Detect Kerberos Ticket Theft or Forgery (T1558)

ID: DET0522
Domains: Enterprise
Analytics: AN1443, AN1444, AN1445
Version: 1.0
Created: 21 October 2025
Last Modified: 21 October 2025

Analytics

AN1443

Detects anomalous Kerberos activity such as forged or stolen tickets by correlating malformed fields in logon events, RC4-encrypted TGTs, or TGS requests that have no corresponding TGT request. Also detects suspicious processes accessing LSASS memory for ticket extraction.

Log Sources
Data Component | Name | Channel
Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4624, 4672, 4634, 4768, 4769
Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10

Mutable Elements
Field | Description
TicketLifetimeThreshold | Threshold for Kerberos TGT lifetimes deviating from domain defaults.
EncryptionTypes | Monitor for downgraded encryption types (e.g., RC4) in Kerberos tickets.
ProcessAllowlist | List of expected processes accessing LSASS; deviations may be suspicious.
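The following is an added example, not part of the ATT&CK page, showing how the three AN1443 conditions (TGS request without a prior TGT request, RC4-encrypted tickets, and non-allowlisted LSASS access) can be checked over Security and Sysmon events. The event records, their field names, the 10-hour window and the allowlist are constructed, simplified assumptions rather than the raw log schema.

```python
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # Kerberos etype 23 (RC4-HMAC), the downgrade the EncryptionTypes element targets

def tgs_without_tgt(events, window=timedelta(hours=10)):
    """Return 4769 TGS requests whose account has no 4768 TGT request within
    `window` beforehand (10 h is an assumed default; tune to the domain's TGT lifetime)."""
    hits, last_tgt = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["code"] == 4768:
            last_tgt[ev["user"]] = ev["time"]
        elif ev["code"] == 4769:
            seen = last_tgt.get(ev["user"])
            if seen is None or ev["time"] - seen > window:
                hits.append(ev)
    return hits

def rc4_tickets(events):
    """Return 4768/4769 events whose ticket was issued with RC4-HMAC."""
    return [e for e in events
            if e["code"] in (4768, 4769) and e.get("etype") == RC4_HMAC]

def unexpected_lsass_access(events, allowlist):
    """Return Sysmon EventCode 10 records where a process outside the
    allowlist opened a handle to lsass.exe (the ProcessAllowlist element)."""
    allowed = {p.lower() for p in allowlist}
    return [e for e in events if e["code"] == 10
            and e["target"].lower().endswith("lsass.exe")
            and e["source"].lower() not in allowed]

# Constructed sample events (simplified field names, not real telemetry)
T0 = datetime(2025, 10, 21, 9, 0, 0)
SAMPLE_EVENTS = [
    {"code": 4768, "time": T0, "user": "alice", "etype": "0x12"},
    {"code": 4769, "time": T0 + timedelta(minutes=5), "user": "alice", "etype": "0x12"},
    # bob requests a service ticket with no TGT request on record, and it is RC4-encrypted
    {"code": 4769, "time": T0 + timedelta(minutes=7), "user": "bob", "etype": "0x17"},
    {"code": 10, "time": T0 + timedelta(minutes=8),
     "source": r"C:\Windows\System32\svchost.exe", "target": r"C:\Windows\System32\lsass.exe"},
    {"code": 10, "time": T0 + timedelta(minutes=9),
     "source": r"C:\Users\Public\unknown.exe", "target": r"C:\Windows\System32\lsass.exe"},
]
ALLOWLIST = [r"C:\Windows\System32\svchost.exe"]  # constructed ProcessAllowlist

def run(events=SAMPLE_EVENTS, allowlist=ALLOWLIST):
    """Apply the three checks and return the flagged accounts and processes."""
    return {"tgs_without_tgt": [e["user"] for e in tgs_without_tgt(events)],
            "rc4": [e["user"] for e in rc4_tickets(events)],
            "lsass": [e["source"] for e in unexpected_lsass_access(events, allowlist)]}
```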

AN1444

Detects suspicious access to the SSSD secrets database and Kerberos key material that indicates ticket theft or replay attempts. Correlates anomalous file access with unusual Kerberos service ticket requests.

Log Sources
Data Component | Name | Channel
File Access (DC0055) | auditd:SYSCALL | Access to /var/lib/sss/secrets/secrets.ldb or .secrets.mkey
Active Directory Credential Request (DC0084) | linux:syslog | Unusual kinit or klist activity

Mutable Elements
Field | Description
SecretsAccessThreshold | Alert threshold for the frequency of access to Kerberos secrets files.
UnusualServiceAccounts | Baseline of accounts that normally perform Kerberos requests; anomalies are flagged.

AN1445

Detects attempts to forge or replay Kerberos tickets by monitoring Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences.

Log Sources
Data Component | Name | Channel
Logon Session Metadata (DC0088) | macos:unifiedlog | Unusual Kerberos TGS-REQ without TGT or anomalous ticket lifetime

Mutable Elements
Field | Description
TicketRequestPatterns | Expected sequence of a TGT request followed by TGS requests; deviations may indicate forgery.
TicketLifetime | Expected ticket lifetimes; anomalies may indicate Golden or Silver Tickets.