- Home
- SIEM use cases
- Silver Ticket Attack Detection
How to detect Silver Ticket attacks
In this page
Threat snapshot
A Silver Ticket is a forged Kerberos service ticket. Where a Golden Ticket forges a TGT and can impersonate any user against any service in the domain, a Silver Ticket forges a TGS directly, granting persistent authenticated access to one specific service on one specific host. The scope is narrower, but the stealth advantage is significant: forging a TGS does not require contacting the KDC. The entire attack happens offline and then locally, with no network traffic to the domain controllers that would generate Kerberos authentication events.
To forge a Silver Ticket, the attacker needs the NTLM hash of the service account that runs the target service. For machine account services such as CIFS, HOST, or RPCSS running on a domain-joined computer, this means the machine account hash. For database services, web services, or application services running under dedicated service accounts, it means that service account's hash. These hashes are available to an attacker who has performed DCSync, dumped LSASS on the target machine, or extracted credentials from the Active Directory database.
Once forged, the Silver Ticket is presented directly to the target service. The service validates it using its own key (derived from its account hash) without consulting the KDC. A valid KDC signature is not present in the ticket, which is the forensic anomaly that modern Kerberos implementations can detect, but which most environments do not monitor for. The result: the attacker authenticates to the target service as any domain user they choose, including domain administrators, with the session appearing entirely legitimate from the service's perspective.
Silver Ticket attacks, at a glance
| Severity | Critical |
| Category | Identity & Access |
| Attack variants covered | Mimikatz-based Silver Ticket forging, Rubeus TGS forging, KrbRelay and KrbRelayUp service ticket relay, anomalous KDC-bypassing Kerberos service authentication |
| MITRE ATT&CK tactic | TA0006 - Credential Access |
| MITRE techniques | T1558.002 - Silver Ticket, T1558.003 - Kerberoasting (prerequisite hash acquisition), T1558 - Steal or Forge Kerberos Tickets |
| Platforms covered | Windows, Active Directory |
| Log360 detection rules |
|
| SOC maturity level | Level 3 - Incident Response |
| Compliance mapping | NIST CSF PR.AC-7, PCI-DSS 8.6, HIPAA Section 164.312(d), ISO 27001 A.9.4.2 |
How Silver Ticket attacks work
A Silver Ticket attack has two phases: service account hash acquisition, and ticket forging followed by service access. The diagram below illustrates both phases and the critical difference between legitimate and forged Kerberos service authentication.
Phase 1: Acquiring the service account hash
A Silver Ticket requires the NTLM hash of the account whose key is used to encrypt the target service ticket. For Windows built-in services such as CIFS (file sharing), HOST (remote management), RPCSS, HTTP, or MSSQL, this is typically the machine account hash (machinename$). For application services running under dedicated service accounts, it is that account's hash. The attacker obtains this hash via one of three routes: DCSync using Mimikatz's lsadump::dcsync command to replicate the hash directly from Active Directory (requires domain admin or replication rights), LSASS memory dump on the target machine or a DC to extract cached hashes, or Kerberoasting which requests a TGS for service accounts with SPNs and then offline-cracks it to recover the cleartext password and derive the NTLM hash.
Log signals for hash acquisition: Windows Security Event 4662 (operation performed on AD object) with replication GUIDs for DCSync. Sysmon Event 10 (process accessed) with lsass.exe as the target for LSASS dumping. Windows Security Event 4769 (TGS request) with RC4 encryption type for Kerberoasting. Sysmon Event 1 for Mimikatz or Rubeus process creation.
Phase 2: Forging and using the ticket
With the hash in hand, the attacker uses Mimikatz's kerberos::golden command (despite the name, it also forges Silver Tickets when the /service parameter is specified) or Rubeus's silver command to create a forged TGS. The ticket specifies the target service (e.g., cifs/fileserver01.domain.com), the impersonated user (typically Administrator or a domain admin), and is signed with the service account's hash. When the ticket is injected into the current session using /ptt (pass-the-ticket), the attacker can access the target service as the impersonated user.
