T1558: Steal or Forge Kerberos Tickets
Essential information
- MITRE technique ID: T1558
- Confidence: 100/100
- Revoked: No
- Published: 11/02/2020 20:12
- Modified: 27/03/2026 01:09
- Author / Source: The MITRE Corporation
Aliases
T1558
Platforms
windows macos linux
Description
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Microsoft Klist
- CERT-EU Golden Ticket Protection
- AdSecurity Cracking Kerberos Dec 2015
- Stealthbits Detect PtT 2019
- Medium Detecting Attempts to Steal Passwords from Memory
- ADSecurity Detecting Forged Tickets
- mitre-attack (T1558)
- Microsoft Detecting Kerberoasting Feb 2018
- Microsoft Kerberos Golden Ticket
- ADSecurity Kerberos Ring Decoder
Related entities
Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.
Intrusion sets (APT) (14)
- UAC-0020 (Vermin) uses (source: AlienVault, confidence 100)
- EXOTIC LILY uses (source: The MITRE Corporation, confidence 100). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) is a financially motivated group that has been closely linked with [Wizard Spider](https://attack.mitre.org/groups/G0102) and the deployment of ransomware including [Conti](https://attack.mitre.org/software/S0575) and [Diavol](https://attack.mitre.org/software/S0659). [EXOTIC LILY](https://attack.mitre.org/groups/G1011) may be…
- Wizard Spider uses (source: The MITRE Corporation, confidence 100). [Wizard Spider](https://attack.mitre.org/groups/G0102) is a Russia-based financially motivated threat group originally known for the creation and deployment of [TrickBot](https://attack.mitre.org/software/S0266) since at least 2016. [Wizard Spider](https://attack.mitre.org/groups/G0102) possesses a diverse arsenal…
- Earth Kasha uses (source: AlienVault, confidence 100)
- APT41 uses (source: The MITRE Corporation, confidence 100). [APT41](https://attack.mitre.org/groups/G0096) is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, [APT41](https://attack.mitre.org/groups/G0096) has been observed…
- UAT-8837 uses (source: AlienVault, confidence 100)
- UNC6040, UNC6240 uses (source: AlienVault, confidence 100)
- ALPHV Blackcat uses (source: AlienVault, confidence 100)
- Sharp Project uses (source: AlienVault, confidence 100)
- Akira uses (source: The MITRE Corporation, confidence 100). The Akira ransomware group is said to have emerged in March 2023, and there's much speculation about its ties to the former CONTI ransomware group. It's worth…
- Conti uses (source: AlienVault, confidence 100)
- (name not shown) uses (source: AlienVault, confidence 100)
Malware (50)
- RomCom (family) uses
- TrickBot - S0266 uses (source: AlienVault, confidence 100)
- Cobalt Strike (family) uses
- DWAgent (family) uses
- Emotet (family) uses (source: The MITRE Corporation, confidence 100). [Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014,…
- NOOPDOOR uses (source: AlienVault, confidence 100)
- TSPY_TRICKLOAD uses (source: The MITRE Corporation, confidence 100). [TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by…
- Impacket uses (source: AlienVault, confidence 100)
- Cuba Ransomware uses
- Win.Dropper.Scar uses
- SharpHound (family) uses
- Endpoint-Collector uses
Reports (11)
- Threat landscape — insurance related (confidence 100): 199 MITREs, 11 APTs
- 18 MITREs, 2 Malwares, 5 Observables
- 20 MITREs, 2 Malwares, 2 Observables, 1 APT
- 10 MITREs, 13 Observables, 1 APT
- 7 CVEs, 19 MITREs, 4 Malwares, 7 Observables, 1 APT
- 13 MITREs, 3 Malwares, 1 Observable
- 13 MITREs, 8 Malwares, 7 Observables
- 8 MITREs, 1 Malware, 7 Observables
- 20 MITREs, 1 Malware, 5 Observables
- 14 MITREs, 1 Malware, 6 Observables
- 19 MITREs, 1 Malware, 33 Observables, 1 APT
Vulnerabilities (CVE) (12)
Microsoft Windows Common Log File System (CLFS) Driver contains an unspecified vulnerability that allows for privilege escalation.
- Published: 13/04/2022
- Modified: 27/05/2026

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.
- Attack vector: Network
- Published: 04/10/2023
- Modified: 29/05/2026

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.
- Attack vector: Network
- Published: 15/03/2023
- Modified: 21/12/2025

Citrix NetScaler ADC and NetScaler Gateway contain a code injection vulnerability that allows for unauthenticated remote code execution.
- Attack vector: Network
- Published: 19/07/2023
- Modified: 27/05/2026

Privilege Escalation to root administrator (nsroot)
- Attack vector: ADJACENT_NETWORK
- Published: 19/07/2023
- Modified: 21/12/2025

A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files.
- Attack vector: LOCAL
- Complexity: LOW
- Published: 11/12/2013
- Modified: 22/04/2026

Reflected Cross-Site Scripting (XSS)
- Attack vector: NETWORK
- Published: 19/07/2023
- Modified: 21/12/2025

Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files …
- Attack vector: Network
- Published: 25/11/2024
- Modified: 21/12/2025

North Grid Proself Enterprise/Standard, Gateway, and Mail Sanitize contain an improper restriction of XML External Entity (XXE) reference vulnerability, which could allow …
- Attack vector: Network
- Published: 03/12/2024
- Modified: 21/12/2025

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …
- Attack vector: Network
- Published: 04/09/2025
- Modified: 21/12/2025

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …
- Attack vector: Local
- Published: 03/11/2021
- Modified: 27/05/2026

Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or …
- Attack vector: Network
- Published: 13/06/2023
- Modified: 21/12/2025
Attack patterns (MITRE) (5)
- Silver Ticket (T1558.002) subtechnique-of, MITRE
- AS-REP Roasting (T1558.004) subtechnique-of, MITRE
- Golden Ticket (T1558.001) subtechnique-of, MITRE
- Ccache Files subtechnique-of
- Kerberoasting (T1558.003) subtechnique-of, MITRE
Campaign (1)
- 2025 Poland Wiper Attacks uses
Course Of Action (6)
- Encrypt Sensitive Information mitigates
- Audit mitigates
- Privileged Account Management mitigates
- Password Policies mitigates
- Credential Access Protection mitigates
- Active Directory Configuration mitigates