Request A Single Ticket via PowerShell
utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer. This behavior is typically used during a kerberos or silver ticket attack. A successful execution will output the SPNs for the endpoint in question.
Sigma rule (View on GitHub)
1title: Request A Single Ticket via PowerShell
2id: a861d835-af37-4930-bcd6-5b178bfb54df
3status: test
4description: |
5 utilize native PowerShell Identity modules to query the domain to extract the Service Principal Names for a single computer.
6 This behavior is typically used during a kerberos or silver ticket attack.
7 A successful execution will output the SPNs for the endpoint in question.
8references:
9 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
10author: frack113
11date: 2021-12-28
12tags:
13 - attack.credential-access
14 - attack.t1558.003
15logsource:
16 product: windows
17 category: ps_script
18 definition: 'Requirements: Script Block Logging must be enabled'
19detection:
20 selection:
21 ScriptBlockText|contains: System.IdentityModel.Tokens.KerberosRequestorSecurityToken
22 condition: selection
23falsepositives:
24 - Unknown
25level: high
References
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More
Related rules
- HackTool - KrbRelay Execution
- HackTool - KrbRelayUp Execution
- HackTool - RemoteKrbRelay Execution
- HackTool - Rubeus Execution
- HackTool - Rubeus Execution - ScriptBlock