The critical forensic property is what the forged TGS does not contain: a valid KDC Privilege Attribute Certificate (PAC) signature. Modern Windows DCs running in PAC validation mode can detect this, but this validation is not universally enabled. Environments that do not have PAC validation enforced have no service-side protection against Silver Tickets. Log360's detection focuses on the tooling layer (Mimikatz and Rubeus process creation and file artifacts) and the network anomaly layer (Kerberos service authentication that bypasses the normal TGT exchange pattern).
Log signals for ticket use: Sysmon Event 11 for .kirbi file creation in user-accessible paths (Mimikatz writes the forged ticket to disk when using the /ticket parameter). Windows Security Event 4624 with logon type 3 (network) for successful service access. The absence of corresponding Event 4768 (TGT request) or Event 4769 (TGS request) from the KDC for the same client and timeframe is the KDC-bypass anomaly that the Uncommon Outbound Kerberos Connection rule targets.
KrbRelay and KrbRelayUp: Kerberos service ticket relay
KrbRelay and KrbRelayUp are Kerberos relay tools that coerce SYSTEM-level Kerberos authentication from a Windows machine and relay it to a local or remote service to escalate privileges or gain unauthorized service access. They leverage the same fundamental property as Silver Tickets: a valid Kerberos service ticket can be obtained without the user's knowledge or consent by coercing the SYSTEM account to authenticate. KrbRelayUp specifically targets local privilege escalation by relaying SYSTEM authentication to the local LDAP service to grant DCSync or other elevated rights. Both tools produce distinctive process creation signatures detectable via Sysmon Event 1.
Real-world campaigns
APT actors: Silver Tickets for persistent, low-noise lateral movement
Silver Tickets are preferred by sophisticated threat actors for post-compromise lateral movement to specific high-value services because they generate no KDC authentication events. An APT group that has obtained machine account hashes via DCSync can forge CIFS tickets for file servers or HTTP tickets for internal web applications and access those services repeatedly over extended periods without any authentication traffic appearing on domain controllers. This makes Silver Ticket-based access particularly difficult to detect via standard KDC log analysis and explains why detection must focus on the tooling layer and anomalous Kerberos network behavior rather than traditional authentication event monitoring.
Ransomware pre-deployment: CIFS Silver Tickets for mass file server access
Several ransomware operators have been documented using Silver Tickets targeting the CIFS service on file servers as part of their pre-encryption data staging phase. With a forged CIFS ticket for the file server's machine account, the attacker has authenticated access to all file shares on that server as an Administrator, without triggering any authentication events on the domain controllers. The files can be enumerated, staged for exfiltration, or directly targeted for encryption using this access. The absence of corresponding KDC events for what appears to be a successful file server authentication is the primary network anomaly indicator.
Attack technique reference table
| Tool / method | Hash requirement | Target service | Detectable by |
|---|---|---|---|
| Mimikatz kerberos::golden /service | Service account or machine account NTLM hash | Any Kerberos-enabled service (CIFS, HTTP, MSSQL, HOST, RPCSS) | HackTool - Mimikatz Execution, Mimikatz Detection, HackTool - Mimikatz Kirbi File Creation |
| Rubeus silver | Service account NTLM hash or AES key | Any Kerberos-enabled service | Rubeus detection |
| KrbRelay | None - coerces SYSTEM auth | Local or remote LDAP, SMB, HTTP | HackTool - KrbRelay Execution |
| KrbRelayUp | None - coerces SYSTEM auth | Local LDAP (privilege escalation) | HackTool - KrbRelayUp Execution |
| Pass-the-Ticket using forged TGS | Hash already obtained | Service specified in forged ticket | Uncommon Outbound Kerberos Connection, HackTool - Mimikatz Kirbi File Creation |
Business impact
- No KDC visibility means standard Kerberos monitoring fails entirely. The defining property of Silver Ticket attacks is that the KDC is not involved in ticket validation. Every detection strategy that relies on KDC logs, Event 4768, or Event 4769 will see nothing. The only monitoring layers that catch Silver Tickets are endpoint-level tooling detection (Mimikatz, Rubeus process creation) and network anomaly detection for Kerberos service presentations without corresponding TGT requests.
