From 37024247ae013b5e59725d3d05282c71d23aaf47 Mon Sep 17 00:00:00 2001
From: Swachchhanda Shrawan Poudel <87493836+swachchhanda000@users.noreply.github.com>
Date: Sun, 23 Nov 2025 21:12:40 +0545
Subject: [PATCH] Merge PR #5761 from @swachchhanda000 - feat: Suspicious Kerberos ticket request via CLI
update: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock - Add the "GetRequest()" string
new: Suspicious Kerberos Ticket Request via CLI
---------
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali
---
 .../posh_ps_request_kerberos_ticket.yml | 16 +++++---
 ...rberos_kerberos_ticket_request_via_cli.yml | 39 +++++++++++++++++++
 2 files changed, 50 insertions(+), 5 deletions(-)
 create mode 100644 rules/windows/process_creation/proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml
diff --git a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
index 5571476ac..ed2abfb91 100644
--- a/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
+++ b/rules/windows/powershell/powershell_script/posh_ps_request_kerberos_ticket.yml
@@ -1,14 +1,18 @@
-title: Request A Single Ticket via PowerShell
+title: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
 id: a861d835-af37-4930-bcd6-5b178bfb54df
+related:
+ - id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
+ type: similar
 status: test
 description: |
- utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
- This behavior is typically used during a kerberos or silver ticket attack.
- A successful execution will output the SPNs for the endpoint in question.
+ Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.
+ This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
 references:
 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
+ - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
 author: frack113
 date: 2021-12-28
+modified: 2025-11-18
 tags:
 - attack.credential-access
 - attack.t1558.003
@@ -18,7 +22,9 @@ logsource:
 definition: 'Requirements: Script Block Logging must be enabled'
 detection:
 selection:
- ScriptBlockText|contains: System.IdentityModel.Tokens.KerberosRequestorSecurityToken
+ ScriptBlockText|contains|all:
+ - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
+ - '.GetRequest()'
 condition: selection
 falsepositives:
 - Unknown
diff --git a/rules/windows/process_creation/proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml b/rules/windows/process_creation/proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml
new file mode 100644
index 000000000..8951b7605
--- /dev/null
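Review bot: Switching `selection` to `ScriptBlockText|contains|all` means both literals must occur inside the same script-block event, so a token object constructed in one block and `.GetRequest()` invoked in a later one no longer matches where the previous single-string selection did; the commit narrows the rule but records that recall/precision trade-off nowhere in the file. Suggest stating it in the description so analysts tuning the rule know what was given up, e.g. `Both the class name and the GetRequest() call must appear within a single logged script block.` The `falsepositives: - Unknown` context line is carried over unchanged; if the narrower selection was introduced because of observed benign hits, naming them there would justify the change better than the hunk alone does. The rule's `level` line is outside this hunk.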
+++ b/rules/windows/process_creation/proc_creation_win_powershell_kerberos_kerberos_ticket_request_via_cli.yml
@@ -0,0 +1,39 @@
+title: Suspicious Kerberos Ticket Request via CLI
+id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
+related:
+ - id: a861d835-af37-4930-bcd6-5b178bfb54df
+ type: similar
+status: experimental
+description: |
+ Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.
+ Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to
+ perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse
+ techniques like silver ticket attacks.
+references:
+ - https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
+ - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
+ - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
+author: Swachchhanda Shrawan Poudel (Nextron Systems)
+date: 2025-11-18
+tags:
+ - attack.credential-access
+ - attack.t1558.003
+logsource:
+ category: process_creation
+ product: windows
+detection:
+ selection_img:
+ - Image|endswith:
+ - '\powershell.exe'
+ - '\pwsh.exe'
+ - OriginalFileName:
+ - 'powershell.exe'
+ - 'pwsh.dll'
+ selection_cli:
+ CommandLine|contains|all:
+ - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
+ - '.GetRequest()'
+ condition: all of selection_*
+falsepositives:
+ - Legitimate command line usage by administrators or security tools.
+level: high
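Review bot: `selection_cli` only fires when both literals are present in clear text on the process command line, so the same invocation delivered through `-EncodedCommand` or from a script file on disk yields no match from this rule; that coverage presumably belongs to the related ScriptBlock rule a861d835-af37-4930-bcd6-5b178bfb54df, yet neither the description nor the `related` entry tells a reader which rule owns which case. Suggest one sentence in the description, such as `Only clear-text command lines are matched; encoded or script-file based invocations are covered by the related Script Block Logging rule.`, so that someone deploying only one of the pair understands the gap. The `falsepositives` entry could likewise name the kind of security tooling expected to construct this class, since "security tools" alone gives a triager nothing to match against.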