Version: 1.4.0

Kerberos Decode

Parse Security

Synopsis

Extracts and decodes Kerberos ticket information.

Schema

- kerberos_decode:
    field: <ident>
    target_field: <string>
    ticket_type: <string>
    extract_principals: <boolean>
    decode_times: <boolean>
    description: <text>
    if: <script>
    ignore_failure: <boolean>
    ignore_missing: <boolean>
    on_failure: <processor[]>
    on_success: <processor[]>
    tag: <string>

Configuration

The following fields are used to define the processor:

Field	Required	Default	Description
`field`	Y	-	Source field containing Kerberos ticket data
`target_field`	N	`{field}_decoded`	Target field to store decoded ticket information
`ticket_type`	N	`auto`	Ticket type: `auto`, `tgt`, `service`, `renewal`
`extract_principals`	N	`true`	Extract client and service principal names
`decode_times`	N	`true`	Decode ticket timestamps to readable format
`description`	N	-	Explanatory note
`if`	N	-	Condition to run
`ignore_failure`	N	`false`	Continue processing if decoding fails
`ignore_missing`	N	`false`	Skip processing if referenced field doesn't exist
`on_failure`	N	-	See Handling Failures
`on_success`	N	-	See Handling Success
`tag`	N	-	Identifier

Details

Decodes Kerberos ticket data to extract authentication and authorization information. The processor can handle various Kerberos ticket types including Ticket Granting Tickets (TGT) and service tickets.

The decoded output includes principal names, ticket validity periods, encryption types, and ticket flags that indicate the ticket's capabilities and restrictions.

note

Kerberos tickets contain encoded authentication information including encrypted session keys, principal names, and validity timestamps. The processor extracts the readable portions without requiring decryption keys.

When extract_principals is enabled, the processor extracts and formats client and service principal names for easy identification of the authentication parties.

warning

Kerberos ticket parsing requires properly formatted ticket data. Corrupted or truncated tickets will cause the processor to fail unless ignore_failure is set to true.

Examples

Basic Ticket Decoding

Decoding Kerberos ticket structure...

{
  "krb_ticket": "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ..."
}

- kerberos_decode:
    field: krb_ticket
    target_field: ticket_info

extracts ticket information:

{
  "krb_ticket": "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ...",
  "ticket_info": {
    "ticket_type": "service",
    "client_principal": "user@DOMAIN.COM",
    "service_principal": "HTTP/server.domain.com@DOMAIN.COM",
    "realm": "DOMAIN.COM",
    "encryption_type": "aes256-cts-hmac-sha1-96",
    "ticket_flags": ["forwardable", "renewable"]
  }
}

With Time Decoding

Including ticket validity timestamps...

{
  "auth_ticket": "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ..."
}

- kerberos_decode:
    field: auth_ticket
    decode_times: true
    target_field: ticket_details

includes timestamp information:

{
  "auth_ticket": "YIIBqgYJKoZIhvcSAQI...",
  "ticket_details": {
    "client_principal": "admin@CORP.COM",
    "service_principal": "krbtgt/CORP.COM@CORP.COM",
    "auth_time": "2024-01-15T10:30:00Z",
    "start_time": "2024-01-15T10:30:00Z",
    "end_time": "2024-01-15T20:30:00Z",
    "renew_till": "2024-01-22T10:30:00Z"
  }
}

TGT Ticket Analysis

Analyzing Ticket Granting Ticket...

{
  "tgt_data": "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ..."
}

- kerberos_decode:
    field: tgt_data
    ticket_type: tgt
    target_field: tgt_info

identifies TGT-specific information:

{
  "tgt_data": "YIIBqgYJKoZIhvcSAQI...",
  "tgt_info": {
    "ticket_type": "tgt",
    "client_principal": "jdoe@EXAMPLE.COM",
    "service_principal": "krbtgt/EXAMPLE.COM@EXAMPLE.COM",
    "is_initial": true,
    "is_renewable": true,
    "renewable_until": "2024-01-22T10:30:00Z"
  }
}

Multiple Tickets

Processing array of ticket data...

{
  "ticket_cache": [
    "YIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ...",
    "MIIBqgYJKoZIhvcSAQICAgOCAZsEggGXMIIBkwIBAQIBAQIBAQ..."
  ]
}

- kerberos_decode:
    field: ticket_cache
    target_field: decoded_tickets

decodes each ticket:

{
  "ticket_cache": [...],
  "decoded_tickets": [
    {
      "ticket_type": "tgt",
      "client_principal": "user1@DOMAIN.COM"
    },
    {
      "ticket_type": "service", 
      "service_principal": "HTTP/web.domain.com@DOMAIN.COM"
    }
  ]
}

Synopsis​

Schema​

Configuration​

Details​

Examples​

Basic Ticket Decoding​

With Time Decoding​

TGT Ticket Analysis​

Multiple Tickets​