Steal or Forge Kerberos Tickets (T1558)

View on ATT&CK

In Playbook

Technique & Subtechniques

Associated Tactics

  • Credential Access

Credential Access (TA0006)

The adversary is trying to steal account names and passwords. Credential Access consists of techniques for stealing credentials like account names and passwords. Techniques used to get credentials include keylogging or credential dumping. Using legitimate credentials can give adversaries access to systems, make them harder to detect, and provide the opportunity to create more accounts to help achieve their goals.

View on ATT&CK

Procedure Examples

Description Source(s)
Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017. CERT-EU Golden Ticket Protection
Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018. Microsoft Detecting Kerberoasting Feb 2018
French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019. Medium Detecting Attempts to Steal Passwords from Memory
Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020. Stealthbits Detect PtT 2019
Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018. AdSecurity Cracking Kerberos Dec 2015
Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015. ADSecurity Detecting Forged Tickets
Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020. Microsoft Kerberos Golden Ticket
Microsoft. (2021, March 3). klist. Retrieved October 14, 2021. Microsoft Klist
Sean Metcalf. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020. ADSecurity Kerberos Ring Decoder