- Persistent service-specific access that survives password resets. A Silver Ticket forged from a machine account hash remains valid until the machine account password is rotated, which by default happens every 30 days automatically. During that window, the attacker has persistent access to all services on that machine. Rotating domain admin passwords, krbtgt passwords, or even the service account's AD password does not invalidate a Silver Ticket already in use, because the ticket is validated by the service using its own cached key, not by querying AD.
- Targeted access to high-value services. Silver Tickets can target any Kerberos-enabled service: CIFS for file access, HTTP for internal web applications, MSSQL for database access, HOST for remote desktop sessions, RPCSS for remote procedure calls. An attacker with the hash for a database server's machine account has authenticated SQL access to that server as any user they choose. The specificity of targeting makes Silver Ticket attacks harder to detect via volume-based anomaly detection because access volume may match normal patterns.
- Compliance and breach assessment complexity. Because Silver Ticket access generates no KDC authentication events and presents as a legitimate service session from the service's perspective, determining the full scope of what an attacker accessed using a Silver Ticket requires endpoint-level forensic analysis of the affected service's logs rather than centralized KDC or domain controller log review. This significantly complicates breach scope determination and extends the time required for accurate incident assessment.
Detecting Silver Ticket attacks with Log360
Log360's seven detection rules for Silver Ticket attacks cover three distinct detection layers. The first layer catches the tooling used to forge tickets (Mimikatz execution and Kirbi file creation, Rubeus execution). The second layer catches the relay tools that obtain service tickets via coercion (KrbRelay, KrbRelayUp). The third layer catches the behavioral anomaly of Kerberos service authentication that bypasses normal KDC interaction (Uncommon Outbound Kerberos Connection). For endpoint-based rules, Sysmon must be deployed on domain-joined endpoints with process creation (Event 1) and file creation (Event 11) logging enabled and forwarding to Log360.
Ticket forging tool detection
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| HackTool - Mimikatz Kirbi File Creation | Critical | Windows | T1558 | Creation of a .kirbi file on disk, detected via Sysmon Event 11 (file creation). A .kirbi file is the binary format in which Kerberos tickets are stored and exported by Mimikatz. Mimikatz writes .kirbi files when using the kerberos::list /export command to export existing tickets, or when forging Silver or Golden Tickets with the /ticket parameter. Critical severity because .kirbi file creation in user-accessible paths has no legitimate use outside of authorized security assessments. Any .kirbi file in a temp, download, or user profile directory is a high-confidence indicator of active ticket manipulation. |
| HackTool - Mimikatz Execution | Trouble | Windows | T1003.001 | Mimikatz binary execution detected via Sysmon process creation (Event 1) based on its known binary signatures, command-line patterns, or parent-child process relationships. Mimikatz is the primary tool for both obtaining the service account hashes needed for Silver Ticket forging (sekurlsa::logonpasswords, lsadump::dcsync) and for the forging itself. Detecting Mimikatz execution provides coverage for the full Silver Ticket workflow even if the specific Silver Ticket forging commands are not individually identified. |
| Mimikatz Detection | Critical | Windows | T1003 | Advanced rule covering Mimikatz execution patterns including renamed binaries, reflective loading, and in-memory execution that may not match standard binary signature detection. Complements HackTool - Mimikatz Execution by providing broader coverage for obfuscated or living-off-the-land Mimikatz execution techniques that attackers use to evade signature-based detection. Critical severity due to the breadth of attacks Mimikatz enables. |
