Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015)
Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service(Citation: Microsoft Detecting Kerberoasting Feb 2018)).(Citation: Microsoft SPN)(Citation: Microsoft SetSPN)(Citation: SANS Attacking Kerberos Nov 2014)(Citation: Harmj0y Kerberoast Nov 2016)
Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).(Citation: Empire InvokeKerberoast Oct 2016)(Citation: AdSecurity Cracking Kerberos Dec 2015) Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.(Citation: AdSecurity Cracking Kerberos Dec 2015)(Citation: Empire InvokeKerberoast Oct 2016) (Citation: Harmj0y Kerberoast Nov 2016)
This same behavior could be executed using service tickets captured from network traffic.(Citation: AdSecurity Cracking Kerberos Dec 2015)
Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.(Citation: SANS Attacking Kerberos Nov 2014)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| PR.IR-01.05 | Remote access protection | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement implements security controls and restrictions for remote user access to systems. Remote user access control involves managing and securing how users remotely access systems, such as through encrypted connections and account use policies, which help prevent adversary access.
References
|
| PR.AA-05.02 | Privileged system access | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement protects against Kerberoasting through the use of privileged account management and the use of multi-factor authentication.
References
|
| DE.CM-06.02 | Third-party access monitoring | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement protects against Kerberoasting through the use of privileged account management. Employing auditing, privilege access management, and just in time access protects against adversaries trying to obtain illicit access to critical systems.
References
|
| PR.PS-01.06 | Encryption management practices | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement is associated with employing encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets with kerberoasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
References
|
| PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement protects against Steal or Forge Kerberos Tickets: Kerberoasting through the use of revocation of keys and key management. Employing key protection strategies for key material used in identity management and authentication processes, limitations to specific accounts along with access control mechanisms provides protection against adversaries trying to perform Kerbeoasting.
References
|
| PR.AA-05.03 | Service accounts | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement describes security controls implemented for service accounts (i.e., accounts used by systems to access other systems). Limit service accounts to minimal required privileges to mitigate attempts to steal or forge Kerberos tickets.
References
|
| PR.AA-01.01 | Identity and credential management | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement protects against Kerberoasting through the use of hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
References
|
| PR.PS-01.05 | Encryption standards | Mitigates | T1558.003 | Kerberoasting |
Comments
This diagnostic statement is associated with employing strong encryption methods to mitigate unauthorized access or theft of data that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit. To address threats to the theft or forgery of kerberos tickets with kerberoasting, enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.malware.variety.Capture stored data | Capture data stored on system disk | related-to | T1558.003 | Kerberoasting | |
| action.malware.variety.Export data | Export data to another site or system | related-to | T1558.003 | Kerberoasting | |
| action.malware.variety.Password dumper | Password dumper (extract credential hashes) | related-to | T1558.003 | Kerberoasting | |
| attribute.confidentiality.data_disclosure | None | related-to | T1558.003 | Kerberoasting | |
| action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1558.003 | Kerberoasting |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| microsoft_sentinel | Microsoft Sentinel | technique_scores | T1558.003 | Kerberoasting |
Comments
Microsoft Sentinel Analytics includes a "Potential Kerberoasting" query. Kerberoasting via Empire can also be detected using the Microsoft Sentinel Analytics "Powershell Empire cmdlets seen in command line" query.
References
|
| defender_for_app_service | Microsoft Defender for Cloud: Defender for App Service | technique_scores | T1558.003 | Kerberoasting |
Comments
This control analyzes host data to detect execution of known malicious PowerShell PowerSploit cmdlets. This covers execution of this sub-technique via the Invoke-Kerberoast module, but does not address other procedures, and temporal factor is unknown, resulting in a Minimal score.
References
|
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1558.003 | Kerberoasting |
Comments
This control's "Suspected Kerberos SPN exposure (external ID 2410)" alert is able to detect when an attacker use tools to enumerate service accounts and their respective SPNs (Service principal names), request a Kerberos service ticket for the services, capture the Ticket Granting Service (TGS) tickets from memory and extract their hashes, and save them for later use in an offline brute force attack.
Similarly its "Suspected AS-REP Roasting attack (external ID 2412)" alert is able to detect AS-REP Roasting sub-technique.
The accuracy of these alerts is unknown and therefore its score has been assessed as Partial.
References
|
| DEF-SECA-E3 | Security Alerts | Technique Scores | T1558.003 | Kerberoasting |
Comments
Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.
Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:
Reconnaissance and discovery alerts
Persistence and privilege escalation alerts
Credential access alerts
Lateral movement alerts
Other alerts
License: A Microsoft 365 security product license entitles customer use
of Microsoft Defender XDR.
References
|
| EID-IDSS-E3 | Identity Secure Score | Technique Scores | T1558.003 | Kerberoasting |
Comments
This control's "Modify unsecure Kerberos delegations to prevent impersonation" recommendation promotes running the "Unsecure Kerberos delegation" report that can identify accounts that have unsecure Kerberos delegation configured. Unsecured Kerberos delegation can lead to exposing account TGTs to more hosts resulting in an increased attack surface for Kerberoasting. Due to this control providing a recommendation its score is capped at Partial.
References
|