Steal or Forge Kerberos Tickets - T1558
(ATT&CK® Technique)
Definition
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. A Kerberos environment, referred to as a “realm”, has three basic participants: the client, the service, and the Key Distribution Center (KDC). A client first authenticates to the KDC and receives a ticket-granting ticket (TGT); it then presents the TGT to the KDC to obtain a service ticket, and presents that service ticket to the service, which grants access. The KDC is therefore responsible for both authentication and ticket granting, and the service trusts the ticket rather than re-checking the user's credentials. Adversaries may abuse this trust by stealing legitimately issued tickets or by forging tickets, in either case gaining unauthorized access without authenticating to the KDC as that user.
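The definition above describes how tickets issued by the KDC carry the trust that services rely on; the detections D3FEND maps to this technique (ticket and protocol-metadata analysis) work by looking for tickets that a real KDC would not have issued under policy. The following is an added example, not code from D3FEND, ATT&CK or any vendor. It applies three well-known heuristics to constructed records: an RC4 (0x17) service ticket issued for a service account that supports AES (a Kerberoasting downgrade), a service ticket issued in the name of a principal the directory does not know (a forged ticket), and a cached TGT whose lifetime exceeds the domain's 10-hour default maximum (a forged TGT). The record layout mirrors Windows Security event 4769 and klist-style cache entries in simplified form; the sample events, the `AES_CAPABLE_SERVICES` set and the `KNOWN_ACCOUNTS` set are assumptions standing in for data that would come from the event log and Active Directory.

```python
"""Heuristic triage of Kerberos ticket telemetry for signs of T1558 abuse.

Added example (not D3FEND or ATT&CK code).  SAMPLE_4769 mimics Windows
Security event 4769 "A Kerberos service ticket was requested", reduced to
the fields the heuristics use; SAMPLE_CACHE mimics entries from a client's
ticket cache as `klist` lists them.  All records are constructed.
"""
from datetime import datetime, timedelta

# Kerberos policy default "Maximum lifetime for user ticket" is 10 hours.
# A forged (golden) TGT typically carries a far longer lifetime; Mimikatz
# defaults to ten years.
DOMAIN_MAX_TICKET_AGE = timedelta(hours=10)

RC4_ETYPE = "0x17"              # RC4-HMAC: what Kerberoasting tools usually request
AES_ETYPES = {"0x11", "0x12"}   # AES128 / AES256 CTS-HMAC-SHA1-96

# Constructed 4769 events. ServiceName is the service *account* name as logged.
SAMPLE_4769 = [
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.15"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_legacy",
     "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.15"},
    {"TargetUserName": "ghost@CORP.LOCAL", "ServiceName": "FS01$",
     "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.99"},
]

# Constructed ticket-cache entries (klist-style).
SAMPLE_CACHE = [
    {"Client": "alice@CORP.LOCAL", "Server": "krbtgt/CORP.LOCAL@CORP.LOCAL",
     "StartTime": "2024-05-01 08:00:00", "EndTime": "2024-05-01 18:00:00"},
    {"Client": "Administrator@CORP.LOCAL", "Server": "krbtgt/CORP.LOCAL@CORP.LOCAL",
     "StartTime": "2024-05-01 09:12:00", "EndTime": "2034-04-29 09:12:00"},
]

# Assumed directory facts; in practice these come from Active Directory
# (msDS-SupportedEncryptionTypes and the set of existing accounts).
AES_CAPABLE_SERVICES = {"FS01$", "svc_sql", "svc_web"}
KNOWN_ACCOUNTS = {"alice", "bob", "Administrator", "krbtgt"}


def rc4_tickets_for_aes_services(events, aes_capable=AES_CAPABLE_SERVICES):
    """Kerberoasting indicator (T1558.003): an RC4 service ticket was issued for
    a service account that supports AES, so the requester chose the weaker
    etype on purpose.  RC4 tickets for RC4-only legacy services are ignored."""
    return [e for e in events
            if e["TicketEncryptionType"] == RC4_ETYPE and e["ServiceName"] in aes_capable]


def tickets_for_unknown_principals(events, known=KNOWN_ACCOUNTS):
    """Forged-ticket indicator: a service ticket was issued in the name of a
    user the directory has never seen.  A golden ticket can carry any name."""
    return [e for e in events if e["TargetUserName"].split("@", 1)[0] not in known]


def overlong_tickets(cache, max_age=DOMAIN_MAX_TICKET_AGE):
    """Forged-TGT indicator (T1558.001): a cached ticket whose lifetime exceeds
    what domain policy would let a genuine KDC issue."""
    fmt = "%Y-%m-%d %H:%M:%S"
    hits = []
    for t in cache:
        lifetime = datetime.strptime(t["EndTime"], fmt) - datetime.strptime(t["StartTime"], fmt)
        if lifetime > max_age:
            hits.append({**t, "Lifetime": lifetime})
    return hits


def triage(events=SAMPLE_4769, cache=SAMPLE_CACHE):
    """Run all heuristics and return the findings keyed by indicator name."""
    return {
        "rc4_downgrade": rc4_tickets_for_aes_services(events),
        "unknown_principal": tickets_for_unknown_principals(events),
        "overlong_ticket": overlong_tickets(cache),
    }


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

Each heuristic needs a directory fact next to the log record (which services support AES, which accounts exist, what the policy lifetime is); without that join, RC4 tickets and long lifetimes are just noise. The lifetime check uses a strict greater-than so a ticket that exactly matches the 10-hour policy is not flagged.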
D3FEND Inferred Relationships
Relationships inferred from the D3FEND knowledge graph. The offensive technique is linked to the artifacts it produces, accesses, creates or forges; each defensive technique is linked to T1558 through the artifact it acts on.

T1558 (Steal or Forge Kerberos Tickets) and its artifacts:
  may-produce   RPC Network Traffic (d3f:RPCNetworkTraffic)
  may-access    Kerberos Ticket (d3f:KerberosTicket)
  may-create    Kerberos Ticket (d3f:KerberosTicket)
  forges        Kerberos Ticket Granting Ticket (d3f:KerberosTicketGrantingTicket)

Defensive techniques that may-detect T1558:
  Credential Compromise Scope Analysis (d3f:CredentialCompromiseScopeAnalysis) analyzes Kerberos Ticket, Kerberos Ticket Granting Ticket
  User Geolocation Logon Pattern Analysis (d3f:UserGeolocationLogonPatternAnalysis) analyzes RPC Network Traffic
  RPC Traffic Analysis (d3f:RPCTrafficAnalysis) analyzes RPC Network Traffic
  Client-server Payload Profiling (d3f:Client-serverPayloadProfiling) analyzes RPC Network Traffic
  Network Traffic Community Deviation (d3f:NetworkTrafficCommunityDeviation) analyzes RPC Network Traffic
  Per Host Download-Upload Ratio Analysis (d3f:PerHostDownload-UploadRatioAnalysis) analyzes RPC Network Traffic
  Network Traffic Signature Analysis (d3f:NetworkTrafficSignatureAnalysis) analyzes RPC Network Traffic
  Remote Terminal Session Detection (d3f:RemoteTerminalSessionDetection) analyzes RPC Network Traffic
  Protocol Metadata Anomaly Detection (d3f:ProtocolMetadataAnomalyDetection) analyzes RPC Network Traffic

Defensive techniques that may-deceive T1558:
  Decoy User Credential (d3f:DecoyUserCredential) spoofs Kerberos Ticket Granting Ticket, Kerberos Ticket

Defensive techniques that may-evict T1558:
  Authentication Cache Invalidation (d3f:AuthenticationCacheInvalidation) deletes Kerberos Ticket, Kerberos Ticket Granting Ticket
  Credential Revocation (d3f:CredentialRevocation) deletes Kerberos Ticket Granting Ticket, Kerberos Ticket

Defensive techniques that may-harden against T1558:
  Credential Rotation (d3f:CredentialRotation) regenerates Kerberos Ticket Granting Ticket, Kerberos Ticket
  Token Binding (d3f:TokenBinding) strengthens Kerberos Ticket Granting Ticket, Kerberos Ticket
  Multi-factor Authentication (d3f:Multi-factorAuthentication) uses Kerberos Ticket Granting Ticket, Kerberos Ticket
  Token-based Authentication (d3f:Token-basedAuthentication) uses Kerberos Ticket Granting Ticket, Kerberos Ticket
  Credential Hardening (d3f:CredentialHardening) hardens Kerberos Ticket Granting Ticket, Kerberos Ticket

Defensive techniques that may-isolate T1558:
  Credential Transmission Scoping (d3f:CredentialTransmissionScoping) isolates Kerberos Ticket, Kerberos Ticket Granting Ticket
  Network Traffic Filtering (d3f:NetworkTrafficFiltering) filters RPC Network Traffic

Defensive techniques that may-restore after T1558:
  Reissue Credential (d3f:ReissueCredential) restores Kerberos Ticket Granting Ticket, Kerberos Ticket