILESERVER-01 was used from workstation WS-TEMP-009, but the corresponding TGT was issued to WS-EXEC-002. Kerberos tickets should be used from the same host where they were issued. This anomaly indicates a Pass the Ticket attack where a ticket was stolen from one machine and replayed from a different machine to access file server resources.
Single source account jdoe requested 89 Kerberos service tickets for various service principal names within 4 minutes. All tickets were requested with RC4-HMAC encryption rather than the stronger AES encryption configured as the domain default. This is a hallmark of Kerberoasting, collecting service tickets for offline dictionary-based password cracking.
SOCSimulator provides hands-on training rooms where you investigate real-world attack scenarios including Steal or Forge Kerberos Tickets. Build detection skills with zero consequences — free forever.
A brute force attack systematically tries large numbers of username and password combinations, or decryption keys, until…
Read more GlossaryMulti-Factor Authentication (MFA) requires users to provide two or more independent verification factors (something you …
Read more GlossaryLateral movement is the attack phase where adversaries expand access from an initial foothold to additional systems, usi…
Read more GlossarySecurity Information and Event Management (SIEM) is a platform that aggregates, normalizes, and correlates log data from…
Read more Career PathTier 1 SOC Analysts are the front line. You monitor alert queues, triage incoming detections, classify them as true or f…
Read more Career PathIncident Responders lead the technical response when confirmed breaches happen. You coordinate containment, run forensic…
Read more ToolThe SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…
Read more ToolThe XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…
Read more ComparisonSOCSimulator wins on operational realism. You get multi-tool shift simulation with SLA pressure, noise injection, and al…
Read more ComparisonSOCSimulator is the better tool for dedicated SOC analyst preparation. TryHackMe is the better tool for broad cybersecur…
Read more PlaybookWhen SIEM detects an unusual volume of Kerberos TGS ticket requests (Event ID 4769) with RC4 encryption from a single ac…
Read more GlossaryComplete glossary of Security Operations Center terminology for aspiring SOC analysts.
Read moreWe use cookies to improve your experience and measure usage. Learn more