CAPEC-652 Detail

Use of Known Kerberos Credentials

Abstraction: Standard
Domains of Attack: Software
Likelihood of Attack: Medium
Typical Severity: High

Parents: 560

Children: 509 645

Threats: T71 T75 T279 T283 T385 T388 T398 T402

Description

An adversary obtains (e.g. steals or purchases) legitimate Kerberos credentials (e.g. a Kerberos service account userID/password or Kerberos tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

Extended Description

Kerberos is the default authentication method for Windows domains and is also used across many other operating systems. Attacks leveraging trusted Kerberos credentials can have numerous consequences, depending on which Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks, and are registered with Service Principal Names (SPNs) so that clients can request service tickets for them. However, their credentials are often weak and set never to expire, and the accounts frequently hold local or domain administrator privileges. If an adversary acquires these credentials, the result can be lateral movement within the domain or access to any resource the service account is privileged to use, among other things.

Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can allow an adversary to break the authentication, authorization, and audit controls of the target system or application.
Taxonomy Mappings and References

External ID | Source | Link | Description
CAPEC-652 | capec | https://capec.mitre.org/data/definitions/652.html |
CWE-522 | cwe | http://cwe.mitre.org/data/definitions/522.html |
CWE-307 | cwe | http://cwe.mitre.org/data/definitions/307.html |
CWE-308 | cwe | http://cwe.mitre.org/data/definitions/308.html |
CWE-309 | cwe | http://cwe.mitre.org/data/definitions/309.html |
CWE-262 | cwe | http://cwe.mitre.org/data/definitions/262.html |
CWE-263 | cwe | http://cwe.mitre.org/data/definitions/263.html |
CWE-654 | cwe | http://cwe.mitre.org/data/definitions/654.html |
CWE-294 | cwe | http://cwe.mitre.org/data/definitions/294.html |
CWE-836 | cwe | http://cwe.mitre.org/data/definitions/836.html |
T1558 | ATTACK | https://attack.mitre.org/wiki/Technique/T1558 | Steal or Forge Kerberos Tickets
REF-584 | reference_from_CAPEC | https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses | BRONZE BUTLER Targets Japanese Enterprises, 2017-10-12, Secureworks® Counter Threat Unit™ Threat Intelligence
REF-585 | reference_from_CAPEC | https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ | Kerberoasting Without Mimikatz, 2016-11-01
REF-586 | reference_from_CAPEC | https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/ | Invoke-Kerberoast

Explore
  1. Acquire known Kerberos credentials: The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.

  2. Techniques
    An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.
    An adversary guesses the credentials to a weak Kerberos service account.
    An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.
    An adversary conducts a Kerberoasting attack.
Experiment
  1. Attempt Kerberos authentication: Try each Kerberos credential against various resources within the domain until the target grants access.

  2. Techniques
    Manually or automatically enter each Kerberos service account credential through the target's interface.
    Attempt a Pass the Ticket attack.
Exploit
  1. Impersonate: An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to move laterally within the domain.

  2. Spoofing: Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.

  3. Data Exfiltration: The adversary can obtain sensitive data contained within domain systems or applications.

Prerequisites

  1. The system/application leverages Kerberos authentication.
  2. The system/application uses one-factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.
  3. The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.
  4. The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.
  5. The targeted network allows network sniffing attacks to succeed.

Resources Required

  1. A valid Kerberos ticket or a known Kerberos service account credential.
Skills Required

Low: Once an adversary obtains a known Kerberos credential, leveraging it is trivial.
Consequences

Scope | Impact
Integrity | Modify Data
Confidentiality | Read Data
Authorization | Gain Privileges
Access Control | Gain Privileges
Authentication | Gain Privileges
Example Instances

  1. Bronze Butler (also known as Tick) has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]
  2. PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets for accounts with registered SPNs and return crackable ticket hashes. [REF-585] [REF-586]