| Rubeus detection | Critical | Windows | T1558.003 | Rubeus binary or in-memory execution detected via Sysmon process creation or behavioral patterns. Rubeus is a C# Kerberos toolkit that includes dedicated Silver Ticket forging capability via its silver command, pass-the-ticket via ptt, and ticket export via dump. It is widely used as a modern alternative to Mimikatz for Kerberos attacks specifically because it executes as a managed .NET assembly that can be loaded entirely in memory. Critical severity because Rubeus execution in a production environment has no legitimate use case. |
Kerberos relay tool detection
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| HackTool - KrbRelay Execution | Trouble | Windows | T1558.003 | KrbRelay binary execution detected via Sysmon process creation. KrbRelay coerces SYSTEM-level Kerberos authentication from the target machine and relays it to a Kerberos-enabled service (LDAP, SMB, HTTP) to perform operations under the SYSTEM account's identity, bypassing standard authorization controls. It is used to obtain service tickets for services the attacker wants to access and to grant elevated permissions to attacker-controlled accounts via LDAP relay. |
| HackTool - KrbRelayUp Execution | Trouble | Windows | T1558.003 | KrbRelayUp binary execution detected via Sysmon process creation. KrbRelayUp is a simplified version of KrbRelay specifically designed for local privilege escalation: it coerces SYSTEM authentication, relays it to the local LDAP service, and grants DCSync or shadow credentials to an attacker-controlled account, enabling domain-level access from a low-privilege starting position. Its execution on any domain-joined machine should trigger immediate incident response. |
Anomalous Kerberos network behavior
| Rule name | Severity | Platform | MITRE technique | What it detects |
|---|---|---|---|---|
| Uncommon Outbound Kerberos Connection | Trouble | Windows | T1558 | Kerberos authentication traffic (TCP/UDP port 88) to an unusual destination, or a Kerberos service ticket presentation that deviates from the normal pattern of TGT acquisition followed by TGS request. Silver Ticket use is detectable at the network layer because the attacker presents a TGS to the target service without any preceding TGT request to the KDC from the same client. This rule covers both the anomalous destination pattern (Kerberos traffic to non-DC hosts indicating ticket replay) and the temporal anomaly pattern (service ticket presentation without corresponding KDC interaction). Provides the behavioral detection layer that catches Silver Ticket use even when Mimikatz and Rubeus are not directly detected. |
Attack chain visibility
The two sequences below show what Silver Ticket attacks look like in the logs, covering both the Mimikatz-based and Rubeus-based forging paths. The defining feature in both sequences is what is absent: no Event 4768 or 4769 from the KDC corresponding to the service access.
Sequence A: Mimikatz Silver Ticket against file server CIFS service
| Step | Log source and event | What it indicates | Time offset |
|---|---|---|---|
| 1 | Windows Security Event 4662 on DC (replication) | Mimikatz DCSync executed against the file server's machine account (fileserver01$). The NTLM hash of fileserver01$ is extracted. This is the hash acquisition step. Mimikatz Detection or HackTool - Mimikatz Execution rule fires. | T+0 |
| 2 | Sysmon Event 11 (file creation) on attacker host | A .kirbi file is created in a user temp or download path on the attacker's machine. HackTool - Mimikatz Kirbi File Creation rule fires. The Silver Ticket for fileserver01 CIFS has been forged and written to disk. | T+2 min |
| 3 | Windows Security Event 4624 (Type 3, NTLM) on fileserver01 | A successful network logon to fileserver01 appears as domain\Administrator. No corresponding Event 4768 or 4769 exists on any DC for this logon. The Uncommon Outbound Kerberos Connection rule fires on the anomalous Kerberos service ticket presentation pattern. | T+3 min |
| 4 | Windows Security Event 4663 on fileserver01 (file access) | Mass file access events from the domain\Administrator identity begin on fileserver01. The attacker is accessing or staging files for exfiltration using the forged CIFS ticket. All access appears as a legitimate Administrator session from the service's perspective. | T+3 min onward |
