Detects forged Kerberos Silver Tickets by identifying anomalous Kerberos service ticket activity: malformed fields in logon events, service-ticket use that has no corresponding TGS request at the KDC (the forged ticket is presented directly to the service), and access attempts by service accounts against hosts or resources outside their expected scope. Also monitors suspicious processes accessing LSASS memory for credential dumping, the usual source of the service account hash needed to forge the ticket.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4624, 4634, 4672, 4769 |
| Active Directory Credential Request (DC0084) | WinEventLog:Kerberos | Kerberos TGS-REQ anomalies without KDC validation (Silver Ticket behavior) |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |

| Field | Description |
|---|---|
| ServiceAccountScope | Expected mapping of service accounts to specific resources; deviations may indicate Silver Ticket use. |
| TicketValidationBaseline | Expected TGS issuance patterns including KDC validation; anomalies may signal forged tickets. |
| ProcessAllowlist | Known processes that legitimately interact with LSASS; others may indicate dumping attempts. |
| TimeWindow | Correlate Kerberos requests within a tunable timeframe to reduce false positives. |
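The correlation described above, as an added example that is not part of the original page: Python that applies the ServiceAccountScope, TimeWindow and ProcessAllowlist tunables to a handful of constructed 4624, 4769 and Sysmon EventID 10 records. The domain-field check is an assumed illustration of a "malformed field"; account names, hosts and timestamps are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Timestamps are ISO strings.
HOST_LOGONS = [  # Security 4624 collected from member servers
    {"time": "2024-05-01T10:00:05", "account": "svc_sql", "domain": "CORP",
     "host": "SQL01", "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2024-05-01T10:07:00", "account": "svc_sql", "domain": "CORP",
     "host": "FILESRV01", "logon_type": 3, "auth_pkg": "Kerberos"},
    {"time": "2024-05-01T10:09:00", "account": "svc_web", "domain": "",
     "host": "WEB01", "logon_type": 3, "auth_pkg": "Kerberos"},
]
KDC_TGS = [  # Security 4769 collected from the domain controller
    {"time": "2024-05-01T10:00:01", "account": "svc_sql", "service": "SQL01"},
]
SYSMON = [  # Sysmon EventID 10 (ProcessAccess)
    {"SourceImage": r"C:\Windows\System32\svchost.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"SourceImage": r"C:\Users\bob\tool.exe", "TargetImage": r"C:\Windows\System32\lsass.exe"},
]
# Tunables from the table above (values are assumptions for this example)
SERVICE_ACCOUNT_SCOPE = {"svc_sql": {"SQL01"}, "svc_web": {"WEB01"}}
PROCESS_ALLOWLIST = {r"c:\windows\system32\svchost.exe", r"c:\windows\system32\csrss.exe"}
TIME_WINDOW = timedelta(minutes=5)
EXPECTED_DOMAIN = "CORP"  # assumed NetBIOS domain used to spot a malformed domain field

def _ts(s): return datetime.fromisoformat(s)

def detect_silver_ticket(logons, tgs_events, scope, window, expected_domain):
    """Flag Kerberos network logons that lack a matching TGS issuance at the KDC,
    target a host outside the account's scope, or carry a malformed domain field."""
    alerts = []
    for lg in logons:
        if lg["auth_pkg"] != "Kerberos" or lg["logon_type"] != 3:
            continue
        reasons = []
        # A forged TGS goes straight to the service, so the KDC never logged a 4769 for it
        if not any(t["account"] == lg["account"] and t["service"] == lg["host"]
                   and timedelta(0) <= _ts(lg["time"]) - _ts(t["time"]) <= window
                   for t in tgs_events):
            reasons.append("no KDC TGS-REQ within window")
        if lg["host"] not in scope.get(lg["account"], set()):
            reasons.append("host outside service account scope")
        if lg["domain"].upper() != expected_domain:
            reasons.append("malformed/unexpected domain field")
        if reasons:
            alerts.append((lg["account"], lg["host"], reasons))
    return alerts

def detect_lsass_access(sysmon_events, allowlist):
    """Sysmon 10: any non-allowlisted process opening a handle to lsass.exe."""
    return [e["SourceImage"] for e in sysmon_events
            if e["TargetImage"].lower().endswith("\\lsass.exe")
            and e["SourceImage"].lower() not in allowlist]
```

The first logon is benign (a 4769 for the same account and service precedes it within the window and the host is in scope); the other two trip one or more of the three checks.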