T1558: Steal or Forge Kerberos Tickets

Search IOCs, vulnerabilities, APT…

216.73.216.226

← Back to attack patterns

T1558: Steal or Forge Kerberos Tickets

View on MITRE ATT&CK The MITRE Corporation · Published 11/02/2020 20:12 · Modified 27/03/2026 01:09

Essential information

MITRE technique ID: T1558
Confidence: 100/100
Revoked: No
Published: 11/02/2020 20:12
Modified: 27/03/2026 01:09
Author / Source: The MITRE Corporation

Aliases

T1558

Platforms

windows macos linux

Description

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access. On Windows, the built-in `klist` utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)

Kill chain phases

Kill chain	Phase
mitre-attack	credential-access

Marking (TLP)

External references

Microsoft Klist
CERT-EU Golden Ticket Protection
AdSecurity Cracking Kerberos Dec 2015
Stealthbits Detect PtT 2019
Medium Detecting Attempts to Steal Passwords from Memory
ADSecurity Detecting Forged Tickets
mitre-attack (T1558)
Microsoft Detecting Kerberoasting Feb 2018
Microsoft Kerberos Golden Ticket
ADSecurity Kerberos Ring Decoder

Related entities

Intrusion sets, malware, reports, vulnerabilities, indicators and other entities linked to this technique.

Intrusion sets (APT) (14)

RomCom uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Diplomatic Orbiter uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·

← Previous

Page / 2

13–14 of 14

RomCom uses

Family
TrickBot - S0266 uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cobalt Strike uses

Family
DWAgent uses

Family
Emotet uses

Family The MITRE Corporation Confidence 100

[Emotet](https://attack.mitre.org/software/S0367) is a modular malware variant which is primarily used as a downloader for other malware variants such as [TrickBot](https://attack.mitre.org/software/S0266) and [IcedID](https://attack.mitre.org/software/S0483). Emotet first emerged in June 2014,…

First seen 01/01/1970 · Last seen 16/11/5138 ·
NOOPDOOR uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
TSPY_TRICKLOAD uses

The MITRE Corporation Confidence 100

[TrickBot](https://attack.mitre.org/software/S0266) is a Trojan spyware program written in C++ that first emerged in September 2016 as a possible successor to [Dyre](https://attack.mitre.org/software/S0024). [TrickBot](https://attack.mitre.org/software/S0266) was developed and initially used by…

First seen 01/01/1970 · Last seen 16/11/5138 ·
Impacket uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Cuba Ransomware uses
Win.Dropper.Scar uses
SharpHound uses

Family
Endpoint-Collector uses

← Previous

Page / 5

1–12 of 50

Threat landscape — insurance related

Confidence 100 199 MITREs 11 APTs
Havoc: SharePoint with Microsoft Graph API turns into … related

18 MITREs 2 Malwares 5 Observables
Unmasking the Shadow of PoisonPlug's Obfuscator related

20 MITREs 2 Malwares 2 Observables 1 APT
U.S. Organization in China Targeted by Attackers related

10 MITREs 13 Observables 1 APT
Spot the Difference: New LODEINFO Campaign And The … related

7 CVEs 19 MITREs 4 Malwares 7 Observables 1 APT
Malicious CAPTCHA delivers Lumma and Amadey Trojans related

13 MITREs 3 Malwares 1 Observable
The New Malware Distribution Service related

13 MITREs 8 Malwares 7 Observables
Loki: a new private agent for the popular … related

8 MITREs 1 Malware 7 Observables
RHADAMANTHYS: In-Depth Analysis of a Sophisticated Stealer Targeting … related

20 MITREs 1 Malware 5 Observables
Fake Microsoft Teams for Mac delivers Atomic Stealer related

14 MITREs 1 Malware 6 Observables
Targets Ukraine's Defense Forces using SPECTR malware alongside … related

19 MITREs 1 Malware 33 Observables 1 APT

Vulnerabilities (CVE) (12)

CVE-2022-24521 KEV targets

Microsoft Windows Common Log File System (CLFS) Driver contains an unspecified vulnerability that allows for privilege escalation.

Published: 13/04/2022
Modified: 27/05/2026

CVE-2023-42793 KEV targets

9.8 Critical

JetBrains TeamCity contains an authentication bypass vulnerability that allows for remote code execution on TeamCity Server.

Attack vector: Network
Published: 04/10/2023
Modified: 29/05/2026

CVE-2023-26360 KEV targets

8.6 High

Adobe ColdFusion contains a deserialization of untrusted data vulnerability that allows for remote code execution.

Attack vector: Network
Published: 15/03/2023
Modified: 21/12/2025

CVE-2023-3519 KEV targets

9.8 Critical

Citrix NetScaler ADC and NetScaler Gateway contains a code injection vulnerability that allows for unauthenticated remote code execution.

Attack vector: Network
Published: 19/07/2023
Modified: 27/05/2026

CVE-2023-3467 targets

8.0 High

Privilege Escalation to root administrator (nsroot)

Attack vector: ADJACENT_NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2013-3900 KEV targets

5.5 Medium

A remote code execution vulnerability exists in the way that the WinVerifyTrust function handles Windows Authenticode signature verification for PE files.

Attack vector: LOCAL
Complexity: LOW
Published: 11/12/2013
Modified: 22/04/2026

CWE-347

CVE-2023-3466 targets

8.3 High

Reflected Cross-Site Scripting (XSS)

Attack vector: NETWORK
Published: 19/07/2023
Modified: 21/12/2025

CVE-2023-28461 KEV targets

9.8 Critical

Array Networks AG and vxAG ArrayOS contain a missing authentication for critical function vulnerability that allows an attacker to read local files …

Attack vector: Network
Published: 25/11/2024
Modified: 21/12/2025

CVE-2023-45727 KEV targets

7.5 High

North Grid Proself Enterprise/Standard, Gateway, and Mail Sanitize contain an improper restriction of XML External Entity (XXE) reference vulnerability, which could allow …

Attack vector: Network
Published: 03/12/2024
Modified: 21/12/2025

CVE-2025-53690 KEV targets

9.0 Critical

Sitecore Experience Manager (XM), Experience Platform (XP), Experience Commerce (XC), and Managed Cloud contain a deserialization of untrusted data vulnerability involving the …

Attack vector: Network
Published: 04/09/2025
Modified: 21/12/2025

CVE-2020-1472 KEV targets

5.5 Medium

Microsoft's Netlogon Remote Protocol (MS-NRPC) contains a privilege escalation vulnerability when an attacker establishes a vulnerable Netlogon secure channel connection to a …

Attack vector: Local
Published: 03/11/2021
Modified: 27/05/2026

CVE-2023-27997 KEV targets

9.8 Critical

Fortinet FortiOS and FortiProxy SSL-VPN contain a heap-based buffer overflow vulnerability which can allow an unauthenticated, remote attacker to execute code or …

Attack vector: Network
Published: 13/06/2023
Modified: 21/12/2025

Attack patterns (MITRE) (5)

Silver Ticket subtechnique-of

T1558.002 MITRE
T1558.004 subtechnique-of

AS-REP Roasting MITRE
Golden Ticket subtechnique-of

T1558.001 MITRE
Ccache Files subtechnique-of

MITRE
T1558.003 subtechnique-of

Kerberoasting MITRE

Campaign (1)

2025 Poland Wiper Attacks uses

Course Of Action (6)

Encrypt Sensitive Information mitigates
Audit mitigates
Privileged Account Management mitigates
Password Policies mitigates
Credential Access Protection mitigates
Active Directory Configuration mitigates

Contact About Legal notice Privacy policy Terms of use