T1558 Steal or Forge Kerberos Tickets Mappings

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: the client, the service, and the Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and, through an exchange of Kerberos tickets issued by the KDC, are granted access once they have successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may abuse Kerberos by stealing or forging tickets to obtain unauthorized access.

On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)


NIST 800-53 Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CA-07 | Continuous Monitoring | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| CM-06 | Configuration Settings | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| CM-05 | Access Restrictions for Change | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| IA-05 | Authenticator Management | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| AC-17 | Remote Access | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| AC-19 | Access Control for Mobile Devices | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| SC-04 | Information in Shared System Resources | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| SI-12 | Information Management and Retention | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| SI-03 | Malicious Code Protection | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| AC-16 | Security and Privacy Attributes | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| AC-18 | Wireless Access | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| CM-02 | Baseline Configuration | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| SI-04 | System Monitoring | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| AC-02 | Account Management | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| AC-03 | Access Enforcement | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| AC-05 | Separation of Duties | mitigates | T1558 | Steal or Forge Kerberos Tickets | |
| AC-06 | Least Privilege | mitigates | T1558 | Steal or Forge Kerberos Tickets | |

VERIS Mappings

| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1558 | Steal or Forge Kerberos Tickets | |

ATT&CK Subtechniques

| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1558.005 | Ccache Files | 12 |
| T1558.004 | AS-REP Roasting | 23 |
| T1558.001 | Golden Ticket | 10 |
| T1558.002 | Silver Ticket | 21 |
| T1558.003 | Kerberoasting | 24 |