Skip to content

DC0084 Active Directory Credential Request

Item Value
ID DC0084
Version 2.0
Created 20 October 2021
Last Modified 12 November 2025

Log Sources

Name Channel
linux:syslog Unusual kinit or klist activity
WinEventLog:Kerberos Kerberos TGS-REQ anomalies without KDC validation (Silver Ticket behavior)
WinEventLog:Security EventCode=4768
WinEventLog:Security EventCode=4769
WinEventLog:Security EventCode=4929

Detection Strategy

ID Name Technique Detected
DET0113 Detect AS-REP Roasting Attempts (T1558.004) T1558.004
DET0144 Detect Forged Kerberos Golden Tickets (T1558.001) T1558.001
DET0241 Detect Forged Kerberos Silver Tickets (T1558.002) T1558.002
DET0157 Detect Kerberoasting Attempts (T1558.003) T1558.003
DET0522 Detect Kerberos Ticket Theft or Forgery (T1558) T1558
DET0276 Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse T1207
DET0240 Detection Strategy for Steal or Forge Authentication Certificates T1649
DET0409 Detection Strategy for T1550.002 - Pass the Hash (Windows) T1550.002
DET0352 Detection Strategy for T1550.003 - Pass the Ticket (Windows) T1550.003