Sequence B: KrbRelayUp local privilege escalation
| Step | Log source and event | What it indicates | Time offset |
|---|---|---|---|
| 1 | Sysmon Event 1 (Process Creation) on target host | KrbRelayUp.exe executes on a machine where the attacker has low-privilege access. HackTool - KrbRelayUp Execution rule fires. The tool will coerce SYSTEM authentication and relay it to the local LDAP service. | T+0 |
| 2 | Windows Security Event 4662 on DC (LDAP write) | The relayed SYSTEM authentication to LDAP writes shadow credentials (msDS-KeyCredentialLink) or DCSync rights to an attacker-controlled account. The access is attributed to the machine account, not the attacker's user account. | T+1 min |
| 3 | Windows Security Event 4768 (Kerberos TGT) on DC | PKINIT authentication using the shadow credentials yields a TGT for the machine account. The attacker now has a Kerberos ticket for the machine account, enabling DCSync and full domain compromise from what was initially a low-privilege foothold. | T+2 min |
Investigation playbook
Silver Ticket investigations are complicated by the absence of KDC logs. The investigation must be reconstructed from endpoint-level evidence: the tooling artifacts (Mimikatz/Rubeus process creation, .kirbi files), the network anomaly signals from the Uncommon Outbound Kerberos Connection rule, and the service-level access logs on the targeted hosts.
Step 1: Triage - identify the detection layer and scope
| Rule that fired | What it means | Immediate scope | First action |
|---|---|---|---|
| HackTool - Mimikatz Kirbi File Creation | A Kerberos ticket has been forged or exported to disk. Silver or Golden Ticket in progress. | The host where the .kirbi file was created. Determine which service the ticket targets from the filename or file content. | Identify the .kirbi file path from the Sysmon Event 11 record. Check parent process from the same time window. Determine the target service and host from the ticket content if accessible. |
| HackTool - Mimikatz Execution or Mimikatz Detection | Mimikatz is running on an endpoint. Both hash extraction and ticket forging are possible. | The host running Mimikatz. All service account hashes accessible from that host or via DCSync should be treated as compromised. | Identify the Mimikatz command-line arguments from Sysmon Event 1. Determine whether DCSync, sekurlsa, or kerberos commands were used. Assume all reachable service hashes are now in attacker hands. |
| Rubeus detection | Rubeus is running. Silver Ticket forging, Kerberoasting, or ticket manipulation is in progress. | The host running Rubeus and any services it is targeting. | Identify Rubeus arguments. If silver command detected, identify the target service and SPN. If dump command detected, assume all Kerberos tickets in memory on that host are compromised. |
| Uncommon Outbound Kerberos Connection | Kerberos service authentication is occurring without the normal KDC ticket exchange pattern, indicating possible Silver Ticket use. | The source host and target service identified in the network event. | Check the source host for Mimikatz or Rubeus execution in the same time window. Check whether there are Event 4768/4769 records on any DC for the same client IP and time period. Absence of KDC records alongside successful service access confirms Silver Ticket use. |
| HackTool - KrbRelay or KrbRelayUp Execution | Kerberos relay attack in progress. Local or remote privilege escalation via SYSTEM authentication relay. | The host running the relay tool and the LDAP or SMB service being targeted. | Check AD for new msDS-KeyCredentialLink attribute writes or new ACL grants on high-privilege AD objects in the same time window. Treat as active privilege escalation. |
Step 2: Identify which service accounts and hashes are compromised
- If Mimikatz DCSync commands were detected, identify all accounts whose hashes were requested from the Event 4662 records on domain controllers. Each account whose hash was extracted should be treated as compromised for Silver Ticket purposes: the attacker can forge service tickets for any service running under those accounts.
