kqlElastic-2.0from elastic/detection-rules

PowerShell Kerberos Ticket Dump

Quality

FP risk

—

Forks

Views

ATT&CK techniques

T1003 T1003.001 T1558 T1059 T1059.001 T1106

Rule sourcerules/windows/credential_access_posh_kerb_ticket_dump.toml

event.category:process and host.os.type:windows and
  powershell.file.script_block_text : (
    "LsaCallAuthenticationPackage" and
    (
      "KerbRetrieveEncodedTicketMessage" or
      "KerbQueryTicketCacheMessage" or
      "KerbQueryTicketCacheExMessage" or
      "KerbQueryTicketCacheEx2Message" or
      "KerbRetrieveTicketMessage" or
      "KerbDecryptDataMessage"
    )
  )