PowerShell Kerberos Ticket Dump
Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an attacker's attempt to acquire credentials for lateral movement.
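# Rule metadata: creation/update dates, the integration the rule depends on,
# and the minimum stack version (min_stack_comments records why it was raised).
[metadata]
creation_date = "2023/07/26"
integration = ["windows"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/10/23"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell scripts that have the capability of dumping Kerberos tickets from LSA, which potentially indicates an
attacker's attempt to acquire credentials for lateral movement.
"""
# Search window for each run; timestamp_override below keys it to ingest time
# rather than the event's own timestamp.
from = "now-9m"
index = ["winlogbeat-*", "logs-windows.*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Kerberos Ticket Dump"
references = [
  "https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1",
]
# 47 is the score Elastic pairs with severity "medium".
risk_score = 47
rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56"
# The query below reads powershell.file.script_block_text, which is only
# populated when Script Block Logging is enabled; without it the rule is silent.
# Backslashes in the registry path are doubled because this is a basic (""")
# string, where a bare "\S" is not a valid escape.
setup = """

The 'PowerShell Script Block Logging' logging policy must be enabled.
Steps to implement the logging policy with Advanced Audit Configuration:
Computer Configuration > Administrative Templates > Windows PowerShell > Turn on PowerShell Script Block Logging (Enable)

Steps to implement the logging policy via registry:
reg add "hklm\\SOFTWARE\\Policies\\Microsoft\\Windows\\PowerShell\\ScriptBlockLogging" /v EnableScriptBlockLogging /t REG_DWORD /d 1
"""
severity = "medium"
tags = [
  "Domain: Endpoint",
  "OS: Windows",
  "Use Case: Threat Detection",
  "Tactic: Credential Access",
  "Data Source: PowerShell Logs",
]
timestamp_override = "event.ingested"
type = "query"

# Literal string match on logged PowerShell script blocks: flags scripts that
# reference LsaCallAuthenticationPackage together with one of the Kerberos
# package message types used to enumerate, retrieve, or decrypt tickets held
# by LSA. Coverage depends on the logged text containing these names verbatim;
# the related Invoke-Mimikatz and MiniDump rules cover adjacent tradecraft.
query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "LsaCallAuthenticationPackage" and
    (
      "KerbRetrieveEncodedTicketMessage" or
      "KerbQueryTicketCacheMessage" or
      "KerbQueryTicketCacheExMessage" or
      "KerbQueryTicketCacheEx2Message" or
      "KerbRetrieveTicketMessage" or
      "KerbDecryptDataMessage"
    )
  )
'''

# Primary mapping: credential access by reading Kerberos tickets out of LSA.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

# Secondary mapping: the execution vehicle is PowerShell.
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"
[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"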
Related rules
- Potential Invoke-Mimikatz PowerShell Script
- PowerShell Kerberos Ticket Request
- PowerShell MiniDump Script
- PowerShell Invoke-NinjaCopy script
- Access to a Sensitive LDAP Attribute