- If LSASS dumping was detected (Sysmon Event 10 targeting lsass.exe), identify all accounts with active sessions on the compromised host at the time of the dump. Those accounts' hashes were in LSASS memory and should be treated as extracted.
- Check whether machine account hashes for high-value servers (file servers, database servers, domain controllers) were included in the scope of any DCSync or LSASS dump operation. Machine account hashes enable Silver Tickets for CIFS, HTTP, HOST, RPCSS, and other built-in services on those machines.
- Query the Uncommon Outbound Kerberos Connection alerts to identify which specific services have already been accessed using Silver Tickets. Each anomalous Kerberos connection to a service that lacks corresponding KDC records represents confirmed Silver Ticket access to that service.
Step 3: Investigate using the Incident Workbench
- Click on the affected hostname or compromised account in the alert to open the Incident Workbench. Use the Process analytics tab on the host where Mimikatz, Rubeus, or the relay tools were detected. The process tree shows what spawned the attack tool, providing the prior compromise chain that gave the attacker access to the machine.
- Use the User analytics tab for any domain accounts impersonated in Silver Ticket sessions. UEBA anomaly scores will spike for accounts that are simultaneously showing normal activity on their assigned workstations and Silver Ticket-based access to services from a different source IP.
- Use Advanced Threat Analytics on external IPs involved in any C2 activity identified from the process tree to pull threat feed risk scores and confirm the attack infrastructure context.
- Save the Incident Workbench session to an incident. Silver Ticket incidents almost always represent a deeper compromise than the initial alert suggests; the saved session documents the scope of the investigation for stakeholder reporting.
Step 4: Scope the forged ticket exposure window
- Identify the time of earliest Mimikatz or Rubeus detection. Any service access from the attack source IP to high-value services after that time should be reviewed as potentially Silver Ticket-based, even if no Kerberos anomaly rule fired for it.
- Review service-level logs on each targeted host for access attributed to high-privilege accounts (Administrator, domain admin accounts) from the attack source IP or from unexpected sources. These access events are the forensic record of what the attacker did using the Silver Ticket access.
- Determine whether any .kirbi files were exfiltrated from the compromised machine. .kirbi files can be used from any machine with network access to the target service; if the file was exfiltrated, the Silver Ticket access window extends beyond the original compromised host.
Step 5: Collect evidence and build the timeline
- Export Sysmon Event 1 (process creation with full command line), Event 10 (LSASS access), and Event 11 (file creation of .kirbi files) from the compromised host for the attack window.
- Export Windows Security Event 4662 from domain controllers for DCSync operations in the attack window. These records document which account hashes were extracted.
- Export service access logs from targeted hosts showing access by high-privilege accounts from the attack source IP during the Silver Ticket window.
- Export the Incident Workbench session and UEBA risk score history as the evidence record for incident documentation and breach assessment.
Response and remediation
Immediate containment
- Rotate all service account passwords and machine account passwords for any account whose hash was extracted. Service account password rotation is straightforward. Machine account password rotation requires forcing a password change on the machine account via
Reset-ComputerMachinePasswordon the affected machine, which invalidates any outstanding Silver Tickets forged using the old hash. - Rotate the krbtgt password twice as part of Silver Ticket remediation when DCSync was confirmed. This ensures no outstanding Golden Tickets remain valid, and it forces re-issuance of all TGTs, which invalidates any pass-the-ticket sessions derived from legitimate TGTs that may have been injected alongside Silver Tickets.
- Isolate the host where Mimikatz or Rubeus ran from the network immediately. The machine is compromised and is the attacker's operational platform for the current phase of the attack. Isolation prevents the use of already-forged tickets still in the attacker's possession.
- Delete any .kirbi files identified on compromised or accessible machines. .kirbi files are portable and reusable; their presence on any machine means that machine or any machine it can reach has the material for Silver Ticket replay.
