UBA : Possible TGT PAC Forgery

The QRadar® User Behavior Analytics (UBA) app supports use cases based on rules for certain behavioral anomalies.

UBA : Possible TGT PAC Forgery

Enabled by default


Default senseValue



Detects use of Forged PAC certificate to get a Service Ticket from Kerberos TGS.

Support rules

  • BB:UBA : Common Event Filters
  • BB:UBA : TCT PAC Forgery Patched Server
  • BB:UBA : TCT PAC Forgery Unpatched Server

Required configuration

Add the appropriate values to the following reference set: "UBA : Domain Controller Administrators".

Log source types

Microsoft Windows Security Event Log (EventID: 4672, 4769)