
DET0241 Detect Forged Kerberos Silver Tickets (T1558.002)

ID: DET0241
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Technique Detected: T1558.002 (Silver Ticket)

Analytics

Windows

AN0675

Detects forged Kerberos Silver Tickets by identifying anomalous Kerberos service-ticket activity on the targeted host and on the domain controllers: malformed or unexpected fields in logon events (for example, a domain field that carries the FQDN, or is blank, where a KDC-issued ticket yields the NetBIOS domain name); service-ticket logons on a host for which no corresponding ticket issuance is recorded on any domain controller, because a forged service ticket is presented straight to the service and never passes through the KDC; and service accounts authenticating to hosts or resources outside their expected scope. Also monitors suspicious processes accessing LSASS memory, since the service account's key (NTLM hash or AES key) needed to forge the ticket is commonly obtained by credential dumping.

Log Sources
Data Component (ID)                           Channel
Logon Session Metadata (DC0088)               WinEventLog:Security EventCode=4672, 4634
Active Directory Credential Request (DC0084)  WinEventLog:Security on domain controllers, service-ticket issuance (EventCode=4769); a service-ticket logon on a host with no matching issuance on any DC within the correlation window is the Silver Ticket signal
Process Access (DC0035)                       WinEventLog:Sysmon EventCode=10
Mutable Elements
Field                    Description
ServiceAccountScope      Expected mapping of service accounts to the hosts and resources they authenticate to; deviations may indicate Silver Ticket use.
TicketValidationBaseline Expected pattern of a ticket issuance on a DC preceding each service-ticket logon on a host; logons with no such issuance may signal forged tickets.
ProcessAllowlist         Known processes that legitimately open handles to LSASS; others may indicate credential dumping attempts.
TimeWindow               Lookback within which a service-ticket logon on a host must be matched to a ticket issuance on a DC; tune it to DC log-forwarding latency to reduce false positives.
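Worked correlation of the signals above over constructed events, as an added example that is not part of DET0241 or the ATT&CK project. It evaluates Security 4624 service-ticket logons on a member server against Security 4769 ticket issuance on the DC, checks the domain field, applies ServiceAccountScope, and screens Sysmon Event ID 10 LSASS handle opens against ProcessAllowlist. Field names mirror the Windows event XML, but every record, the domain CORP, the host names, the scope and allowlist values and the ten-minute window are assumptions made for the demo; 4624 is used here because it carries the domain and logon-type fields, although the page itself lists 4672 and 4634.

```python
from datetime import datetime, timedelta

# Mutable elements from the analytic, with assumed values for this demo.
EXPECTED_NETBIOS_DOMAIN = "CORP"      # NetBIOS name a KDC-issued ticket stamps into the domain field
TIME_WINDOW = timedelta(minutes=10)   # TimeWindow: lookback for a matching ticket issuance on the DC
SERVICE_ACCOUNT_SCOPE = {             # ServiceAccountScope: account -> hosts it is expected to log on to
    "svc_sql": {"SQL01"},
    "svc_web": {"WEB01", "WEB02"},
}
PROCESS_ALLOWLIST = {                 # ProcessAllowlist: images that legitimately open LSASS
    r"C:\Windows\System32\svchost.exe",
    r"C:\Windows\System32\csrss.exe",
}

def _t(s):
    return datetime.fromisoformat(s)

def _ip(s):
    # 4769 records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); normalise before matching.
    return s.replace("::ffff:", "")

# Constructed DC record: Security 4769, the KDC issued a service ticket (fabricated for the demo).
DC_TGS_EVENTS = [
    {"EventID": 4769, "Time": _t("2025-10-21T09:00:05"), "TargetUserName": "svc_sql@CORP.LOCAL",
     "ServiceName": "SQL01$", "IpAddress": "::ffff:10.0.1.50"},
]

# Constructed member-server records: Security 4624 network logons (type 3) via Kerberos.
HOST_LOGON_EVENTS = [
    # Legitimate: the DC issued a ticket for svc_sql to SQL01 from this client two seconds earlier.
    {"EventID": 4624, "Time": _t("2025-10-21T09:00:07"), "Computer": "SQL01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "svc_sql",
     "TargetDomainName": "CORP", "IpAddress": "10.0.1.50"},
    # Forged: no issuance on any DC, FQDN in the domain field, and svc_web is out of scope on SQL01.
    {"EventID": 4624, "Time": _t("2025-10-21T09:15:00"), "Computer": "SQL01", "LogonType": 3,
     "AuthenticationPackageName": "Kerberos", "TargetUserName": "svc_web",
     "TargetDomainName": "corp.local", "IpAddress": "10.0.9.9"},
]

# Constructed Sysmon Event ID 10 records: a process opened a handle to LSASS.
SYSMON_ACCESS_EVENTS = [
    {"EventID": 10, "Computer": "WS07", "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000"},
    {"EventID": 10, "Computer": "WS07", "SourceImage": r"C:\Users\jdoe\Downloads\m.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
]

def kerberos_network_logons(events):
    return [e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3
            and e["AuthenticationPackageName"] == "Kerberos"]

def tgs_issued_for(logon, dc_events, window=TIME_WINDOW):
    """True if a DC issued a service ticket for this user, from this client, for this host's
    computer account, within `window` before the logon. A Silver Ticket never produces one."""
    user = logon["TargetUserName"].lower()
    for e in dc_events:
        if e["EventID"] != 4769:
            continue
        if e["TargetUserName"].split("@")[0].lower() != user:
            continue
        if _ip(e["IpAddress"]) != _ip(logon["IpAddress"]):
            continue
        if e["ServiceName"].rstrip("$").upper() != logon["Computer"].upper():
            continue
        if timedelta(0) <= logon["Time"] - e["Time"] <= window:
            return True
    return False

def unvalidated_logons(host_events, dc_events):
    """Service-ticket logons on a host with no matching KDC issuance: the core Silver Ticket signal."""
    return [e for e in kerberos_network_logons(host_events) if not tgs_issued_for(e, dc_events)]

def domain_field_anomalies(host_events, expected=EXPECTED_NETBIOS_DOMAIN):
    """Tickets forged with common tooling often carry the FQDN, or nothing, in the domain
    field where a KDC-issued ticket yields the NetBIOS domain name."""
    return [e for e in kerberos_network_logons(host_events) if e["TargetDomainName"] != expected]

def out_of_scope_service_accounts(host_events, scope=SERVICE_ACCOUNT_SCOPE):
    """Service accounts seen on hosts outside their expected mapping."""
    hits = []
    for e in kerberos_network_logons(host_events):
        allowed = scope.get(e["TargetUserName"].lower())
        if allowed is not None and e["Computer"].upper() not in allowed:
            hits.append(e)
    return hits

def suspicious_lsass_access(sysmon_events, allowlist=PROCESS_ALLOWLIST):
    """Sysmon 10 handle opens on lsass.exe from images not on the allowlist."""
    return [e for e in sysmon_events if e["EventID"] == 10
            and e["TargetImage"].lower().endswith("\\lsass.exe")
            and e["SourceImage"] not in allowlist]

if __name__ == "__main__":
    print("no KDC issuance:", [e["TargetUserName"] for e in unvalidated_logons(HOST_LOGON_EVENTS, DC_TGS_EVENTS)])
    print("domain field anomaly:", [e["TargetUserName"] for e in domain_field_anomalies(HOST_LOGON_EVENTS)])
    print("out of scope:", [e["TargetUserName"] for e in out_of_scope_service_accounts(HOST_LOGON_EVENTS)])
    print("LSASS access:", [e["SourceImage"] for e in suspicious_lsass_access(SYSMON_ACCESS_EVENTS)])
```

The absence-of-issuance check only works if 4769 from every domain controller is forwarded to the same place as the host logons; a missing DC feed makes every legitimate logon look forged, which is why TimeWindow should be sized to cover the slowest DC's forwarding delay rather than the Kerberos exchange itself.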