Skip to content

DET0522 Detect Kerberos Ticket Theft or Forgery (T1558)

Item Value
ID DET0522
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1558 (Steal or Forge Kerberos Tickets)

Analytics

Windows

AN1443

Detects anomalous Kerberos activity such as forged or stolen tickets by correlating malformed fields in logon events, RC4-encrypted TGTs, or TGS requests without corresponding TGT requests. Also detects suspicious processes accessing LSASS memory for ticket extraction.

Log Sources
Data Component Name Channel
Logon Session Metadata (DC0088) WinEventLog:Security EventCode=4672, 4634
Process Access (DC0035) WinEventLog:Sysmon EventCode=10
Mutable Elements
Field Description
TicketLifetimeThreshold Threshold for Kerberos TGT lifetimes deviating from domain defaults.
EncryptionTypes Monitor for downgraded encryption types (e.g., RC4) in Kerberos tickets.
ProcessAllowlist List of expected processes accessing LSASS; deviations may be suspicious.

Linux

AN1444

Detects suspicious access to SSSD secrets database and Kerberos key material indicating ticket theft or replay attempts. Correlates anomalous file access with unusual Kerberos service ticket requests.

Log Sources
Data Component Name Channel
File Access (DC0055) auditd:SYSCALL Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey
Active Directory Credential Request (DC0084) linux:syslog Unusual kinit or klist activity
Mutable Elements
Field Description
SecretsAccessThreshold Alert threshold for frequency of access to Kerberos secrets files.
UnusualServiceAccounts Baseline accounts normally performing Kerberos requests; anomalies flagged.

macOS

AN1445

Detects attempts to forge or replay Kerberos tickets by monitoring Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences.

Log Sources
Data Component Name Channel
Logon Session Metadata (DC0088) macos:unifiedlog Unusual Kerberos TGS-REQ without TGT or anomalous ticket lifetime
Mutable Elements
Field Description
TicketRequestPatterns Expected sequence of TGT followed by TGS requests; deviations may indicate forgery.
TicketLifetime Expected ticket lifetimes; anomalies may indicate Golden or Silver Tickets.