Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock

calendar Nov 23, 2025 · attack.credential-access attack.t1558.003  ·
Share on: linkedin copy

Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets. This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.

Sigma rule (View on GitHub)

 1title: Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
 2id: a861d835-af37-4930-bcd6-5b178bfb54df
 3related:
 4    - id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
 5      type: similar
 6status: test
 7description: |
 8    Detects PowerShell scripts that utilize native PowerShell Identity modules to request Kerberos tickets.
 9    This behavior is typically seen during a Kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.    
10references:
11    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
12    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
13author: frack113
14date: 2021-12-28
15modified: 2025-11-18
16tags:
17    - attack.credential-access
18    - attack.t1558.003
19logsource:
20    product: windows
21    category: ps_script
22    definition: 'Requirements: Script Block Logging must be enabled'
23detection:
24    selection:
25        ScriptBlockText|contains|all:
26            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
27            - '.GetRequest()'
28    condition: selection
29falsepositives:
30    - Unknown
31level: high

References

Related rules

to-top