Kerberos Ticket Extraction via PowerShell

Rule name: Kerberos Ticket Extraction via PowerShell
Rule type: Standard
Log sources: Windows
MITRE ATT&CK tags: Credential Access: Steal or Forge Kerberos Tickets - Kerberoasting (T1558.003)
Severity: Trouble

About the rule

Rule Type

Standard

Rule Description

Detects PowerShell script blocks that call LsaCallAuthenticationPackage with Kerberos ticket-cache or ticket-retrieval message types, activity associated with Kerberos ticket theft.

Why this rule?

Kerberos ticket extraction via PowerShell enables attackers to steal authentication tickets from memory, perform Kerberoasting attacks against service accounts with weak passwords, execute pass-the-ticket attacks to impersonate legitimate users without knowing their passwords, and ultimately achieve lateral movement and privilege escalation across Windows domains by abusing the Kerberos authentication protocol.

Severity

Trouble

Rule journey

Attack chain scenario

Credential Access → PowerShell Execution → Kerberos Ticket Extraction → Offline Password Cracking → Credential Compromise.

Impact

Attackers can extract Kerberos tickets for offline cracking, potentially compromising service account credentials and enabling lateral movement.

Rule Requirement

Prerequisites

Enable PowerShell Script Block Logging (Event ID 4104).

Criteria

Action1: actionname = "PowerShell Script Block Logged"
  AND ( SCRIPTEXECUTED contains "LsaCallAuthenticationPackage" )
  AND ( SCRIPTEXECUTED contains "KerbRetrieveEncodedTicketMessage"
     OR SCRIPTEXECUTED contains "KerbRetrieveTicketMessage"
     OR SCRIPTEXECUTED contains "KerbQueryTicketCacheMessage"
     OR SCRIPTEXECUTED contains "KerbQueryTicketCacheExMessage"
     OR SCRIPTEXECUTED contains "KerbQueryTicketCacheEx2Message"
     OR SCRIPTEXECUTED contains "KerbDecryptDataMessage" )
select Action1.HOSTNAME, Action1.MESSAGE, Action1.SCRIPTEXECUTED, Action1.DOMAIN, Action1.PATH, Action1.USERNAME
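The criteria above, applied to constructed Event ID 4104 script block events as an added illustration (this is not the detection platform's code). It assumes the 4104 fields ScriptBlockId, MessageNumber, MessageTotal and ScriptBlockText, reassembles a script block that was logged as several fragments before matching, and reads "contains" as a case-sensitive substring test; hosts, users, paths and ids are hypothetical.

```python
from collections import defaultdict

# Strings taken from the rule's Criteria; matching is case-sensitive, a literal reading.
LSA_CALL = "LsaCallAuthenticationPackage"
KERB_MESSAGES = (
    "KerbRetrieveEncodedTicketMessage", "KerbRetrieveTicketMessage",
    "KerbQueryTicketCacheMessage", "KerbQueryTicketCacheExMessage",
    "KerbQueryTicketCacheEx2Message", "KerbDecryptDataMessage",
)

def matches_rule(script_text: str) -> bool:
    """Criteria: LsaCallAuthenticationPackage AND at least one Kerb*Message name."""
    return LSA_CALL in script_text and any(m in script_text for m in KERB_MESSAGES)

def reassemble(events):
    """Join 4104 fragments per ScriptBlockId in MessageNumber order.
    A long script block is logged as several events, so the two required
    strings can land in different fragments and be missed if matched per event."""
    frags, meta = defaultdict(dict), {}
    for ev in events:
        frags[ev["ScriptBlockId"]][ev["MessageNumber"]] = ev["ScriptBlockText"]
        meta[ev["ScriptBlockId"]] = {k: ev[k] for k in ("HOSTNAME", "USERNAME", "PATH")}
    return {sbid: "".join(f[n] for n in sorted(f)) for sbid, f in frags.items()}, meta

def evaluate(events):
    """Return one alert per reassembled script block that satisfies the rule."""
    blocks, meta = reassemble(events)
    return [dict(ScriptBlockId=sbid, **meta[sbid])
            for sbid, text in blocks.items() if matches_rule(text)]

# Constructed sample 4104 events (hypothetical hosts, users, paths and ids).
SAMPLE_EVENTS = [
    # Block "sb-1": two fragments; neither alone satisfies both conditions.
    {"ScriptBlockId": "sb-1", "MessageNumber": 1, "MessageTotal": 2,
     "HOSTNAME": "WS-042", "USERNAME": "CORP\\jdoe", "PATH": "",
     "ScriptBlockText": "Add-Type -Name Lsa -MemberDefinition $sig  # declares LsaCallAuthenticationPackage\n"},
    {"ScriptBlockId": "sb-1", "MessageNumber": 2, "MessageTotal": 2,
     "HOSTNAME": "WS-042", "USERNAME": "CORP\\jdoe", "PATH": "",
     "ScriptBlockText": "$req.MessageType = 'KerbQueryTicketCacheMessage'\n"},
    # Block "sb-2": admin diagnostic that only names the message type in a comment.
    {"ScriptBlockId": "sb-2", "MessageNumber": 1, "MessageTotal": 1,
     "HOSTNAME": "ADM-01", "USERNAME": "CORP\\helpdesk", "PATH": "C:\\Tools\\tix.ps1",
     "ScriptBlockText": "# compare with KerbQueryTicketCacheMessage output\nklist\n"},
    # Block "sb-3": unrelated script.
    {"ScriptBlockId": "sb-3", "MessageNumber": 1, "MessageTotal": 1,
     "HOSTNAME": "WS-007", "USERNAME": "CORP\\asmith", "PATH": "",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5\n"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Only the reassembled "sb-1" block fires; matched per event, neither of its fragments would.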

Detection

Execution Mode

realtime

Log Sources

Windows

MITRE ATT&CK

Credential Access: Steal or Forge Kerberos Tickets - Kerberoasting (T1558.003)

Future actions

Known False Positives

Legitimate PowerShell scripts used by administrators or security tools for authentication troubleshooting or diagnostics.

Next Steps

  1. Identification: Identify the PowerShell script and the user performing the Kerberos ticket extraction.
  2. Analysis: Determine which service accounts or users had their tickets extracted.
  3. Response: Rotate service account passwords, investigate a potential Kerberoasting attack, and review access patterns.

Mitigation

M1041 (Encrypt Sensitive Information): Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.[2]

M1027 (Password Policies): Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.[2] Also consider using Group Managed Service Accounts or another third party product such as password vaulting.[2]

M1026 (Privileged Account Management): Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[2]