MITRE ATT&CK® Detection Strategy

DET0241: Detect Forged Kerberos Silver Tickets (T1558.002)


Domain: Enterprise | ID: DET0241 | Object type: Detection Strategy | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DET0241 is a MITRE detection strategy for forged Kerberos Silver Tickets tied to ATT&CK technique T1558.002. The business significance is that a compromised service account hash can let an adversary create service tickets for a specific resource, such as a database or application service, without needing broad domain-wide control. That makes this behavior important for protecting critical Windows-hosted services, privileged service accounts, and incident response decisions around whether access to a business application can still be trusted.

Executive priority

Prioritize this as an identity and resilience issue for Windows services that support critical operations. Leaders should ask whether high-value service accounts are inventoried, monitored, protected, and rapidly recoverable if compromise is suspected. Because the supplied ATT&CK object has no official detection text, organizations should not assume coverage from the detection strategy name alone; they should require evidence that Kerberos service-ticket activity and service account usage are visible to the SOC and usable during audits or incident response.

Technical view

The detection strategy carries no official detection details or platform field, but its single relationship is that it detects Silver Ticket (T1558.002), a Windows credential-access technique in which an adversary who holds a service account's password hash or Kerberos key forges a ticket-granting service (TGS) ticket for that service. Because the forged ticket is built offline and presented directly to the target host, it is never requested from the KDC, so domain controllers record no ticket request for it; detection therefore rests on the target host's own logon and access telemetry and on correlation with what the domain controllers actually issued. SOC and detection teams should validate whether they can correlate Kerberos service-ticket activity, service account authentication, and access to the specific resources those accounts protect. IR teams should be prepared to scope by affected service account, hosted resource, and systems accepting the ticket, rather than treating this only as a domain-wide Kerberos issue.

Likely telemetry

  • Windows security authentication logs related to Kerberos service-ticket activity
  • Service account logon and resource access records
  • Logs from the target service or application, such as database, collaboration, or other Windows-hosted service access logs
  • Domain controller Kerberos-related event data where collected
  • Asset and identity inventory mapping service accounts to the services and hosts they protect

Detection direction

  • Validate that Kerberos service-ticket events are collected and retained long enough to support investigation of suspected forged service tickets. A forged Silver Ticket is never requested from the KDC, so domain controller ticket-request events (Event ID 4769) will not record it; the evidence is a Kerberos network logon on the target host (Event ID 4624) with no corresponding issuance on any domain controller, which requires both host and DC security logs to be collected.
  • Tune detections around service account use against expected hosts, services, and access patterns; false positives may arise from legitimate service-to-service authentication.
  • Correlate identity telemetry with resource access logs, because the related behavior is scoped to a particular service rather than necessarily broad domain activity.
  • Check for blind spots where service accounts, service principal names, or critical Windows-hosted services are not inventoried or not monitored.
  • Because MITRE supplied no official detection logic for this object, treat DET0241 as a coverage requirement to operationalize locally, not as a complete analytic.
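The correlation the bullets above describe, written out as an added example (this is not MITRE's or Glexia's code, and DET0241 ships no analytic of its own): Kerberos network logons recorded on a target host (Event ID 4624) are matched against service-ticket issuance recorded on the domain controllers (Event ID 4769) for the same requesting account and the same service account, within a short window before the logon. A logon with no matching issuance is a candidate forged ticket; a logon on a host that the service-account inventory does not cover is reported as a blind spot. The events, the host-to-service-account inventory, the NetBIOS domain name and the 10-minute window are all constructed assumptions for this illustration; the domain-format check is a weak, tool-dependent hint and is only reported alongside a missing-issuance finding.

```python
"""Correlate target-host Kerberos logons (4624) with DC ticket issuance (4769)
to surface candidate forged service tickets. Constructed sample data only."""
from datetime import datetime, timedelta

# Constructed inventory (assumption): host -> account that holds the host's SPNs.
# In a real estate this comes from the service-account inventory the page calls for.
HOST_TO_SERVICE_ACCOUNT = {
    "db01": "svc_sql",   # e.g. MSSQLSvc/db01.corp.local registered on svc_sql
    "fs01": "fs01$",     # e.g. CIFS/fs01 served by the computer account
}

NETBIOS_DOMAIN = "CORP"  # assumption for this constructed environment

# Constructed DC events (4769): requesting account -> service account the SPN maps to.
DC_4769 = [
    {"time": "2024-05-01T09:00:10", "account_name": "jdoe@CORP.LOCAL",
     "service_name": "svc_sql", "client_address": "10.0.5.20"},
    {"time": "2024-05-01T09:05:00", "account_name": "jdoe@CORP.LOCAL",
     "service_name": "fs01$", "client_address": "10.0.5.20"},
]

# Constructed target-host events (4624, logon type 3 = network).
HOST_4624 = [
    # Legitimate: jdoe reached db01 with a ticket the DC issued two seconds earlier.
    {"time": "2024-05-01T09:00:12", "host": "db01", "target_user": "jdoe",
     "target_domain": "CORP", "auth_pkg": "Kerberos", "logon_type": 3, "ip": "10.0.5.20"},
    # Suspicious: Administrator reaches db01 via Kerberos, but no DC issued a ticket
    # for Administrator -> svc_sql, and the domain field is the FQDN, not NetBIOS.
    {"time": "2024-05-01T09:30:00", "host": "db01", "target_user": "Administrator",
     "target_domain": "CORP.LOCAL", "auth_pkg": "Kerberos", "logon_type": 3, "ip": "10.0.9.77"},
    # Legitimate: jdoe on fs01, issuance recorded on the DC.
    {"time": "2024-05-01T09:05:02", "host": "fs01", "target_user": "jdoe",
     "target_domain": "CORP", "auth_pkg": "Kerberos", "logon_type": 3, "ip": "10.0.5.20"},
    # Blind spot: host not in the inventory, so the logon cannot be correlated.
    {"time": "2024-05-01T09:40:00", "host": "app07", "target_user": "svc_backup",
     "target_domain": "CORP", "auth_pkg": "Kerberos", "logon_type": 3, "ip": "10.0.9.77"},
    # Out of scope here: NTLM logons belong to a different analytic.
    {"time": "2024-05-01T09:45:00", "host": "db01", "target_user": "backup_op",
     "target_domain": "CORP", "auth_pkg": "NTLM", "logon_type": 3, "ip": "10.0.5.21"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def find_suspect_logons(host_events, dc_events, host_to_service,
                        window=timedelta(minutes=10), netbios_domain=NETBIOS_DOMAIN):
    """Return (event, reasons) for Kerberos network logons that have no matching
    4769 on a DC within `window` before the logon, or that land on a host missing
    from the inventory. Legitimate logons (issuance found) are not returned."""
    findings = []
    for ev in host_events:
        if ev["auth_pkg"] != "Kerberos" or ev["logon_type"] != 3:
            continue
        reasons = []
        svc = host_to_service.get(ev["host"].lower())
        if svc is None:
            reasons.append("host missing from service-account inventory")
        else:
            t = _ts(ev["time"])
            issued = any(
                d["account_name"].split("@")[0].lower() == ev["target_user"].lower()
                and d["service_name"].lower() == svc.lower()
                and t - window <= _ts(d["time"]) <= t
                for d in dc_events
            )
            if not issued:
                reasons.append(f"no 4769 issuance for {ev['target_user']} -> {svc}")
                # Weak hint only: some forging tools populate the FQDN here instead
                # of the NetBIOS name that normal logons in this environment carry.
                if ev["target_domain"].upper() != netbios_domain.upper():
                    reasons.append(f"domain field {ev['target_domain']!r} is not NetBIOS {netbios_domain!r}")
        if reasons:
            findings.append((ev, reasons))
    return findings


if __name__ == "__main__":
    for ev, reasons in find_suspect_logons(HOST_4624, DC_4769, HOST_TO_SERVICE_ACCOUNT):
        who = ev["target_domain"] + "\\" + ev["target_user"]
        print(ev["time"], ev["host"], who, "<-", ev["ip"], ":", "; ".join(reasons))
```

Run as written, the script reports the Administrator logon on db01 (no issuance, FQDN domain field) and the app07 logon (no inventory entry), and stays silent on the two jdoe logons. The window and the inventory are the tuning knobs the page's bullets point at: too short a window produces false positives from clock skew between hosts and DCs, and any host absent from the inventory is a blind spot rather than a clean result.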

Mitigation priorities

  • Inventory service accounts and map them to the resources they protect, prioritizing business-critical Windows services.
  • Limit service account privileges to the minimum required and reduce unnecessary reuse across services.
  • Protect service account credentials and rotate them when compromise is suspected or as part of response to Silver Ticket risk.
  • Ensure Kerberos and Windows authentication logs are enabled, centralized, and reviewable by SOC and IR teams.
  • Use tabletop or validation exercises to confirm the organization can identify the affected service, account, and host during a suspected Silver Ticket incident.

Analyst notes and limits

The strongest relationship context is to ATT&CK T1558.002 Silver Ticket under credential access on Windows. This take emphasizes identity monitoring, service account governance, and resource-level scoping because Silver Tickets are described as enabling access to a particular resource and its host rather than automatically implying full-domain compromise.

The supplied detection strategy has no official description, no official detection text, no tactics, and no platforms specified. Recommendations are derived conservatively from the related Silver Ticket technique fields and require local validation against the organization’s Kerberos, Windows, service account, and application logging reality.

Official MITRE ATT&CK definition

Detect Forged Kerberos Silver Tickets (T1558.002)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID         Name           Type           Relationship / procedure
Enterprise  T1558.002  Silver Ticket  Sub-technique  This object detects Silver Ticket.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in this snapshot)
Modified: (empty in this snapshot)
Raw hash: dcb76971a9fd0469...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1     (empty)          1.0             (empty)   Current bundle  dcb76971a9fd…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack: DET0241 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.