T1558Credential Access

Steal or Forge Kerberos Tickets

Kerberoasting, Golden/Silver tickets, AS-REP roasting.

§ Where this technique fits

T1558 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 2 approved dossiers in the registry, typically at step 4.5 on average.

Authoritative reference: attack.mitre.org/techniques/T1558/.

§ Dossiers chaining this technique

noPac / sAMAccountName spoofing → Domain Admin
Combine CVE-2021-42278 (sAMAccountName validation) and CVE-2021-42287 (PAC confusion) to impersonate a DC as a low-priv user.
step 4 / 7
Cross-trust attack: child → parent forest via SID History
Forge an inter-realm TGT using a child domain's krbtgt and inject Enterprise Admins SID into SID History to traverse a non-quarantined trust.
step 5 / 6

§ What commonly comes next

01
DCSync
T1003.006 · Credential Access
seen 1×
02
sAMAccountName Spoofing — noPac (CVE-2021-42278/42287)
AD-NOPAC · Privilege Escalation
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

noPac / sAMAccountName spoofing → Domain Admin

Cross-trust attack: child → parent forest via SID History

§ What commonly comes next