Merge PR #5761 from @swachchhanda000 - feat: Suspicious Kerberos ticket request via CLI

update: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock - Add the "GetRequest()" string new: Suspicious Kerberos Ticket Request via CLI --------- Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <nasbench@users.noreply.github.com>
2025-11-23 21:12:40 +05:45
parent 0d7658fb3a
commit 37024247ae
2 changed files with 50 additions and 5 deletions
@@ -1,14 +1,18 @@
-title: Request A Single Ticket via PowerShell
+title: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
 id: a861d835-af37-4930-bcd6-5b178bfb54df
+related:
+    - id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
+      type: similar
 status: test
 description: |
-    utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
-    This behavior is typically used during a kerberos or silver ticket attack.
-    A successful execution will output the SPNs for the endpoint in question.
+    Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.
+    This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
 references:
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
+    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
 author: frack113
 date: 2021-12-28
+modified: 2025-11-18
 tags:
    - attack.credential-access
    - attack.t1558.003
@@ -18,7 +22,9 @@ logsource:
    definition: 'Requirements: Script Block Logging must be enabled'
 detection:
    selection:
-        ScriptBlockText|contains: System.IdentityModel.Tokens.KerberosRequestorSecurityToken
+        ScriptBlockText|contains|all:
+            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
+            - '.GetRequest()'
    condition: selection
 falsepositives:
    - Unknown
@@ -0,0 +1,39 @@
+title: Suspicious Kerberos Ticket Request via CLI
+id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
+related:
+    - id: a861d835-af37-4930-bcd6-5b178bfb54df
+      type: similar
+status: experimental
+description: |
+    Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.
+    Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to
+    perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse
+    techniques like silver ticket attacks.
+references:
+    - https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
+    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
+    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-18
+tags:
+    - attack.credential-access
+    - attack.t1558.003
+logsource:
+    category: process_creation
+    product: windows
+detection:
+    selection_img:
+        - Image|endswith:
+              - '\powershell.exe'
+              - '\pwsh.exe'
+        - OriginalFileName:
+              - 'powershell.exe'
+              - 'pwsh.dll'
+    selection_cli:
+        CommandLine|contains|all:
+            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
+            - '.GetRequest()'
+    condition: all of selection_*
+falsepositives:
+    - Legitimate command line usage by administrators or security tools.
+level: high