1. Home
  2. Data Components
  3. Active Directory Credential Request

Active Directory Credential Request

Requests for authentication credentials via Kerberos or other methods like NTLM and LDAP queries. Examples:

  • Kerberos TGT and Service Tickets (Event IDs 4768, 4769)
  • NTLM Authentication Events
  • LDAP Bind Requests.
ID: DC0084
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

Name Channel
linux:syslog Unusual kinit or klist activity
WinEventLog:Kerberos Kerberos TGS-REQ anomalies without KDC validation (Silver Ticket behavior)
WinEventLog:Security EventCode=4768
WinEventLog:Security EventCode=4769
WinEventLog:Security EventCode=4929

Detection Strategy

ID Name Technique Detected
DET0113 Detect AS-REP Roasting Attempts (T1558.004) T1558.004
DET0144 Detect Forged Kerberos Golden Tickets (T1558.001) T1558.001
DET0241 Detect Forged Kerberos Silver Tickets (T1558.002) T1558.002
DET0157 Detect Kerberoasting Attempts (T1558.003) T1558.003
DET0522 Detect Kerberos Ticket Theft or Forgery (T1558) T1558
DET0276 Detection Strategy for Rogue Domain Controller (DCShadow) Registration and Replication Abuse T1207
DET0240 Detection Strategy for Steal or Forge Authentication Certificates T1649
DET0409 Detection Strategy for T1550.002 - Pass the Hash (Windows) T1550.002
DET0352 Detection Strategy for T1550.003 - Pass the Ticket (Windows) T1550.003