PowerShell Kerberos Ticket Dump
Detects PowerShell script block content that references LSA Kerberos ticket retrieval APIs and Kerb* message types. Attackers dump Kerberos tickets from memory to reuse credentials and move laterally.
Elastic rule
[metadata]
creation_date = "2023/07/26"
integration = ["windows"]
maturity = "production"
updated_date = "2026/01/26"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell script block content that references LSA Kerberos ticket retrieval APIs and Kerb* message types.
Attackers dump Kerberos tickets from memory to reuse credentials and move laterally.
"""
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.powershell*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Kerberos Ticket Dump"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating PowerShell Kerberos Ticket Dump

This alert identifies PowerShell script block content referencing the LSA Kerberos authentication package API `LsaCallAuthenticationPackage` along with Kerberos ticket cache query and ticket retrieval message types. This pattern is consistent with tooling that enumerates, extracts, or manipulates Kerberos tickets from memory, which can enable credential reuse and lateral movement.

#### Key alert fields to review

- `user.name`, `user.domain`, `user.id`: Account execution context for correlation, prioritization, and scoping.
- `host.name`, `host.id`: Host execution context for correlation, prioritization, and scoping.
- `powershell.file.script_block_text`: Script block content that matched the detection logic.
- `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`: Script block metadata to pivot to other fragments or reconstruct full script content when split across multiple events.
- `file.path`, `file.directory`, `file.name`: File-origin context when the script block is sourced from an on-disk file.
- `powershell.file.script_block_length`: Script block length (size) context.

#### Possible investigation steps

- Reconstruct and preserve the full script content:
  - Use `powershell.file.script_block_id` to gather all related fragments and order them by `powershell.sequence` up to `powershell.total`.
  - Preserve the reconstructed content from `powershell.file.script_block_text` for case notes and to support environment-wide scoping.
  - Use `powershell.file.script_block_length` to understand whether the content is a full implementation, a loader/stager, or a small inline snippet that may be part of a larger sequence of script blocks.

- Identify the specific Kerberos capability referenced:
  - Review `powershell.file.script_block_text` and note which message types are present. Use this to prioritize severity and intent:
    - Cache enumeration indicators: `KerbQueryTicketCacheMessage`, `KerbQueryTicketCacheExMessage`, `KerbQueryTicketCacheEx2Message`
    - Ticket retrieval/export indicators: `KerbRetrieveTicketMessage`, `KerbRetrieveEncodedTicketMessage`
    - Ticket-related decryption indicators: `KerbDecryptDataMessage`
  - Determine whether the script only defines interop types/functions or includes invocation logic that executes ticket operations and processes results.
  - Look for signs that output is being prepared for reuse or transfer (e.g., structured serialization, encoding, or explicit output handling). If `file.path` is populated, assess whether the script is associated with a specific on-disk source.

- Validate execution context and plausibility:
  - Review `@timestamp`, `host.name`/`host.id`, and `user.name`/`user.domain`/`user.id` to confirm where and under which identity the activity occurred.
  - Assess whether the user and host context align with expected administrative or troubleshooting activity in your environment. Unexpected use by standard users, or on endpoints where administrative scripting is uncommon, should be treated as higher risk.
  - If `file.path`/`file.name` (and `file.directory`, if present) indicate an on-disk origin, evaluate whether the location is consistent with approved scripts. Treat user-writable and temporary locations as higher risk, especially when combined with ticket retrieval/decryption indicators.

- Scope for additional PowerShell activity on the same host and user:
  - Pivot on `host.id` and `user.id` to review other script block activity near `@timestamp` to identify precursors (staging, discovery) and follow-on actions (additional credential access attempts, lateral movement preparation).
  - Check for repeated execution patterns: multiple script blocks with similar content, repeated `powershell.file.script_block_id` occurrences, or the same `file.name` appearing multiple times in a short window.

- Assess prevalence across the environment:
  - Search for the same or highly similar `powershell.file.script_block_text` content (or distinctive substrings) across hosts to determine whether this is isolated or widespread.
  - If `file.name` is present, look for the same script name used across multiple hosts. Consistent, predictable use may indicate managed tooling; sporadic or single-host use may indicate targeted activity.

- Correlate with adjacent telemetry (when available):
  - Process telemetry: identify the PowerShell execution instance that produced the script block and determine the initiating process to establish whether execution was interactive, scheduled, or launched by another application.
  - File telemetry: review for newly created or modified artifacts near `@timestamp` that could store extracted ticket material or related output.
  - Network and authentication telemetry: review subsequent outbound activity and authentication attempts associated with the same host and/or user to identify potential ticket reuse and rapid lateral movement following the script execution.

### False positive analysis

- Some legitimate Kerberos troubleshooting and diagnostics workflows can reference LSA Kerberos APIs to query ticket cache state. Validate whether the script source (`file.path`/`file.name`), execution context (`user.id`, `host.id`), and timing align with an approved operational process.
- Administrative automation or security tooling may include Kerberos interop code for visibility or health checks. Benign usage is typically repeatable (consistent script content, consistent script origin, predictable execution patterns) and tied to known administrative accounts.
- Prioritize deeper investigation when the activity is one-off, appears only on a single host, is executed by unexpected users, or includes retrieval/decryption indicators rather than simple cache query logic.

### Response and remediation

- If the activity is unexpected or cannot be validated as authorized:
  - Isolate the affected host to reduce the risk of credential theft and lateral movement.
  - Preserve evidence for scoping: retain the reconstructed `powershell.file.script_block_text`, `powershell.file.script_block_id`, host identifiers, user identifiers, and any on-disk script context (`file.path`, `file.name`).
  - Treat as a potential credential access incident and initiate environment-wide scoping for similar script content and related activity from the same user and host.

- If Kerberos ticket theft or export is confirmed:
  - Remove the script source (as identified by `file.path`/`file.name`) and any related artifacts identified during triage.
  - Reset or rotate credentials for impacted accounts and review privileged access paths associated with the affected host and user.
  - Investigate for lateral movement following `@timestamp`, identify affected systems, and remediate access pathways used.

- Post-incident hardening:
  - Ensure PowerShell script block logging coverage and retention support reconstruction and historical scoping.
  - Review administrative scripting controls and monitoring for unauthorized use of authentication-package APIs in PowerShell, and align execution permissions with least-privilege practices.
"""
references = ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"]
risk_score = 73
rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56"
setup = """## Setup

PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
Setup instructions: https://ela.st/powershell-logging-setup
"""
severity = "high"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Data Source: PowerShell Logs",
  "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "LsaCallAuthenticationPackage" and
    (
      "KerbRetrieveEncodedTicketMessage" or
      "KerbQueryTicketCacheMessage" or
      "KerbQueryTicketCacheExMessage" or
      "KerbQueryTicketCacheEx2Message" or
      "KerbRetrieveTicketMessage" or
      "KerbDecryptDataMessage"
    )
  )
'''

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"

[rule.investigation_fields]
field_names = [
  "@timestamp",
  "user.name",
  "user.id",
  "user.domain",
  "powershell.file.script_block_text",
  "powershell.file.script_block_id",
  "powershell.sequence",
  "powershell.total",
  "file.path",
  "file.directory",
  "file.name",
  "process.pid",
  "host.name",
  "host.id",
  "powershell.file.script_block_length"
]
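The following is an added example, not the Elastic rule's own code or anything from the referenced repository: it reconstructs fragmented 4104 script blocks by `powershell.file.script_block_id` and `powershell.sequence` (the guide's first triage step), applies the rule's term logic (the API term plus at least one Kerb* message type), and ranks hits by the guide's indicator categories. The event dictionaries and their text are constructed sample data, and the substring check is an approximation of KQL token matching.

```python
# Added example (not the Elastic rule's own code): reconstruct 4104 fragments
# and apply the rule's term logic. Event keys mirror the rule's ECS fields.
from collections import defaultdict

REQUIRED_API = "lsacallauthenticationpackage"
# Message type -> indicator category from the investigation guide.
KERB_MESSAGES = {
    "kerbqueryticketcachemessage": "cache-enumeration",
    "kerbqueryticketcacheexmessage": "cache-enumeration",
    "kerbqueryticketcacheex2message": "cache-enumeration",
    "kerbretrieveticketmessage": "ticket-retrieval",
    "kerbretrieveencodedticketmessage": "ticket-retrieval",
    "kerbdecryptdatamessage": "ticket-decryption",
}
SEVERITY = {"cache-enumeration": 1, "ticket-retrieval": 2, "ticket-decryption": 3}

def evaluate(script_text):
    """Rule logic: the API term AND at least one Kerb* message type. KQL matches
    analysed tokens case-insensitively; a lowercased substring check approximates that."""
    text = script_text.lower()
    if REQUIRED_API not in text:
        return set()
    return {cat for msg, cat in KERB_MESSAGES.items() if msg in text}

def reconstruct(events):
    """Join fragments sharing script_block_id in powershell.sequence order."""
    by_id = defaultdict(dict)
    for ev in events:
        by_id[ev["script_block_id"]][ev["sequence"]] = ev
    out = {}
    for sbid, parts in by_id.items():
        total = next(iter(parts.values()))["total"]
        text = "".join(parts[i]["text"] for i in sorted(parts))
        out[sbid] = {"text": text, "complete": len(parts) == total}
    return out

def triage(events):
    """Evaluate each event as the rule does, then the reconstructed script,
    ranking each hit by the strongest indicator category present."""
    per_event = [bool(evaluate(ev["text"])) for ev in events]
    findings = []
    for sbid, s in reconstruct(events).items():
        cats = evaluate(s["text"])
        if cats:
            findings.append((sbid, max(cats, key=SEVERITY.get), s["complete"]))
    return per_event, findings

# Constructed fragments: the API call and the message type land in different events,
# so only the reconstructed script carries both terms.
SAMPLE_EVENTS = [
    {"script_block_id": "a1", "sequence": 1, "total": 2,
     "text": "$r = [LSA]::LsaCallAuthenticationPackage($lsa, $pkgId, $req, $reqLen)"},
    {"script_block_id": "a1", "sequence": 2, "total": 2,
     "text": "$req.MessageType = 'KerbRetrieveEncodedTicketMessage'"},
]
```

Per-event evaluation of the two sample fragments returns no match, while the reconstructed block matches with the ticket-retrieval category, which is why the guide asks for reconstruction before judging the script's capability.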
Related rules
- Potential Invoke-Mimikatz PowerShell Script
- PowerShell Invoke-NinjaCopy script
- Potential PowerShell Pass-the-Hash/Relay Script
- PowerShell Kerberos Ticket Request
- PowerShell MiniDump Script