PowerShell Kerberos Ticket Dump

Detects PowerShell script block content that references LSA Kerberos authentication-package access patterns, including explicit Kerberos ticket message types or dynamic Kerberos package lookup. These patterns are consistent with tooling that enumerates, retrieves, or exports Kerberos tickets from memory for credential reuse or lateral movement.

Elastic rule

[metadata]
creation_date = "2023/07/26"
integration = ["windows"]
maturity = "production"
updated_date = "2026/04/27"

[rule]
author = ["Elastic"]
description = """
Detects PowerShell script block content that references LSA Kerberos authentication-package access patterns, including
explicit Kerberos ticket message types or dynamic Kerberos package lookup. These patterns are consistent with tooling
that enumerates, retrieves, or exports Kerberos tickets from memory for credential reuse or lateral movement.
"""
from = "now-9m"
index = ["logs-windows.powershell*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "PowerShell Kerberos Ticket Dump"
references = ["https://github.com/MzHmO/PowershellKerberos/blob/main/dumper.ps1"]
risk_score = 73
rule_id = "fddff193-48a3-484d-8d35-90bb3d323a56"
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Data Source: PowerShell Logs",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "LsaCallAuthenticationPackage" and
    (
      "KerbRetrieveEncodedTicketMessage" or
      "KerbQueryTicketCacheMessage" or
      "KerbQueryTicketCacheExMessage" or
      "KerbQueryTicketCacheEx2Message" or
      "KerbRetrieveTicketMessage" or
      "KerbDecryptDataMessage" or
      ("LsaLookupAuthenticationPackage" and "kerberos" and "KERB_RETRIEVE_TKT_REQUEST")
    )
  )
'''

note = """## Triage and analysis

### Investigating PowerShell Kerberos Ticket Dump

#### Possible investigation steps

- What does the reconstructed script block attempt to do with Kerberos tickets?
  - Why: PowerShell Script Block Logging can split one script across events; interpretation before reconstruction can miss export, helper, or cleanup logic.
  - Focus: recover fragments on the same `host.id` with `powershell.file.script_block_id`, order by `powershell.sequence` of `powershell.total`, then read reconstructed `powershell.file.script_block_text`. $investigate_2
  - Implication: escalate when the full script retrieves, decrypts, serializes, or outputs tickets through explicit Kerberos message types, dynamic Kerberos package lookup, "LsaCallAuthenticationPackage", "ExtractTicket", or "Ticketb64"; lower concern only when reconstruction stays query-only, fits a recognized diagnostic or declared test, and shows no export or follow-on logic.

- Does the reconstructed script try to gain SYSTEM or enumerate other logon sessions?
  - Focus: reconstructed `powershell.file.script_block_text`, checking for "Invoke-AsSystem", token duplication or impersonation calls, LSA registration/connect calls, "LsaEnumerateLogonSessions", and "GetLogonSessionData".
  - Implication: escalate when the script attempts SYSTEM impersonation, LSA registration, or multi-session enumeration because ticket access may extend beyond the alerting user; current-session cache queries remain suspicious but carry less scope impact when no retrieval/export evidence appears.

- Can endpoint process telemetry explain how this PowerShell instance was launched?
  - Focus: recover the matching process via `host.id` and `process.pid` before interpreting lineage; review `process.entity_id`, `process.command_line`, `process.parent.command_line`, `process.Ext.token.integrity_level_name`, and `process.Ext.authentication_id`. $investigate_3
  - Hint: If no process start event is found, expand the window because PowerShell can predate the script block; if still absent, keep launch, process-scoped file review, and auth-bridge context unresolved.
  - Implication: escalate when the recovered launch shows encoded commands, remote-admin launchers, Office or browser parents, unexpected elevation, or SYSTEM-adjacent execution; missing endpoint process telemetry leaves launch chain, process-scoped file review, and auth-bridge context unresolved, not benign.

- Do the script source or output artifacts show ticket material was staged or exported?
  - Focus: source `file.path` and `file.name`, plus file activity for `host.id`, `process.pid`, and recovered `process.entity_id` when available. Look for ".kirbi", ticket text output, archives, temp/user-writable paths, or cleanup. $investigate_4
  - Implication: escalate when file evidence confirms exported tickets, archives, staging, or cleanup; if source path is absent or file telemetry is missing but reconstruction emits "Ticketb64" or ticket objects, treat the case as unresolved high concern rather than benign.

- Do authentication events explain the PowerShell session or show follow-on credential use?
  - Focus: same-host/user Windows Security events for `event.code` 4624, 4625, or 4648; review `source.ip`, `winlog.event_data.AuthenticationPackageName`, and `winlog.logon.type` where present. $investigate_5
  - Hint: After process recovery, search backward from the recovered process `@timestamp`, bridge `process.Ext.authentication_id` to `winlog.event_data.TargetLogonId`, and search 4648 on `winlog.event_data.SubjectLogonId` for explicit-credential targets.
  - Implication: escalate when session origin, authentication package, logon type, explicit-credential target, or later remote or privileged logons conflict with the expected diagnostic or test workflow. Missing authentication telemetry is unresolved, not benign.

- If local evidence remains suspicious or incomplete, do related alerts widen user or host scope?
  - Focus: related alerts for `user.id` showing credential access, execution, or lateral movement. $investigate_0
  - Hint: compare `host.id` alerts only after local script, launch, artifact, and authentication review. $investigate_1
  - Implication: broaden containment and hunting when either view shows connected credential access, delivery, persistence, or lateral movement; quiet related alerts keep scope local only when the local evidence also supports a recognized workflow.

- Escalate when script, SYSTEM or multi-session behavior, launch, artifacts, authentication, or related alerts show unauthorized ticket retrieval or follow-on credential use; close only when reconstruction and recovery bind one exact benign diagnostic, red-team, or lab workflow and outside confirmation covers gaps; preserve and escalate when evidence is mixed, incomplete, or dependent telemetry is missing.

### False positive analysis

- Kerberos diagnostics, identity troubleshooting, red-team, or lab validation can trigger this rule when reconstruction is query-oriented or scoped to an authorized test. Confirm no unexplained SYSTEM impersonation, multi-session enumeration, "Ticketb64" output, export paths, or cleanup; `user.id`, `host.id`, and any `file.path` or `file.name` align with the declared workflow; launch and authentication recovery do not contradict it. Record first-time verified-benign activity, but wait for stable recurrence before exceptioning.
- Ticket retrieval, decryption, or base64 ticket output is an operational anti-pattern outside confirmed testing. Do not close on a Kerberos troubleshooting claim when reconstruction or follow-on evidence shows export, reuse, or unexplained privilege/session expansion.
- Build exceptions from the minimum confirmed pattern: `user.id`, `host.id`, stable `file.path` or `file.name`, declared test or diagnostic scope, and recovered launch context when available. Avoid exceptions on Kerberos API strings, `user.name`, `host.name`, or `host.id` alone.

### Response and remediation

- If confirmed benign, reverse any temporary containment and document the exact workflow evidence: reconstructed `powershell.file.script_block_text`, fragment identifiers, `user.id`, `host.id`, source `file.path` or `file.name`, recovered launch context when available, and bounded authentication evidence. Create an exception only after the same pattern recurs without contradictory export or reuse evidence.
- If suspicious but unconfirmed, preserve the reconstructed script, `powershell.file.script_block_id`, `powershell.sequence`, `powershell.total`, SYSTEM or multi-session indicators, source and output artifacts, recovered launch details when available, and authentication evidence such as `winlog.event_data.TargetLogonId` and `source.ip`. Apply reversible containment first, such as heightened monitoring or temporary account/session restrictions, and isolate the host only if ticket export, reuse, or privileged session creation appears.
- If confirmed malicious, preserve the artifact set before destructive actions, then isolate the host with endpoint response or escalate to the team that can contain it. Contain affected accounts after recording evidence for the identities and sessions involved.
- If ticket retrieval or reuse is confirmed, purge tickets on affected hosts, reset impacted credentials, and prioritize privileged, service, and delegation-capable accounts. Consider domain-wide Kerberos actions only with identity-team approval and evidence of broader TGT or KRBTGT exposure.
- Eradicate only the unauthorized scripts, exported tickets, archives, persistence mechanisms, and delivery artifacts identified during the investigation, then remediate the entry path.
- After containment, hunt for the same reconstructed script fragments, "Ticketb64" output patterns, related file artifacts, and post-alert authentication patterns across other hosts.
"""

setup = """## Setup

PowerShell Script Block Logging must be enabled to generate the events used by this rule (e.g., 4104).
Setup instructions: https://ela.st/powershell-logging-setup
"""

[rule.investigation_fields]
field_names = [
    "@timestamp",
    "user.name",
    "user.id",
    "user.domain",
    "powershell.file.script_block_text",
    "powershell.file.script_block_id",
    "powershell.sequence",
    "powershell.total",
    "file.path",
    "file.directory",
    "file.name",
    "process.pid",
    "host.name",
    "host.id",
    "powershell.file.script_block_length"
]

[transform]

[[transform.investigate]]
label = "Alerts associated with the user"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Alerts associated with the host"
description = ""
providers = [
  [
    { excluded = false, field = "event.kind", queryType = "phrase", value = "signal", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-48h/h"
relativeTo = "now"

[[transform.investigate]]
label = "Script block fragments for the same script"
description = ""
providers = [
  [
    { excluded = false, field = "powershell.file.script_block_id", queryType = "phrase", value = "{{powershell.file.script_block_id}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Process events for the PowerShell instance"
description = ""
providers = [
  [
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "process", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "File events for the PowerShell process"
description = ""
providers = [
  [
    { excluded = false, field = "process.pid", queryType = "phrase", value = "{{process.pid}}", valueType = "string" },
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "event.category", queryType = "phrase", value = "file", valueType = "string" }
  ]
]
relativeFrom = "now-1h"
relativeTo = "now"

[[transform.investigate]]
label = "Windows Security authentication events for the user"
description = ""
providers = [
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4624", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4625", valueType = "string" }
  ],
  [
    { excluded = false, field = "host.id", queryType = "phrase", value = "{{host.id}}", valueType = "string" },
    { excluded = false, field = "user.id", queryType = "phrase", value = "{{user.id}}", valueType = "string" },
    { excluded = false, field = "event.code", queryType = "phrase", value = "4648", valueType = "string" }
  ]
]
relativeFrom = "now-24h"
relativeTo = "now"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique.subtechnique]]
id = "T1003.001"
name = "LSASS Memory"
reference = "https://attack.mitre.org/techniques/T1003/001/"

[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1059"
name = "Command and Scripting Interpreter"
reference = "https://attack.mitre.org/techniques/T1059/"

[[rule.threat.technique.subtechnique]]
id = "T1059.001"
name = "PowerShell"
reference = "https://attack.mitre.org/techniques/T1059/001/"

[[rule.threat.technique]]
id = "T1106"
name = "Native API"
reference = "https://attack.mitre.org/techniques/T1106/"

[rule.threat.tactic]
id = "TA0002"
name = "Execution"
reference = "https://attack.mitre.org/tactics/TA0002/"
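The rule's query evaluates one 4104 event at a time, while the first investigation step asks the analyst to reassemble fragments by `host.id` and `powershell.file.script_block_id` in `powershell.sequence` order before judging the script. The following added example (not Elastic's code) does both over constructed sample events: it reconstructs each block, flags incomplete fragment sets, and applies the query's boolean structure to each fragment and to the reconstructed text, showing how a script whose terms are spread across fragments can evade the per-event match yet light up once reassembled. The case-insensitive substring checks approximate KQL matching on an analyzed text field; the event shapes and sample script lines are assumptions for illustration.

```python
"""Reconstruct PowerShell 4104 script-block fragments and apply the rule's
string logic to fragments and to the reassembled block.

Added example, not Elastic's code. Events below are constructed samples.
"""
from collections import defaultdict

# Terms taken verbatim from the rule query. KQL matching on an analyzed text
# field is case-insensitive, which the lower-cased substring checks approximate.
KERB_MESSAGE_TYPES = (
    "KerbRetrieveEncodedTicketMessage", "KerbQueryTicketCacheMessage",
    "KerbQueryTicketCacheExMessage", "KerbQueryTicketCacheEx2Message",
    "KerbRetrieveTicketMessage", "KerbDecryptDataMessage",
)
DYNAMIC_LOOKUP = ("LsaLookupAuthenticationPackage", "kerberos", "KERB_RETRIEVE_TKT_REQUEST")


def rule_matches(script_text):
    """Mirror the query: LsaCallAuthenticationPackage AND (message type OR dynamic lookup)."""
    t = script_text.lower()
    has_call = "lsacallauthenticationpackage" in t
    explicit = any(m.lower() in t for m in KERB_MESSAGE_TYPES)
    dynamic = all(term.lower() in t for term in DYNAMIC_LOOKUP)
    return has_call and (explicit or dynamic)


def reconstruct(events):
    """Group fragments by (host.id, script_block_id), order by powershell.sequence,
    and flag blocks whose fragments do not cover 1..powershell.total."""
    groups = defaultdict(list)
    for ev in events:
        groups[(ev["host.id"], ev["powershell.file.script_block_id"])].append(ev)
    blocks = {}
    for key, frags in groups.items():
        frags.sort(key=lambda e: e["powershell.sequence"])
        seqs = [f["powershell.sequence"] for f in frags]
        blocks[key] = {
            "text": "".join(f["powershell.file.script_block_text"] for f in frags),
            "complete": seqs == list(range(1, frags[0]["powershell.total"] + 1)),
            # Per-event view: how many fragments the query would have matched alone.
            "fragment_hits": sum(rule_matches(f["powershell.file.script_block_text"]) for f in frags),
        }
    return blocks


def evaluate(events):
    """Return {block_key: (complete, reconstructed_text_matches, fragment_hits)}."""
    return {k: (b["complete"], rule_matches(b["text"]), b["fragment_hits"])
            for k, b in reconstruct(events).items()}


def _ev(host, block_id, seq, total, text):
    """Build a minimal 4104-style event (constructed shape, not real telemetry)."""
    return {"host.id": host, "powershell.file.script_block_id": block_id,
            "powershell.sequence": seq, "powershell.total": total,
            "powershell.file.script_block_text": text}


# Constructed samples: blk-A spreads the rule's terms over three fragments
# (arriving out of order), blk-B is a benign klist diagnostic, and blk-C is a
# partial capture whose second fragment never arrived.
SAMPLE_EVENTS = [
    _ev("host-1", "blk-A", 3, 3, "$st = [Win32.Lsa]::LsaCallAuthenticationPackage($h, $id, $req, [ref]$out)\n"),
    _ev("host-1", "blk-A", 1, 3, "Add-Type -MemberDefinition $sig -Name Lsa -Namespace Win32\n"),
    _ev("host-1", "blk-A", 2, 3, "$req.MessageType = 'KerbRetrieveEncodedTicketMessage'\n"),
    _ev("host-1", "blk-B", 1, 1, "klist tickets | Select-String 'Server:'\n"),
    _ev("host-2", "blk-C", 1, 2, "$pkg = 'kerberos'; LsaLookupAuthenticationPackage($h, $pkg, [ref]$id)\n"),
]

if __name__ == "__main__":
    for key, (complete, hit, frag_hits) in evaluate(SAMPLE_EVENTS).items():
        state = "complete" if complete else "INCOMPLETE"
        print(key, state, "match" if hit else "no match", f"fragments_matching_alone={frag_hits}")
```

In the sample, blk-A matches only after reassembly (no single fragment trips the query), and blk-C is reported incomplete so its missing fragment is not mistaken for an absent export step.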
