1. Home
  2. ATT&CK Techniques
  3. T1558 Steal or Forge Kerberos Tickets

T1558 Steal or Forge Kerberos Tickets Mappings

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket.

Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Attackers may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.

View in MITRE ATT&CK®

NIST 800-53 Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
AC-16 Security and Privacy Attributes Protects T1558 Steal or Forge Kerberos Tickets
AC-17 Remote Access Protects T1558 Steal or Forge Kerberos Tickets
AC-18 Wireless Access Protects T1558 Steal or Forge Kerberos Tickets
AC-19 Access Control for Mobile Devices Protects T1558 Steal or Forge Kerberos Tickets
AC-2 Account Management Protects T1558 Steal or Forge Kerberos Tickets
AC-3 Access Enforcement Protects T1558 Steal or Forge Kerberos Tickets
AC-5 Separation of Duties Protects T1558 Steal or Forge Kerberos Tickets
AC-6 Least Privilege Protects T1558 Steal or Forge Kerberos Tickets
CA-7 Continuous Monitoring Protects T1558 Steal or Forge Kerberos Tickets
CM-2 Baseline Configuration Protects T1558 Steal or Forge Kerberos Tickets
CM-5 Access Restrictions for Change Protects T1558 Steal or Forge Kerberos Tickets
CM-6 Configuration Settings Protects T1558 Steal or Forge Kerberos Tickets
IA-2 Identification and Authentication (organizational Users) Protects T1558 Steal or Forge Kerberos Tickets
IA-5 Authenticator Management Protects T1558 Steal or Forge Kerberos Tickets
SC-4 Information in Shared System Resources Protects T1558 Steal or Forge Kerberos Tickets
SI-12 Information Management and Retention Protects T1558 Steal or Forge Kerberos Tickets
SI-3 Malicious Code Protection Protects T1558 Steal or Forge Kerberos Tickets
SI-4 System Monitoring Protects T1558 Steal or Forge Kerberos Tickets
SI-7 Software, Firmware, and Information Integrity Protects T1558 Steal or Forge Kerberos Tickets

Azure Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name Notes
alerts_for_windows_machines Alerts for Windows Machines technique_scores T1558 Steal or Forge Kerberos Tickets
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
  2. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference#alerts-windows
azure_sentinel Azure Sentinel technique_scores T1558 Steal or Forge Kerberos Tickets
Comments
This control only provides minimal to partial coverage for some this technique's sub-techniques, resulting in an overall score of Minimal.
References
  1. https://docs.microsoft.com/en-us/azure/sentinel/overview
  2. https://docs.microsoft.com/en-us/azure/sentinel/hunting
microsoft_defender_for_identity Microsoft Defender for Identity technique_scores T1558 Steal or Forge Kerberos Tickets
Comments
This control provides partial detection for most of this technique's sub-techniques, resulting in an overall Partial score.
References
  1. https://docs.microsoft.com/en-us/defender-for-identity/what-is
azure_defender_for_app_service Azure Defender for App Service technique_scores T1558 Steal or Forge Kerberos Tickets
Comments
This control only covers one procedure for one of this technique's sub-techniques, resulting in an overall Minimal score.
References
  1. https://docs.microsoft.com/en-us/azure/security-center/alerts-reference
  2. https://docs.microsoft.com/en-us/azure/security-center/defender-for-app-service-introduction
  3. https://azure.microsoft.com/en-us/services/app-service/
  4. https://docs.microsoft.com/en-us/azure/security-center/defender-for-servers-introduction
azure_ad_identity_secure_score Azure AD Identity Secure Score technique_scores T1558 Steal or Forge Kerberos Tickets
Comments
This control provides recommendations that lead to protections for some of the sub-techniques of this technique and therefore its overall protection coverage is Partial.
References
  1. https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/identity-secure-score
  2. https://techcommunity.microsoft.com/t5/azure-active-directory-identity/new-tools-to-block-legacy-authentication-in-your-organization/ba-p/1225302#
  3. https://docs.microsoft.com/en-us/defender-for-identity/cas-isp-unsecure-account-attributes
  4. https://techcommunity.microsoft.com/t5/microsoft-defender-for-identity/new-identity-security-posture-assessments-riskiest-lmps-and/m-p/1491675

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1558.004 AS-REP Roasting 22
T1558.001 Golden Ticket 13
T1558.003 Kerberoasting 23
T1558.002 Silver Ticket 20