T1558 — Steal or Forge Kerberos Tickets

Technique: T1558
Tactics: Credential Access
MISP citations: 0
KEV CVEs mapped: 3
Community rules: 5
thrunt rules: 0
Upstream: https://attack.mitre.org/techniques/T1558

MITRE description

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access. On Windows, the built-in <code>klist</code> utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)

KEV CVEs mapped to this technique

Per MITRE CTID's hand-curated KEV→ATT&CK mappings — these are the actively-exploited vulnerabilities behind this technique's KEV signal.

Detection coverage

SigmaHQ community rules

Antivirus Password Dumper Detection (core)
Replay Attack Detected (core)
HackTool - Mimikatz Kirbi File Creation (core)
Uncommon Outbound Kerberos Connection (core)
Potential Unconstrained Delegation Discovery Via Get-ADComputer - ScriptBlock (core)

Signal counts reflect the current corpus snapshot: MISP citations are regex-extracted from CIRCL OSINT event text and galaxy tags; KEV mappings come from MITRE CTID; community coverage is the SigmaHQ rule inventory (core, emerging-threats, threat-hunting collections) at release r2026-04-01. Rule bodies are not mirrored — links go upstream.