T1558: Steal or Forge Kerberos Tickets
Essential information
- MITRE technique ID
T1558- Confidence
- 100/100
- Revoked
- No
- Published
- 11/02/2020 20:12
- Modified
- 27/03/2026 01:09
- Author / Source
- The MITRE Corporation
Aliases
T1558
Platforms
windows macos linux
Description
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in `klist` utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
Kill chain phases
| Kill chain | Phase |
|---|---|
| mitre-attack | credential-access |
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- Microsoft Klist
- CERT-EU Golden Ticket Protection
- AdSecurity Cracking Kerberos Dec 2015
- Stealthbits Detect PtT 2019
- Medium Detecting Attempts to Steal Passwords from Memory
- ADSecurity Detecting Forged Tickets
- mitre-attack (T1558)
- Microsoft Detecting Kerberoasting Feb 2018
- Microsoft Kerberos Golden Ticket
- ADSecurity Kerberos Ring Decoder