Detectionhightest

Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock

Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets. This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

François HubautCreated Tue Dec 28Updated Tue Nov 18a861d835-af37-4930-bcd6-5b178bfb54dfwindows

Log Source

WindowsPowerShell Script

ProductWindows← raw: windows

CategoryPowerShell Script← raw: ps_script

Definition

Requirements: Script Block Logging must be enabled

Detection Logic

detection:
    selection:
        ScriptBlockText|contains|all:
            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
            - '.GetRequest()'
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Sub-techniques

T1558.003 · Kerberoasting

Related Rules

SimilarDetectionhigh

Suspicious Kerberos Ticket Request via CLI

Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse techniques like silver ticket attacks.

Detects similar activity. Both rules may fire on overlapping events.

Rule Metadata

Rule ID

a861d835-af37-4930-bcd6-5b178bfb54df

Status

test

Level

high

Type

Detection

Created

Tue Dec 28

Modified

Tue Nov 18

Author

François Hubaut

Path

rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml

Raw Tags

attack.credential-accessattack.t1558.003

View on GitHub