
Summary
The rule ‘Kerberos Manipulation’ detects abnormal behavior in the Kerberos Ticket Granting Ticket (TGT) process on Windows systems. Specifically, it flags failed TGT requests that may indicate tampering by an attacker attempting to abuse the Kerberos authentication protocol. Detection is driven by the Windows event IDs associated with Kerberos authentication failures: 675 (Pre-authentication failed), 4768 (A Kerberos authentication ticket (TGT) was requested), 4769 (A Kerberos service ticket was requested) and 4771 (Kerberos pre-authentication failed). For each of these events the rule inspects the returned status value for specific failure codes, including but not limited to 0x9 (Invalid credentials) and 0xA (Password expired), together with several others that point not merely to user error but to possible attempts to gain unauthorized access or credentials within the environment. Reviewing these events lets security teams quickly identify and respond to unauthorized attempts to manipulate Kerberos tickets, improving their posture against credential-access threats.
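The matching logic described above, written out as an added example (this is illustration code, not the rule itself or any code from its author). It filters events by the four event IDs, normalises the hex status value so that 0x0A and 0xa compare equal, and keeps only the codes of interest. The key=value log line format, the field names EventID, TargetUserName, IpAddress and Status, and the sample lines are all constructed for this example; the status set contains only the two codes the page names, whereas the rule lists more.

```python
import re
from collections import Counter

# Event IDs the rule watches (from the page).
KERBEROS_EVENT_IDS = {675, 4768, 4769, 4771}

# Status codes the page names as indicators; the real rule lists further
# codes. Stored in canonical lower-case form produced by normalize_status().
SUSPICIOUS_STATUS_CODES = {"0x9", "0xa"}

# Assumption: events arrive as 'key=value key=value' lines.
_KV_RE = re.compile(r"(\w+)=(\S+)")
_HEX_DIGITS = set("0123456789abcdef")


def normalize_status(status: str) -> str:
    """Canonicalise a hex status so '0x0A', '0X0a' and '0xa' compare equal."""
    s = status.strip().lower()
    digits = s[2:]
    if not s.startswith("0x") or not digits or not set(digits) <= _HEX_DIGITS:
        raise ValueError(f"not a hex status code: {status!r}")
    return "0x" + (digits.lstrip("0") or "0")


def parse_event(line: str) -> dict:
    """Turn one constructed 'key=value' log line into a dict."""
    fields = dict(_KV_RE.findall(line))
    if "EventID" in fields:
        fields["EventID"] = int(fields["EventID"])
    return fields


def is_suspicious(event: dict, codes=SUSPICIOUS_STATUS_CODES) -> bool:
    """True when the event is a Kerberos event carrying one of the codes."""
    if event.get("EventID") not in KERBEROS_EVENT_IDS:
        return False
    status = event.get("Status")
    if status is None:  # e.g. a record with no status field at all
        return False
    try:
        return normalize_status(status) in codes
    except ValueError:  # malformed status: not a match, not a crash
        return False


def find_suspicious(lines, codes=SUSPICIOUS_STATUS_CODES) -> list:
    """Apply the rule logic to an iterable of log lines, returning the hits."""
    return [e for e in map(parse_event, lines) if is_suspicious(e, codes)]


def failures_by_account(hits) -> Counter:
    """Triage helper: count matching events per target account."""
    return Counter(e.get("TargetUserName", "<unknown>") for e in hits)


# Constructed sample records; none of these are real log data.
SAMPLE_LOG = [
    "EventID=4768 TargetUserName=alice IpAddress=10.0.0.5 Status=0x0",      # success
    "EventID=4771 TargetUserName=bob IpAddress=10.0.0.9 Status=0x18",       # everyday wrong password, not in this set
    "EventID=4768 TargetUserName=svc_backup IpAddress=10.0.0.77 Status=0x9",  # listed code
    "EventID=4769 TargetUserName=carol IpAddress=10.0.0.12 Status=0x0A",    # listed code, padded form
    "EventID=4624 TargetUserName=dave IpAddress=10.0.0.3 Status=0x9",       # not a Kerberos event ID
    "EventID=4769 TargetUserName=erin IpAddress=10.0.0.14",                 # no status field
]

if __name__ == "__main__":
    hits = find_suspicious(SAMPLE_LOG)
    for h in hits:
        print(f"ALERT event={h['EventID']} user={h['TargetUserName']} "
              f"from={h['IpAddress']} status={normalize_status(h['Status'])}")
    print(dict(failures_by_account(hits)))
```

Normalising the status before comparing matters in practice: the same code is written 0x9, 0x09 or 0X9 depending on the log pipeline, and an exact string match would silently miss some of them.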
Categories
- Windows
- Endpoint
Data Sources
- Windows Registry
- Application Log
Created: 2017-02-10