DET0522: Detect Kerberos Ticket Theft or Forgery (T1558)
Analyst context for executives and security teams
DET0522 is a MITRE detection strategy for behavior related to T1558, Steal or Forge Kerberos Tickets. The business significance is identity trust: if Kerberos tickets are stolen or forged, an adversary may authenticate to services without using normal password-based access paths. For leaders, this makes Kerberos visibility a core Active Directory and enterprise identity control issue, not just a SOC alerting problem.
Executive priority
Prioritize this as an identity resilience and incident-readiness question: can the organization prove it can observe suspicious Kerberos ticket use across the environments where Kerberos is used, especially Windows domain environments noted by ATT&CK? Because the supplied detection strategy has no official detection text or platform detail, executives should ask whether coverage is documented through local telemetry, detection engineering tests, and incident response playbooks rather than assuming ATT&CK naming equals operational coverage.
Technical view
The object itself provides no official detection logic, but it is mapped to T1558, a credential-access technique in which stolen or forged Kerberos tickets are used to enable Pass the Ticket. SOC and IR teams should validate visibility into Kerberos authentication flows between clients, services, and the Key Distribution Center (KDC). Because the related technique lists Linux, macOS, and Windows platforms while the detection strategy specifies no platform, detection engineering should explicitly map which Kerberos-relevant logs exist per platform and where gaps remain.
Likely telemetry
- Kerberos authentication and ticket activity from Key Distribution Center or domain controller infrastructure
- Service authentication records showing Kerberos-based access to protected services
- Endpoint authentication logs from systems participating in Kerberos realms, including Windows and, where applicable, Linux or macOS systems
- Identity directory and account context needed to interpret ticket use against expected users, services, and hosts
- SOC correlation data linking Kerberos activity with subsequent service access or Pass the Ticket-related authentication behavior
Detection direction
- Do not treat DET0522 as ready-to-deploy logic; the supplied ATT&CK object contains no official detection text.
- Validate that Kerberos ticket request, validation, and service access evidence is actually collected and retained from the KDC/domain controller layer and relevant endpoints.
- Tune analytics around deviations from expected client, service, account, and host relationships rather than isolated Kerberos events, which can be high volume and business-normal.
- Account for blind spots where non-Windows systems participate in Kerberos but do not forward comparable authentication telemetry.
- Use the relationship to T1558 to connect detections with credential-access triage and Pass the Ticket investigation workflows.
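As an added illustration of the relationship-based tuning described above (example code written for this page, not part of the ATT&CK object or of Glexia's analysis), the Python below learns expected account-to-host and account-to-service pairings from constructed baseline records and flags only new events that break them, so high-volume but business-normal ticket activity stays quiet. The record schema, the `min_count` threshold, and every account, host and service name are assumptions, not values drawn from any real log source.

```python
from collections import defaultdict

# Constructed sample records in a hypothetical normalized schema
# (account, client_host, service); they stand in for KDC / domain-controller
# service-ticket telemetry and are not real log data.
BASELINE = [
    {"account": "alice", "client_host": "ws-alice", "service": "cifs/fileserver"},
    {"account": "alice", "client_host": "ws-alice", "service": "http/intranet"},
    {"account": "svc-backup", "client_host": "backup01", "service": "cifs/fileserver"},
    {"account": "bob", "client_host": "ws-bob", "service": "http/intranet"},
] * 5  # repeated to model high-volume, business-normal Kerberos traffic

NEW_EVENTS = [
    {"account": "alice", "client_host": "ws-alice", "service": "cifs/fileserver"},
    {"account": "alice", "client_host": "ws-bob", "service": "cifs/fileserver"},
    {"account": "svc-backup", "client_host": "ws-bob", "service": "ldap/dc01"},
]

def build_baseline(records, min_count=2):
    """Learn expected account->host and account->service pairs.

    A pair must recur at least min_count times, so one historical outlier
    does not silently become an expected relationship.
    """
    host_counts, svc_counts = defaultdict(int), defaultdict(int)
    for r in records:
        host_counts[(r["account"], r["client_host"])] += 1
        svc_counts[(r["account"], r["service"])] += 1
    return {
        "hosts": {k for k, n in host_counts.items() if n >= min_count},
        "services": {k for k, n in svc_counts.items() if n >= min_count},
    }

def find_deviations(baseline, events):
    """Flag events whose account/host or account/service pairing is unseen.

    Events that match an expected relationship are ignored, so raw volume
    alone never alerts; only a change in relationships does.
    """
    findings = []
    for e in events:
        reasons = []
        if (e["account"], e["client_host"]) not in baseline["hosts"]:
            reasons.append("account used from unexpected client host")
        if (e["account"], e["service"]) not in baseline["services"]:
            reasons.append("ticket requested for unexpected service")
        if reasons:
            findings.append({**e, "reasons": reasons})
    return findings
```

Once real telemetry has been normalized to the same three fields, the baseline window and `min_count` are the knobs to tune per environment.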
Mitigation priorities
- First, inventory where Kerberos is used and which systems provide authoritative authentication telemetry.
- Next, ensure SOC collection and retention cover KDC/domain controller activity and service authentication records needed for investigation.
- Then, review identity hygiene and access governance for accounts and services whose ticket misuse would create material business risk.
- Finally, test incident response procedures for suspected Kerberos ticket theft or forgery, including evidence preservation and identity containment decisions.
Analyst notes and limits
This take is intentionally conservative because the detection strategy object has no official description, detection text, tactics, or platforms. The strongest supported context comes from its relationship to T1558, Steal or Forge Kerberos Tickets, which is a credential-access technique associated with Linux, macOS, and Windows and Kerberos authentication realms.
Local architecture determines practical coverage. ATT&CK does not provide the specific log sources, detection analytics, event identifiers, thresholds, or mitigations for DET0522 in the supplied fields, so organizations must validate telemetry and control effectiveness in their own Kerberos environment.
Detect Kerberos Ticket Theft or Forgery (T1558)
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1558 | Steal or Forge Kerberos Tickets | This object detects Steal or Forge Kerberos Tickets. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d3e220aefd76… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: DET0522 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.