Suspicious Kerberos Ticket Request via CLI
Detects suspicious Kerberos ticket requests made from the command line using the System.IdentityModel.Tokens.KerberosRequestorSecurityToken class. Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to perform offline password cracking attacks, commonly known as Kerberoasting, or other Kerberos ticket abuse techniques such as silver ticket attacks.
Sigma rule
title: Suspicious Kerberos Ticket Request via CLI
id: caa9a802-8bd8-4b9e-a5cd-4d6221670219
related:
    - id: a861d835-af37-4930-bcd6-5b178bfb54df
      type: similar
status: experimental
description: |
    Detects suspicious Kerberos ticket requests via command line using System.IdentityModel.Tokens.KerberosRequestorSecurityToken class.
    Threat actors may use command line interfaces to request Kerberos tickets for service accounts in order to
    perform offline password cracking attacks commonly known as Kerberoasting or other Kerberos ticket abuse
    techniques like silver ticket attacks.
references:
    - https://www.huntress.com/blog/gootloader-threat-detection-woff2-obfuscation
    - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1558.003/T1558.003.md#atomic-test-4---request-a-single-ticket-via-powershell
    - https://learn.microsoft.com/en-us/dotnet/api/system.identitymodel.tokens.kerberosrequestorsecuritytoken?view=netframework-4.8.1
author: Swachchhanda Shrawan Poudel (Nextron Systems)
date: 2025-11-18
tags:
    - attack.credential-access
    - attack.t1558.003
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        - Image|endswith:
              - '\powershell.exe'
              - '\pwsh.exe'
        - OriginalFileName:
              - 'powershell.exe'
              - 'pwsh.dll'
    selection_cli:
        CommandLine|contains|all:
            - 'System.IdentityModel.Tokens.KerberosRequestorSecurityToken'
            - '.GetRequest()'
    condition: all of selection_*
falsepositives:
    - Legitimate command line usage by administrators or security tools.
level: high
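To see what the rule's two selections actually accept and reject, here is an added example (not part of the rule page and not SigmaHQ's own tooling) that re-implements just this rule's matching in Python and runs it over a handful of constructed process_creation events. The field names (Image, OriginalFileName, CommandLine) are the ones the rule uses; the paths, SPNs and command lines in the sample events are made up for the test. The example follows Sigma's default semantics: string comparisons are case-insensitive, the two maps listed under selection_img are OR-ed, the two values under contains|all are AND-ed, and the condition requires both selections.

```python
"""Minimal evaluator for the 'Suspicious Kerberos Ticket Request via CLI' Sigma rule.

Added example: only the modifiers this rule needs are implemented
(endswith, exact match, contains|all). Not a general Sigma engine.
"""
from typing import Iterable, List


def _lc(value) -> str:
    """Sigma string matching is case-insensitive by default; normalise once."""
    return value.lower() if isinstance(value, str) else ""


def selection_img(event: dict) -> bool:
    """selection_img is a list of two maps, so either map matching is enough (OR)."""
    image = _lc(event.get("Image"))
    original = _lc(event.get("OriginalFileName"))
    by_image = image.endswith(("\\powershell.exe", "\\pwsh.exe"))   # Image|endswith
    by_original = original in ("powershell.exe", "pwsh.dll")       # OriginalFileName
    return by_image or by_original


def selection_cli(event: dict) -> bool:
    """CommandLine|contains|all: every listed substring must be present (AND)."""
    cmdline = _lc(event.get("CommandLine"))
    needles = (
        "system.identitymodel.tokens.kerberosrequestorsecuritytoken",
        ".getrequest()",
    )
    return all(n in cmdline for n in needles)


def rule_matches(event: dict) -> bool:
    """condition: all of selection_*  ->  both selections must hold."""
    return selection_img(event) and selection_cli(event)


def matching_indexes(events: Iterable[dict]) -> List[int]:
    """Return the positions of the events the rule would alert on."""
    return [i for i, ev in enumerate(events) if rule_matches(ev)]


# Constructed sample telemetry (made up for this example, not real events).
# The command text mirrors what the referenced atomic test types at the prompt.
TICKET_REQUEST = (
    "New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken "
    "-ArgumentList 'MSSQLSvc/sql01.corp.example' | ForEach-Object { $_.GetRequest() }"
)

SAMPLE_EVENTS = [
    {   # 0: Windows PowerShell host, class + .GetRequest() on the command line -> alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -NoP -C "' + TICKET_REQUEST + '"',
    },
    {   # 1: PowerShell 7 host (pwsh.exe / pwsh.dll) -> alert
        "Image": r"C:\Program Files\PowerShell\7\pwsh.exe",
        "OriginalFileName": "pwsh.dll",
        "CommandLine": 'pwsh -c "' + TICKET_REQUEST + '"',
    },
    {   # 2: same activity inside a script file: the command line shows only the path,
        #    so a process_creation rule cannot see it (ScriptBlock logging is needed)
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Users\jdoe\req.ps1",
    },
    {   # 3: class name present but no .GetRequest() -> contains|all fails, no alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -c "[System.IdentityModel.Tokens.KerberosRequestorSecurityToken].Assembly"',
    },
    {   # 4: mixed case everywhere -> still an alert, matching is case-insensitive
        "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\POWERSHELL.EXE",
        "OriginalFileName": "powershell.exe",
        "CommandLine": 'POWERSHELL.EXE -C "new-object system.identitymodel.tokens.'
                       'kerberosrequestorsecuritytoken \'HTTP/srv\' | % { $_.GETREQUEST() }"',
    },
    {   # 5: ordinary admin usage -> no alert
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "OriginalFileName": "PowerShell.EXE",
        "CommandLine": 'powershell.exe -c "Get-Service | Where-Object Status -eq Running"',
    },
]

if __name__ == "__main__":
    for i in matching_indexes(SAMPLE_EVENTS):
        print(f"ALERT event {i}: {SAMPLE_EVENTS[i]['CommandLine']}")
```

Events 0, 1 and 4 fire; 2, 3 and 5 do not. Event 2 is the one worth noticing when tuning: the same .NET call placed in a .ps1 file never reaches the command line, which is why the ScriptBlock variant listed under related rules exists alongside this process_creation rule, and why the two should be deployed together. Event 3 shows that requiring both substrings keeps mere references to the type (for example in tooling that inspects assemblies) out of the alert stream.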
Related rules
- Suspicious Kerberos Ticket Request via PowerShell Script - ScriptBlock
- Potential CVE-2021-42287 Exploitation Attempt
- Kerberoasting Activity - Initial Query
- HackTool - KrbRelayUp Execution
- HackTool - Rubeus Execution