Request A Single Ticket via PowerShell
Rule name | Rule type | Log sources | MITRE ATT&CK tags | Severity |
Request A Single Ticket via PowerShell | Standard | Windows | Credential Access: Steal or Forge Kerberos Tickets - Kerberoasting (T1558.003) | Critical |
About the rule
Rule Type
Standard
Rule Description
This detection identifies PowerShell script blocks that use the .NET class System.IdentityModel.Tokens.KerberosRequestorSecurityToken to request a Kerberos service ticket (TGS) for a single Service Principal Name (SPN). Because a service ticket is encrypted with the key of the account that owns the SPN, an attacker can take the ticket offline and crack it to recover that account's password (Kerberoasting); with the recovered key the attacker can forge service tickets (silver tickets), impersonate the service, and escalate privileges within the domain. Unlike bulk Kerberoasting tools, this approach produces a single ticket request, which is easy to miss in volume-based TGS monitoring.
Severity
Trouble
Rule journey
Attack chain scenario
Exposed remote desktop services → Credential theft → Attacker requests a service ticket for a target SPN using PowerShell → TGS tickets harvested and cracked offline → Lateral movement
Impact
- Exposure of service account credentials
- Impersonation of domain services
- Domain compromise
Rule Requirement
Prerequisites
Log on to the Group Policy Management Console with administrative privileges and, in the Group Policy Management Editor, enable Module Logging for Windows PowerShell (Computer Configuration > Administrative Templates > Windows Components > Windows PowerShell > Turn on Module Logging), entering * in the Module Names window so that all modules are recorded. Similarly enable Turn on PowerShell Script Block Logging; this rule matches on the script block text that Script Block Logging writes to the Microsoft-Windows-PowerShell/Operational log as Event ID 4104, so without it the rule cannot fire. Finally, create a new registry key "Microsoft-Windows-Powershell/Operational" under "Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\".
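The following is an added example, not part of the original page: a PowerShell check that the prerequisites above actually took effect on a host. It reads the policy registry keys that the "Turn on Module Logging" and "Turn on PowerShell Script Block Logging" GPO settings write under HKLM\SOFTWARE\Policies\Microsoft\Windows\PowerShell, and confirms that the Microsoft-Windows-PowerShell/Operational channel is enabled. The function name is my own; run it in an elevated session on a machine the GPO applies to.

```powershell
# Added example (not part of the original page): verify the logging prerequisites
# the rule depends on. Run as administrator after gpupdate /force.

$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell'

function Get-PolicyDword {
    param([string]$Key, [string]$Name)
    try   { (Get-ItemProperty -Path $Key -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value missing: the policy has not been applied
}

function Test-PowerShellLoggingPrerequisites {
    $scriptBlock = Get-PolicyDword "$policyRoot\ScriptBlockLogging" 'EnableScriptBlockLogging'
    $module      = Get-PolicyDword "$policyRoot\ModuleLogging"      'EnableModuleLogging'

    # "Module Names" is a subkey whose value names are the module patterns; "*" means all.
    $moduleNames = @()
    $namesKey = "$policyRoot\ModuleLogging\ModuleNames"
    if (Test-Path $namesKey) {
        $moduleNames = (Get-Item $namesKey).GetValueNames()
    }

    # The channel the rule reads; script block text lands here as Event ID 4104.
    $log = Get-WinEvent -ListLog 'Microsoft-Windows-PowerShell/Operational' -ErrorAction SilentlyContinue
    $sizeMB = $null
    if ($log) { $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB) }

    [pscustomobject]@{
        ScriptBlockLoggingEnabled = ($scriptBlock -eq 1)          # required: rule matches 4104 text
        ModuleLoggingEnabled      = ($module -eq 1)               # Event ID 4103
        ModuleLoggingAllModules   = ($moduleNames -contains '*')
        OperationalLogEnabled     = ($null -ne $log -and $log.IsEnabled)
        OperationalLogSizeMB      = $sizeMB                       # small logs roll over quickly
    }
}

Test-PowerShellLoggingPrerequisites
```

If ScriptBlockLoggingEnabled comes back False the rule is blind on that host regardless of the SIEM configuration, so this check belongs in the rollout runbook for the collector.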
Criteria
Action1: actionname = "PowerShell Script Block Logged" AND SCRIPTEXECUTED contains "System.IdentityModel.Tokens.KerberosRequestorSecurityToken" select Action1.HOSTNAME,Action1.MESSAGE,Action1.SCRIPTEXECUTED
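As an added example (not code from the original page or the rule author), the criteria above reproduced in PowerShell so an analyst can hunt in the Microsoft-Windows-PowerShell/Operational log directly or unit-test the match on sample script blocks. Function names, host names and SPNs in the samples are hypothetical. The block also extracts the SPN passed to the class constructor, which is the service account the attacker is targeting, and includes a string-split sample that the rule's literal "contains" match does not catch.

```powershell
# Added example (not part of the original page): the rule's criteria reproduced in
# PowerShell, runnable against live Event ID 4104 records or against constructed
# sample script blocks. Host and SPN names in the samples are hypothetical.

$ClassName = 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'

function Test-SingleTicketRequest {
    # Returns whether the script block text satisfies the rule criteria
    # (SCRIPTEXECUTED contains the class name) and, when possible, the requested SPN.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$ScriptBlockText)

    $matched = $ScriptBlockText.IndexOf($ClassName, [System.StringComparison]::OrdinalIgnoreCase) -ge 0

    # First "service/host[:port]" literal after the class name: the account whose
    # ticket (and therefore password hash) the attacker wants.
    $spn = $null
    if ($ScriptBlockText -match '(?is)KerberosRequestorSecurityToken.*?[''"]([A-Za-z0-9_-]+/[^''"\s]+)[''"]') {
        $spn = $Matches[1]
    }

    [pscustomobject]@{ Matched = $matched; SPN = $spn }
}

function Find-SingleTicketRequest {
    # Walk recent 4104 events and emit the fields the rule selects (hostname,
    # script text) plus the requesting user, fragment index and extracted SPN.
    param([int]$Days = 7)

    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $result = Test-SingleTicketRequest -ScriptBlockText ([string]$data['ScriptBlockText'])
        if ($result.Matched) {
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                Hostname       = $_.MachineName
                UserSid        = $_.UserId
                ScriptBlockId  = $data['ScriptBlockId']
                Fragment       = "$($data['MessageNumber'])/$($data['MessageTotal'])"   # long scripts are split
                Path           = $data['Path']
                SPN            = $result.SPN
                ScriptExecuted = $data['ScriptBlockText']
            }
        }
    }
}

# Constructed samples. The second splits the class name across two string literals,
# so the rule's "contains" check does not fire on it: a known blind spot of a literal
# match, not something the rule claims to cover. The third is benign noise.
$samples = @(
    'Add-Type -AssemblyName System.IdentityModel; New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList "MSSQLSvc/sql01.corp.example:1433"',
    '$t = "System.IdentityModel.Tokens.Kerberos" + "RequestorSecurityToken"; New-Object $t -ArgumentList "HTTP/web01.corp.example"',
    'Get-Service -Name Spooler'
)
$samples | ForEach-Object { Test-SingleTicketRequest -ScriptBlockText $_ }

# Against the live log (needs Script Block Logging, see Prerequisites):
# Find-SingleTicketRequest -Days 30 | Format-List
```

Only the first sample satisfies the criteria; the second shows why the literal match should be backed by Event ID 4769 on the domain controllers, where the ticket request itself is recorded whatever the script looked like. Script Block Logging also splits large scripts into numbered fragments, so the class name and the SPN literal can land in different 4104 records; join on ScriptBlockId when reconstructing the full script.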
Detection
Execution Mode
realtime
Log Sources
Active Directory
MITRE ATT&CK
Credential Access: Steal or Forge Kerberos Tickets - Kerberoasting (T1558.003)
Security standard:
Enabling this rule will help you meet the security standard's requirement listed below:
DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events.
When this rule is triggered, you're notified of the presence of System.IdentityModel.Tokens.KerberosRequestorSecurityToken in PowerShell script execution. This enables you to monitor runtime environments like PowerShell, identify potential credential compromise, and detect service ticket requests made in preparation for Kerberoasting.
Author
frack113
Future actions
Known False Positives
Internal IT operations or diagnostic scripts may legitimately invoke this token class (for example, to test Kerberos authentication to a service), which would trigger this rule. Check the requesting user, the host, and the SPN named in the script block before escalating.
Next Steps
When this rule is triggered, the following measures can be implemented:
- Identification: Identify if the flagged event is a new incident or part of an existing incident.
- Analysis: Analyze the impact and extent of the incident to comprehend the severity of the attack using the Incident Workbench.
- Response: Respond promptly by initiating an automated workflow to interrupt the network connections and terminate the malicious process.
- Monitor TGS Activity: Enforce strong password policies for service accounts and watch for high TGS request rates. Correlate with Event ID 4769 on the domain controllers; a ticket encryption type of 0x17 (RC4-HMAC) is what Kerberoasting tools typically request, because RC4-encrypted tickets are far cheaper to crack than AES ones.
Mitigation
Mitigation ID | Mitigation Name | Mitigation description |
M1041 | Encrypt Sensitive Information | Ensure that Domain Controller backups are properly secured and encrypted. |
M1027 | Password Policies | Enforce complex and unique passwords for local administrator accounts across all systems in your network. Give accounts that own SPNs long, randomly generated passwords (or use group Managed Service Accounts) so that a cracked service ticket does not yield a usable credential. |
M1026 | Privileged Account Management | Windows: Avoid placing user or admin domain accounts into local administrator groups across systems unless tightly controlled, as this can be equivalent to having a local admin account with the same password everywhere. Follow best practices for designing and administering an enterprise network to limit privileged account use across administrative tiers. Linux: Scraping passwords from memory typically requires root privileges. Adhere to best practices for restricting access to privileged accounts to prevent malicious programs from accessing sensitive memory regions. |