T1558 Steal or Forge Kerberos Tickets Mappings

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as "realms", there are three basic participants: the client, the service, and the Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) A client requests access to a service and, through an exchange of Kerberos tickets issued by the KDC, is granted access once it has authenticated successfully. The KDC is responsible for both authentication and ticket granting. Because a ticket is trusted on the strength of the key it is encrypted with (the krbtgt key for a TGT, the service account's key for a service ticket), an adversary who steals a valid ticket from a cache, or who obtains one of those keys and forges a ticket, can present it for unauthorized access without ever knowing the user's password.

On Windows, the built-in <code>klist</code> utility can be used to list and inspect the cached Kerberos tickets of the current logon session, including each ticket's client and server principals, encryption type, flags, and start, end, and renew-until times.(Citation: Microsoft Klist)

Linux systems joined to Active Directory domains store Kerberos credentials locally in a credential cache file referred to as the "ccache". Credentials are kept in the ccache while they remain valid, generally for the duration of a user's session.(Citation: MIT ccache) On modern Red Hat Enterprise Linux systems and derivative distributions, the System Security Services Daemon (SSSD) handles Kerberos tickets through its Kerberos Cache Manager (KCM) service rather than a plain file. By default SSSD keeps the ticket database in <code>/var/lib/sss/secrets/secrets.ldb</code>, with the corresponding encryption key in <code>/var/lib/sss/secrets/.secrets.mkey</code>. Both files require root access to read. If an adversary can read the database and the key, the Kerberos credential blobs can be decrypted and written out as a standard ccache file that the adversary may then use for Pass the Ticket. A ccache file may also be converted into a Windows format (.kirbi) using tools such as Kekeo.(Citation: Linux Kerberos Tickets)(Citation: Brining MimiKatz to Unix)(Citation: Kekeo)

Kerberos tickets on macOS are stored in the same standard ccache format used on Linux. By default, access to these ccache entries is brokered by the KCM daemon process via Mach RPC, which uses the caller's environment to determine access. Where the entries are stored is governed by the <code>/etc/krb5.conf</code> configuration file and the <code>KRB5CCNAME</code> environment variable, which can direct them to a file on disk or keep them behind the KCM daemon. Users can interact with ticket storage using the <code>kinit</code>, <code>klist</code>, <code>ktutil</code>, and <code>kcc</code> built-in binaries or via Apple's native Kerberos framework. Adversaries can use open source tools to read the ccache files directly, or to call the Kerberos framework's lower-level APIs to extract the user's TGT or service tickets.(Citation: SpectorOps Bifrost Kerberos macOS 2019)(Citation: macOS kerberos framework MIT)
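The Linux and macOS paragraphs above both come down to the same on-disk structure: an MIT-format ccache holding a default principal followed by one credential per ticket. The parser below is an added example written for this page, not code from ATT&CK or from any of the cited tools (Bifrost, Kekeo, or the MIT libraries). It follows the MIT ccache version 4 layout (big-endian integers; counted octet strings as a 32-bit length plus data; principals as name type, component count, realm, components; a version-4 keyblock as a 16-bit enctype plus a counted octet string), builds a sample cache inline with a constructed placeholder ticket, and then applies the check a responder usually wants on a recovered cache: tickets whose lifetime is far beyond domain policy, which a KDC does not issue but forging tools routinely do. The 10-hour threshold, the realm name, and the principals are assumptions for the example.

```python
"""Parse an MIT Kerberos ccache (version 4) and flag implausibly long-lived tickets.

Added example; not code from the ATT&CK page or any cited tool. Layout per the
MIT ccache file format: big-endian integers, counted octet string = u32 length
+ bytes, principal = u32 name_type, u32 ncomp, realm, components, and a v4
keyblock = u16 enctype + counted octet string (v3 repeats the enctype).
The sample cache and its ticket bytes are constructed here, not captured.
"""
import struct
from dataclasses import dataclass

CCACHE_V4 = b"\x05\x04"
TAG_DELTATIME = 1
NT_PRINCIPAL = 1
ETYPE_AES256_CTS_HMAC_SHA1_96 = 18
# Ticket flag bits as laid out in the ccache ticket_flags word.
FORWARDABLE, RENEWABLE, INITIAL, PRE_AUTHENT = 0x40000000, 0x00800000, 0x00400000, 0x00200000


@dataclass
class Credential:
    client: str
    server: str
    enctype: int
    key: bytes
    authtime: int
    starttime: int
    endtime: int
    renew_till: int
    flags: int
    ticket: bytes        # opaque DER Ticket as stored; not decoded here

    @property
    def lifetime_hours(self) -> float:
        return (self.endtime - self.starttime) / 3600


class _Reader:
    """Bounds-checked cursor over the ccache bytes."""

    def __init__(self, data: bytes) -> None:
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ccache")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u16(self) -> int:
        return struct.unpack(">H", self.take(2))[0]

    def u32(self) -> int:
        return struct.unpack(">I", self.take(4))[0]

    def cstr(self) -> bytes:
        return self.take(self.u32())

    def principal(self) -> str:
        _name_type, ncomp = self.u32(), self.u32()
        realm = self.cstr().decode()
        return "/".join(self.cstr().decode() for _ in range(ncomp)) + "@" + realm


def parse_ccache(data: bytes) -> tuple[str, list[Credential]]:
    """Return (default principal, credentials) from a version-4 ccache."""
    r = _Reader(data)
    if r.take(2) != CCACHE_V4:
        raise ValueError("only ccache version 4 is handled here")
    r.take(r.u16())                          # header block (DeltaTime tag etc.), skipped
    default_principal = r.principal()
    creds: list[Credential] = []
    while r.pos < len(r.data):
        client, server = r.principal(), r.principal()
        enctype, key = r.u16(), r.cstr()
        authtime, starttime, endtime, renew_till = struct.unpack(">IIII", r.take(16))
        r.take(1)                            # is_skey
        flags = r.u32()
        for _ in range(r.u32()):             # addresses: u16 addrtype + counted string
            r.u16(); r.cstr()
        for _ in range(r.u32()):             # authdata: u16 adtype + counted string
            r.u16(); r.cstr()
        ticket, _second_ticket = r.cstr(), r.cstr()
        creds.append(Credential(client, server, enctype, key, authtime, starttime,
                                endtime, renew_till, flags, ticket))
    return default_principal, creds


def long_lived(creds: list[Credential], max_hours: float = 10.0) -> list[str]:
    """Servers of tickets whose lifetime exceeds max_hours. 10 h is the stock AD
    'Maximum lifetime for user ticket'; an assumed threshold, tune it per domain."""
    return [c.server for c in creds if c.lifetime_hours > max_hours]


# --- builder used only to construct the sample cache below ------------------
def _cstr(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def _principal(realm: str, *components: str) -> bytes:
    out = struct.pack(">II", NT_PRINCIPAL, len(components)) + _cstr(realm.encode())
    return out + b"".join(_cstr(c.encode()) for c in components)


def _credential(client: bytes, server: bytes, key: bytes, times: tuple, flags: int, ticket: bytes) -> bytes:
    out = client + server + struct.pack(">H", ETYPE_AES256_CTS_HMAC_SHA1_96) + _cstr(key)
    out += struct.pack(">IIII", *times) + b"\x00" + struct.pack(">I", flags)
    return out + struct.pack(">II", 0, 0) + _cstr(ticket) + _cstr(b"")   # no addrs/authdata


NOW = 1_700_000_000                          # fixed epoch so the sample is reproducible
REALM = "CORP.EXAMPLE"                       # assumed realm
SAMPLE_TICKET = b"\x61\x00PLACEHOLDER-DER-TICKET"   # constructed, not a real ticket


def build_sample_ccache() -> bytes:
    header = struct.pack(">HHii", TAG_DELTATIME, 8, 0, 0)
    alice = _principal(REALM, "alice")
    out = CCACHE_V4 + struct.pack(">H", len(header)) + header + alice
    # Normal TGT: 10-hour lifetime, renewable for a week.
    out += _credential(alice, _principal(REALM, "krbtgt", REALM), b"\x11" * 32,
                       (NOW, NOW, NOW + 10 * 3600, NOW + 7 * 86400),
                       FORWARDABLE | RENEWABLE | INITIAL | PRE_AUTHENT, SAMPLE_TICKET)
    # Service ticket valid for ten years: no KDC under default policy issues
    # this, so a forged ticket is the likelier explanation.
    out += _credential(alice, _principal(REALM, "cifs", "fileserver.corp.example"), b"\x22" * 32,
                       (NOW, NOW, NOW + 10 * 365 * 86400, NOW + 10 * 365 * 86400),
                       FORWARDABLE | RENEWABLE | PRE_AUTHENT, SAMPLE_TICKET)
    return out


if __name__ == "__main__":
    who, creds = parse_ccache(build_sample_ccache())
    print("default principal:", who)
    for c in creds:
        print(f"{c.server:45s} etype={c.enctype} lifetime={c.lifetime_hours:.1f}h flags=0x{c.flags:08x}")
    print("suspicious:", long_lived(creds))
```

On a real host the input is the file named by <code>KRB5CCNAME</code> (or <code>/tmp/krb5cc_&lt;uid&gt;</code>) on Linux, an exported cache on macOS, or, in the SSSD KCM case described above, the blob recovered from <code>secrets.ldb</code> after it has been decrypted with <code>.secrets.mkey</code> and written back out as a FILE-type ccache. The parser deliberately rejects anything other than version 4 and fails on truncation rather than guessing, since a half-read cache is exactly what a crashed exfiltration tool or a partially overwritten file leaves behind.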


Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1558 Steal or Forge Kerberos Tickets
AC-17 Remote Access Protects T1558 Steal or Forge Kerberos Tickets
AC-18 Wireless Access Protects T1558 Steal or Forge Kerberos Tickets
AC-19 Access Control for Mobile Devices Protects T1558 Steal or Forge Kerberos Tickets
AC-2 Account Management Protects T1558 Steal or Forge Kerberos Tickets
AC-3 Access Enforcement Protects T1558 Steal or Forge Kerberos Tickets
AC-5 Separation of Duties Protects T1558 Steal or Forge Kerberos Tickets
AC-6 Least Privilege Protects T1558 Steal or Forge Kerberos Tickets
CA-7 Continuous Monitoring Protects T1558 Steal or Forge Kerberos Tickets
CM-2 Baseline Configuration Protects T1558 Steal or Forge Kerberos Tickets
CM-5 Access Restrictions for Change Protects T1558 Steal or Forge Kerberos Tickets
CM-6 Configuration Settings Protects T1558 Steal or Forge Kerberos Tickets
IA-2 Identification and Authentication (Organizational Users) Protects T1558 Steal or Forge Kerberos Tickets
IA-5 Authenticator Management Protects T1558 Steal or Forge Kerberos Tickets
SC-4 Information in Shared System Resources Protects T1558 Steal or Forge Kerberos Tickets
SI-12 Information Management and Retention Protects T1558 Steal or Forge Kerberos Tickets
SI-3 Malicious Code Protection Protects T1558 Steal or Forge Kerberos Tickets
SI-4 System Monitoring Protects T1558 Steal or Forge Kerberos Tickets
SI-7 Software, Firmware, and Information Integrity Protects T1558 Steal or Forge Kerberos Tickets
action.hacking.variety.Use of stolen creds Use of stolen or default authentication credentials (including credential stuffing) related-to T1558 Steal or Forge Kerberos Tickets

ATT&CK Subtechniques

Technique ID Technique Name Number of Mappings
T1558.004 AS-REP Roasting 23
T1558.001 Golden Ticket 10
T1558.002 Silver Ticket 20
T1558.003 Kerberoasting 20