Detecting Active Directory Kerberos Attacks: Threat Research Release, March 2022
The Splunk Threat Research Team recently developed a new analytic story, Active Directory Kerberos Attacks, to help security operations center (SOC) analysts detect adversaries abusing the Kerberos protocol to attack Windows Active Directory (AD) environments. In this blog post, we’ll describe some of the detection opportunities available to cyber defenders and highlight analytics from the analytic story.
Watch the video below where we simulate a few Kerberos attacks using open source tools like Rubeus, Kerbrute, and PurpleSharp. We then collect and analyze the resulting telemetry to test our detections using Splunk in a lab environment built with the Attack Range.
Introduction
Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third party. This trusted third-party, called the Kerberos Distribution Center, issues Kerberos tickets to allow clients access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003.
There are two types of Kerberos tickets: Ticket Granting Ticket (TGT) and Service Tickets (ST). TGTs are first issued to users as an authentication mechanism after submitting their passwords. Once users attempt to consume Kerberos-based services such as a network share or web server, the TGT is submitted to obtain an ST which the user then presents to initiate a session.
As the backbone of Active Directory authentication, Kerberos is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc. The analytic story presented in this blog post groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for behavior commonly presented when attackers engage in Kerberos-based attacks.
Telemetry and Logging
An important step for defenders trying to enhance their Kerberos attack coverage is to gain a good understanding of the available telemetry generated by Windows when Kerberos is used (or abused). This intelligence can drive our logging requirements as well as content prioritization.
The Windows advanced audit policy configuration provides defenders with two Kerberos logging categories: Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations. Both categories are disabled by default and provide six types of events generated only on domain controllers when specific actions occur. The following are the three most relevant events based on the techniques we tested:
Engaging in Kerberos attack techniques will also leave an audit trail in other data sources. The Splunk Threat Research Team (STRT) recommends defenders deploy a comprehensive logging strategy that includes Kerberos events as well as other complementing data sources such as Process and Command-Line, Network Events, local authentication events, application events, etc.
Active Directory Kerberos Attacks Analytic Story
This section describes common Kerberos attacks for which we wrote detections in the new analytic story. We are using ATT&CK Tactics to organize them. Note that this is a work in progress and does not cover all the existing Kerberos attack techniques. Feedback is welcome!
Discovery - TA0007
User Enumeration
Adversaries may abuse Kerberos to validate whether the usernames in a list belong to domain users. This validation can be stealthy as it does not actually generate failed authentication or lockout events. It can be accomplished by submitting a TGT request with no pre-authentication: if the KDC prompts for authentication, the user is valid.
Kerberos Delegation
Kerberos delegation is an impersonation capability that enables an application to access or consume resources hosted on a different server on behalf of users. While convenient, this Kerberos feature introduces new attack vectors that allow adversaries to abuse accounts or computers trusted for the delegation intending to steal Kerberos Ticket Granting Tickets or obtain unauthorized Kerberos Service Tickets.
This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify cmdlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation.
Credential Access - TA0006
AS-REP Roasting
Pre-Authentication is a Kerberos security feature by which users encrypt a timestamp with their secret (password) and send it to the KDC in order to request a TGT. Once the KDC validates the timestamp was encrypted with the right secret, it will issue the TGT. However, if pre-authentication is disabled, this step is skipped and adversaries are able to request a TGT for any domain user. This technique is called AS-REP roasting and it effectively allows an attacker to perform an offline brute force attack against a user’s password.
Kerberoasting
In Active Directory networks, Service Principal Names (SPNs) are used to uniquely identify an instance of a network service. To enable authentication, SPNs are typically associated with a domain service account. When users request a Kerberos Service Ticket for an SPN, part of this ticket is encrypted with the service account’s password hash.
This attack is known as Kerberoasting and allows adversaries to perform an offline brute force attack to attempt to obtain the service account's password.
Password Spraying
Password spraying is a technique by which adversaries leverage a single password or a small list of commonly used passwords against a large group of usernames to acquire valid account credentials. In an Active Directory environment, both the NTLM and Kerberos protocols can be used for this technique. Below are a few detection ideas for Kerberos.
For more detection opportunities, we encourage you to visit our Password Spraying analytic story.
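One way to express the Kerberos spraying pattern described above in code, as an added example that is not part of the original post or the analytic story: a single source failing Kerberos pre-authentication (EventCode 4771, Failure_Code 0x18, wrong password) against many distinct accounts. The event records and the classic Windows Security log field names are assumed; a brute force against one account and a disabled-account failure (0x12) are included to show what does not fire.

```python
from collections import defaultdict


def _ev(user, ip, code):
    # Constructed EventCode 4771 (Kerberos pre-authentication failed) record
    # using the classic Windows Security log field names (assumed naming).
    # Failure_Code 0x18 = KDC_ERR_PREAUTH_FAILED (bad password);
    # 0x12 = KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked).
    return {"EventCode": 4771, "TargetUserName": user,
            "IpAddress": ip, "Failure_Code": code}


SAMPLE_EVENTS = (
    # one source, one wrong password, six different accounts: a spray
    [_ev(u, "::ffff:10.0.0.50", "0x18")
     for u in ("alice", "bob", "carol", "dave", "eve", "frank")]
    # same source, an account that is disabled or locked: not a password guess
    + [_ev("svc_old", "::ffff:10.0.0.50", "0x12")]
    # another source hammering a single account: brute force, not a spray
    + [_ev("bob", "::ffff:10.0.0.77", "0x18")] * 4
    # an ordinary typo from a workstation
    + [_ev("carol", "::ffff:10.0.0.21", "0x18")]
)


def kerberos_spray_sources(events, min_users=5):
    """Return {source_ip: sorted distinct users} for every source that failed
    Kerberos pre-authentication with a wrong password against at least
    `min_users` different accounts. The threshold is a tuning knob; in a
    real deployment it is applied per time window (e.g. one hour)."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != 4771 or ev.get("Failure_Code") != "0x18":
            continue
        users_by_src[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    return {ip: sorted(users) for ip, users in users_by_src.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    for ip, users in kerberos_spray_sources(SAMPLE_EVENTS).items():
        print(f"possible Kerberos password spray from {ip}: {users}")
```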
Golden Ticket
The golden ticket attack is a technique used against Active Directory environments that allows adversaries to forge an arbitrary but valid Ticket Granting Ticket (TGT) as any domain user. This effectively allows attackers to impersonate any user, including high privileged users, and perform unauthorized actions on them. A golden ticket attack can only be executed if the attacker has obtained the NTLM hash password of a special domain account, krbtgt.
Lateral Movement - TA0008
Remote Code Execution
Once adversaries gain a foothold within an enterprise, they will seek to expand their access by leveraging techniques that facilitate lateral movement and remote code execution. Irrespective of the used technique (WMI, WinRM, SMB, etc), a lateral movement attack using the Kerberos protocol generates interesting events. For other detection ideas for lateral movement, make sure to visit our Active Directory Lateral Movement analytic story.
OverPass The Hash
Once adversaries compromise a Windows system with the highest privileges, they are able to dump credentials from memory to obtain clear text or hashed passwords. OverPass The Hash is a technique by which an attacker, who has obtained NTLM hash passwords, is able to authenticate to the Key Distribution Center using this hash and receive a valid Kerberos ticket (TGT) on behalf of the compromised user. This ticket can then be used to consume Kerberos-based services in the network.
This analytic leverages Event 4768 (A Kerberos authentication ticket (TGT) was requested) to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account can authenticate to the Kerberos Distribution Center (KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources.
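The ticket-request checks from this section and the AS-REP Roasting and Kerberoasting sections above, carried through as one added example (not code from the original post or the analytic story): RC4-HMAC (0x17) TGT requests as OverPass The Hash candidates, TGT requests without pre-authentication as AS-REP roasting candidates, and RC4 service tickets for user-managed SPNs as Kerberoasting candidates. The event records, the classic Windows Security log field names, and the exclusion of computer accounts and krbtgt from the service-ticket check are assumptions.

```python
# Constructed Windows Security events from a domain controller, using the
# classic field names (assumed naming). EventCode 4768 = TGT requested,
# 4769 = service ticket requested. Ticket_Encryption_Type 0x17 = RC4-HMAC,
# 0x12 = AES256-CTS-HMAC-SHA1-96. Pre_Authentication_Type 2 = encrypted
# timestamp supplied, 0 = logon without pre-authentication.
SAMPLE_EVENTS = [
    {"EventCode": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "Ticket_Encryption_Type": "0x12", "Pre_Authentication_Type": "2",
     "IpAddress": "::ffff:10.0.0.20"},
    {"EventCode": 4768, "TargetUserName": "admin.bob", "ServiceName": "krbtgt",
     "Ticket_Encryption_Type": "0x17", "Pre_Authentication_Type": "2",
     "IpAddress": "::ffff:10.0.0.99"},
    {"EventCode": 4768, "TargetUserName": "legacy.app", "ServiceName": "krbtgt",
     "Ticket_Encryption_Type": "0x17", "Pre_Authentication_Type": "0",
     "IpAddress": "::ffff:10.0.0.99"},
    {"EventCode": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "WS01$",
     "Ticket_Encryption_Type": "0x17", "IpAddress": "::ffff:10.0.0.20"},
    {"EventCode": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_sql",
     "Ticket_Encryption_Type": "0x17", "IpAddress": "::ffff:10.0.0.99"},
    {"EventCode": 4769, "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "svc_web",
     "Ticket_Encryption_Type": "0x12", "IpAddress": "::ffff:10.0.0.20"},
]


def kerberos_ticket_findings(events):
    """Return (label, requesting account, context) tuples for ticket requests
    that match the three Kerberos credential-access patterns."""
    findings = []
    for ev in events:
        code, user, svc = ev["EventCode"], ev["TargetUserName"], ev["ServiceName"]
        rc4 = ev.get("Ticket_Encryption_Type") == "0x17"
        if code == 4768:
            if ev.get("Pre_Authentication_Type") == "0":
                # TGT issued with no pre-auth: the account is AS-REP roastable
                findings.append(("asrep_roasting_candidate", user, ev["IpAddress"]))
            elif rc4:
                # RC4 TGT request where AES is the norm: OverPass The Hash indicator
                findings.append(("overpass_the_hash_candidate", user, ev["IpAddress"]))
        elif code == 4769 and rc4:
            # RC4 service ticket for a user-managed SPN: Kerberoasting indicator.
            # Computer accounts ($) and krbtgt (TGT renewals) are excluded (assumed).
            if not (svc.endswith("$") or svc.lower() == "krbtgt"):
                findings.append(("kerberoasting_candidate", user, svc))
    return findings


if __name__ == "__main__":
    for label, user, context in kerberos_ticket_findings(SAMPLE_EVENTS):
        print(f"{label}: {user} ({context})")
```

In production the RC4 checks need an allow-list for accounts and hosts that legitimately still negotiate RC4, otherwise legacy systems generate steady noise.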
Pass The Ticket
Adversaries who have obtained system privileges on a Windows host are able to export the valid Kerberos Ticket Granting Tickets as well as Kerberos Service Tickets that reside in memory. In the scenario that a high-privileged account has an active session on the compromised host, tickets can be dumped and reused to consume services and resources on the network in a similar way to the Pass The Hash NTLM attack.
Privilege Escalation - TA0004
SamAccountName Spoofing & Domain Controller Impersonation
On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory domain controllers: sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). These vulnerabilities allow an adversary with access to low-privileged domain user credentials to obtain a Kerberos Service Ticket for a Domain Controller computer account. This effectively allows a regular domain user to take control of a domain controller.
Exploitation for Privilege Escalation
In June 2021, Will Schroeder and Lee Christensen released the whitepaper “Certified Pre-Owned: Abusing Active Directory Certificate Services” which described scenarios to abuse Microsoft’s PKI implementation called Active Directory Certificate Services. Combined with PetitPotam, a tool that abuses native services to coerce Windows computers to authenticate to malicious endpoints, attackers can escalate their privileges in an Active Directory network. For more information, visit this analytic story.
Datasets
Following the Splunk Threat Research Team’s methodology to create and test the detections released in every analytic story, we simulated all the Kerberos-based attacks in a lab environment built with the Attack Range and stored the resulting telemetry in the Attack Data project.
Defenders can leverage these datasets to build or test their detections. In this section, we present a summary table containing links to the most relevant datasets. Certain attacks point to more than one dataset as we simulate the same technique in more than one way to enhance detection resilience.
Learn more
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update.
For a full list of security content, check out the release notes on Splunk Docs.
Feedback
Any feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.
Author and Contributors
Credit to author Mauricio Velazco and collaborators Michael Haag, Patrick Bareis, Jose Hernandez, Teoderick Contreras, Eric McGinnis, Rod Soto, and Lou Stella.