Response actions by trigger
| Trigger | Immediate action | Owner |
|---|---|---|
| HackTool - Mimikatz Kirbi File Creation (Critical) | Isolate the host. Identify the target service from the .kirbi file. Rotate the relevant service or machine account password immediately. Check targeted service access logs. | SOC L3 + AD Team |
| Rubeus detection (Critical) | Isolate the host. Identify Rubeus command from process arguments. If silver command detected, rotate targeted service account hash. If dump command detected, rotate all accounts with active sessions on that host. | SOC L3 + Incident Response |
| Uncommon Outbound Kerberos Connection with no KDC records | Confirm Silver Ticket use. Identify source host and target service. Rotate target service account password. Review service access logs from the ticket window. Check source host for Mimikatz/Rubeus. | SOC L2 + SOC L3 |
| HackTool - KrbRelayUp Execution | Isolate host. Check AD for new shadow credentials or new ACL grants on high-privilege objects. Remove any attacker-written msDS-KeyCredentialLink entries. Treat as active privilege escalation - declare incident. | SOC L3 + Incident Response |
Hardening
- Enable PAC validation on all domain controllers. Setting the
ValidateKdcPacSignatureregistry value to 1 on domain controllers enables server-side validation that TGS tickets include a valid KDC PAC signature. Forged Silver Tickets do not have this signature and will be rejected. This is the most direct preventive control against Silver Ticket attacks but requires testing in environments with legacy applications that may not produce valid PAC signatures. - Use Group Managed Service Accounts (gMSAs) for all service accounts. gMSAs use 240-character randomly generated passwords that rotate automatically, making offline cracking and hash reuse for Silver Tickets impractical. Replacing traditional service accounts with gMSAs eliminates the hash acquisition step for those accounts.
- Enable Credential Guard on domain-joined endpoints. Windows Defender Credential Guard stores NTLM hashes and Kerberos tickets in a virtualization-based security enclave that is inaccessible to Mimikatz's sekurlsa module, blocking the LSASS dump hash acquisition path for Silver Tickets.
- Implement a tiered administration model that prevents domain admin credentials from ever being cached on workstations or application servers. If domain admin hashes are never present in LSASS outside of designated Tier 0 management machines, the scope of potential Silver Ticket targets is significantly reduced.
False positive tuning
| False positive source | Rules affected | Tuning strategy |
|---|---|---|
| Authorized penetration testing and red team exercises | All 7 detection rules | Create time-bounded exceptions scoped to the authorized assessment source IP range and tied to the approved change ticket. Mimikatz Kirbi File Creation and Rubeus detection rules should never have permanent exclusions in production environments. Remove exceptions immediately when the assessment window closes. |
| Legitimate Kerberos delegation in complex application architectures | Uncommon Outbound Kerberos Connection | Multi-tier application architectures using constrained or unconstrained Kerberos delegation can generate Kerberos service ticket presentations that deviate from the standard single-hop TGT-to-TGS pattern. Document all applications using Kerberos delegation and their expected Kerberos traffic patterns. Create allowlist entries for specific source-to-destination Kerberos connections that are confirmed legitimate. Alert on Kerberos service presentations from any source not in the delegation allowlist. |
| Security tooling that reads .kirbi files for legitimate analysis | HackTool - Mimikatz Kirbi File Creation | Legitimate security tools such as Kerberos ticket analyzers or forensic tools may create or read .kirbi format files as part of authorized security operations. Create an allowlist scoped to specific authorized security tool executables and the specific authorized user accounts permitted to run them. Any .kirbi file creation from a process not in the authorized list should always alert. |
| Mimikatz used by authorized security team for password auditing | HackTool - Mimikatz Execution, Mimikatz Detection | Internal red teams or security operations staff may use Mimikatz in authorized assessments. Create time-bounded exceptions tied to approved work orders and scoped to the specific authorized machine and user account. Never create a permanent exclusion for Mimikatz execution from any account on any production machine. Mimikatz execution outside of an authorized assessment window is always high-priority regardless of the executing account. |
