PKINIT TGT authentication request

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2025-11-09
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • Windows Event Collector
      OR
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Identity Analytics

Detector Tags

Active Directory Certificate Services Analytics

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.

Attacker's Goals

Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.

Investigative actions

  • Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity.
  • Inspect the Key Credentials attribute of the target account for recent modifications.
  • Review associated service tickets or lateral movement activities tied to the target account.
  • Investigate unusual certificate issuance or PKI activities.

Variations

Suspicious PKINIT TGT authentication request

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.

Attacker's Goals

Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.

Investigative actions

  • Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity.
  • Inspect the Key Credentials attribute of the target account for recent modifications.
  • Review associated service tickets or lateral movement activities tied to the target account.
  • Investigate unusual certificate issuance or PKI activities.


Abnormal PKINIT TGT authentication request

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A Kerberos TGT was requested using PKINIT. This may indicate an attack on Active Directory Certificate Services (AD CS), such as shadow credential exploitation or certificate-based authentication abuse.

Attacker's Goals

Gain unauthorized access to high-privilege accounts by abusing certificate-based authentication mechanisms.

Investigative actions

  • Verify if Windows Hello for Business (WHfB) is deployed and actively used in the environment, as it may explain the PKINIT activity.
  • Inspect the Key Credentials attribute of the target account for recent modifications.
  • Review associated service tickets or lateral movement activities tied to the target account.
  • Investigate unusual certificate issuance or PKI activities.