Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in <code>klist</code> utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes, especially for Kerberos authentication process, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to steal or forge kerberos tickets.
References
|
| PR.AA-05.03 | Service accounts | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.
References
|
| ID.AM-08.03 | Data governance and lifecycle management | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets to enforce unauthorized access. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| PR.AA-01.02 | Physical and logical access | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement describes how the organization ensures users are identified and authenticated before accessing systems, applications, and hardware, with logical access controls permitting access only to authorized individuals with legitimate business needs. Logical access controls in relation to systems can refer to the use of MFA, user account management, and other role-based access control mechanisms to enforce policies for authentication and authorization of user accounts.
References
|
| PR.AA-03.01 | Authentication requirements | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement describes how the organization implement appropriate authentication requirements, including selecting mechanisms based on risk, utilizing multi-factor authentication where necessary, and safeguarding the storage of authenticators like pins and passwords to protect sensitive access credentials.
References
|
| ID.AM-08.05 | Data destruction procedures | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement prevents adversaries from being able to steal data in transit between networks by accessing Wi-Fi access points and abusing Kerberos by stealing tickets to enforce unauthorized access. There may be some similarities to NIST 800-53 SI-12 Information Management and Retention. This may provide mitigation of data access/exfiltration techniques.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1558 | Steal or Forge Kerberos Tickets |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1558 | Steal or Forge Kerberos Tickets |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| alerts_for_windows_machines | Alerts for Windows Machines | technique_scores | T1558 | Steal or Forge Kerberos Tickets |
Comments
This control's detection is specific to a minority of this technique's sub-techniques resulting in a Minimal Coverage score and consequently an overall score of Minimal.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1558 | Steal or Forge Kerberos Tickets |
Comments
This control only covers one procedure for one of this technique's sub-techniques, resulting in an overall Minimal score.
References
|
| Technique ID | Technique Name | Number of Mappings |
|---|---|---|
| T1558.005 | Ccache Files | 15 |
| T1558.004 | AS-REP Roasting | 27 |
| T1558.001 | Golden Ticket | 16 |
| T1558.002 | Silver Ticket | 29 |
| T1558.003 | Kerberoasting | 33 |