Kerberoasting

Information

• Name: Kerberoasting

• ID: T1558.003

• Tactics: TA0006

• Technique: T1558

Introduction

Kerberoasting (T1558.003) is a widely known sub-technique within the MITRE ATT&CK framework under Credential Access. It involves abusing the Kerberos protocol, specifically targeting service accounts to extract encrypted tickets. Attackers then attempt to crack these tickets offline, aiming to retrieve plaintext passwords. This method is attractive due to its stealthy nature, as it leverages legitimate Kerberos functionality and typically does not require elevated privileges, making it difficult to detect.

Deep Dive Into Technique

Kerberoasting exploits the Kerberos authentication protocol's design, specifically targeting service accounts configured with Service Principal Names (SPNs). The process usually involves the following detailed steps:

1. Enumeration of SPNs:

   • Attackers first enumerate Active Directory (AD) accounts that have SPNs assigned. This can be done using built-in tools like PowerShell or third-party tools like PowerView, Impacket, or Rubeus.

   • Example enumeration command using PowerShell:

     Copy

     setspn -T domain.local -Q */*

   • Alternatively, using PowerView:

     Copy

     Get-NetUser -SPN

2. Requesting Kerberos Service Tickets (TGS):

   • Once SPNs are identified, attackers request Kerberos service tickets from the Key Distribution Center (KDC) without needing administrative privileges.

   • Tools such as Mimikatz, Rubeus, or Impacket's GetUserSPNs.py script are commonly used.

   • Example with Impacket:

     Copy

     GetUserSPNs.py domain.local/user:password -request

   • Example with Rubeus:

     Copy

     Rubeus.exe kerberoast

3. Offline Cracking of Tickets:

   • Extracted tickets are encrypted with the associated service account's NTLM hash.

   • Attackers take these encrypted tickets offline and attempt brute-force or dictionary attacks using tools like Hashcat or John the Ripper.

   • Example Hashcat command:

     Copy

     hashcat -m 13100 hashes.txt wordlist.txt

4. Gaining Credentials and Privilege Escalation:

   • Upon successful cracking, attackers obtain plaintext credentials for targeted service accounts.

   • These credentials may grant attackers additional access, lateral movement opportunities, or privilege escalation within the network.

When this Technique is Usually Used

Kerberoasting is commonly employed in various attack scenarios and stages:

• Initial Credential Access: Attackers who have gained initial foothold (even with low-privileged domain user accounts) often use Kerberoasting to escalate privileges or move laterally.

• Internal Reconnaissance: Attackers enumerate SPNs to identify high-value service accounts and target them for credential extraction.

• Lateral Movement: Once credentials are cracked, attackers use them to move laterally to other systems or services within the network.

• Persistence: Attackers may target service accounts with non-expiring passwords or high privileges to maintain persistent access within the environment.

• Red Team Engagements and Penetration Tests: Kerberoasting is frequently simulated by penetration testers and red teams to assess an organization's security posture and Active Directory hygiene.

How this Technique is Usually Detected

Detection of Kerberoasting typically involves monitoring and analyzing various event logs and network activities:

• Event Log Analysis:

  • Monitor Kerberos Service Ticket requests (Event ID 4769) on Domain Controllers.

  • Identify abnormal or excessive requests for service tickets targeting multiple service accounts within short timeframes.

• Anomalous Behavior Detection:

  • Detect unusual patterns of service ticket requests originating from uncommon users or workstations.

  • Identify users requesting tickets for services they typically do not access.

• Monitoring of SPN Enumeration:

  • Detect enumeration attempts by monitoring LDAP queries or PowerShell execution logs for SPN enumeration commands.

• Use of Detection Tools and Frameworks:

  • Security Information and Event Management (SIEM) solutions (e.g., Splunk, QRadar, Elastic Security) with custom detection rules.

  • Endpoint Detection and Response (EDR) solutions (e.g., Microsoft Defender for Endpoint, CrowdStrike Falcon) monitoring suspicious process execution.

  • Network monitoring tools (Zeek/Bro, Suricata) to detect unusual Kerberos traffic patterns.

• Indicators of Compromise (IoCs):

  • Unusual Event ID 4769 logs with encryption type RC4 (0x17) requests.

  • Presence of known Kerberoasting tools (e.g., Rubeus, Mimikatz, Impacket) on endpoints.

  • Suspicious LDAP queries for SPN enumeration.

Why it is Important to Detect This Technique

Early detection of Kerberoasting is critical due to the significant potential impacts on systems and networks:

• Privilege Escalation: Compromised service account credentials often have elevated privileges, enabling attackers to escalate privileges and execute further attacks.

• Lateral Movement: Attackers can leverage cracked credentials to move laterally across the network, compromising additional systems.

• Persistence and Long-term Access: Service accounts often have non-expiring passwords, allowing attackers persistent access to critical network resources.

• Data Exfiltration Risk: Compromised privileged accounts can facilitate unauthorized access to sensitive data, leading to data breaches and compliance violations.

• Operational Disruption: Attackers may disrupt critical services or infrastructure once gaining control over privileged accounts.

• Difficulty in Remediation: Once attackers have valid credentials, remediation becomes more complex, requiring password resets, account audits, and significant incident response efforts.

Proactive detection reduces the window of opportunity for attackers, minimizes damage, and helps organizations maintain operational integrity and compliance.

Examples

Real-world examples and scenarios involving Kerberoasting include:

• APT29 (Cozy Bear):

  • Known to leverage Kerberoasting techniques to escalate privileges and move laterally within targeted environments.

  • Utilized tools such as Mimikatz to extract service tickets and credentials.

• FIN6 Threat Group:

  • Employed Kerberoasting to compromise point-of-sale (POS) systems in retail environments.

  • Cracked service account passwords to escalate privileges and deploy malware for financial gain.

• Penetration Testing and Red Team Engagements:

  • Tools commonly used in engagements include:

    • Mimikatz: Extracts Kerberos tickets from memory and performs Kerberoasting attacks.

    • Rubeus: Dedicated Kerberos abuse toolkit capable of performing multiple Kerberoasting methods.

    • Impacket Suite: Python-based tools (e.g., GetUserSPNs.py) used for Kerberos ticket extraction and offline cracking.

  • Demonstrated impacts include successful privilege escalation, lateral movement, and domain compromise.

• Publicly Documented Case Studies:

  • Numerous documented cases in security blogs, incident response reports, and public disclosures highlight Kerberoasting's effectiveness in real-world attacks.

  • Organizations have reported significant losses and operational disruptions due to undetected Kerberoasting attacks.

These examples highlight the importance of understanding Kerberoasting methods, detection strategies, and prevention measures to safeguard organizational assets.