
Detecting Active Directory Kerberos Attacks: Threat Research Release, March 2022

The Splunk Threat Research Team recently developed a new analytic story, Active Directory Kerberos Attacks, to help security operations center (SOC) analysts detect adversaries abusing the Kerberos protocol to attack Windows Active Directory (AD) environments. In this blog post, we’ll describe some of the detection opportunities available to cyber defenders and highlight analytics from the analytic story.

Watch the video below where we simulate a few Kerberos attacks using open source tools like Rubeus, Kerbrute, and PurpleSharp. We then collect and analyze the resulting telemetry to test our detections using Splunk in a lab environment built with the Attack Range.

Introduction

Kerberos, named after the three-headed dog of Greek mythology (Cerberus in Latin), is a network authentication protocol that allows computers and users to prove their identity through a trusted third party. This trusted third party, the Key Distribution Center (KDC), issues Kerberos tickets that grant clients access to services and network resources according to their privileges. In Windows Active Directory every domain controller runs the KDC service, and Kerberos has been the default authentication protocol for AD domains since Windows 2000.

There are two types of Kerberos tickets: the Ticket Granting Ticket (TGT) and the Service Ticket (ST). A TGT is issued to a user after the KDC's Authentication Service verifies the user's credentials (by default, a pre-authentication timestamp encrypted with a key derived from the password). When the user then accesses a Kerberos-enabled service such as a network share or web server, the client presents the TGT to the KDC's Ticket Granting Service to obtain an ST for that service, and presents the ST to the service to initiate a session.

As the backbone of Active Directory authentication, Kerberos is commonly abused by adversaries across the different phases of a breach, including initial access, privilege escalation, defense evasion, credential access and lateral movement. The analytic story presented in this blog post groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for behavior commonly observed when attackers engage in Kerberos-based attacks.

Telemetry and Logging

An important step for defenders trying to enhance their Kerberos attack coverage is to gain a good understanding of the available telemetry generated by Windows when Kerberos is used (or abused). This intelligence can drive our logging requirements as well as content prioritization.

The Windows advanced audit policy configuration provides defenders with two Kerberos logging subcategories, Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations, both under the Account Logon category. Together they cover six event IDs, and the events are generated only on domain controllers, so member servers and workstations will not produce them. Confirm with auditpol that both subcategories log Success and Failure on every domain controller; a Success-only setting misses the failure codes that several of the analytics below rely on. The following are the three most relevant events based on the techniques we tested:

Event Code   Description
4768         A Kerberos authentication ticket (TGT) was requested
4769         A Kerberos service ticket (ST) was requested
4771         Kerberos pre-authentication failed

Engaging in Kerberos attack techniques will also leave an audit trail in other data sources. The Splunk Threat Research Team (STRT) recommends that defenders deploy a comprehensive logging strategy that includes Kerberos events as well as complementary data sources such as process and command-line telemetry (Sysmon or Windows Security 4688), PowerShell Script Block Logging, network events, local authentication events and application events; several of the analytics below depend on those sources rather than on the Kerberos events themselves.

Active Directory Kerberos Attacks Analytic Story

This section describes common Kerberos attacks for which we wrote detections in the new analytic story. We are using ATT&CK Tactics to organize them. Note that this is a work in progress and does not cover all the existing Kerberos attack techniques. Feedback is welcome!

Discovery - TA0007


User Enumeration

Adversaries may abuse Kerberos to check whether each name in a list is a valid domain user. The check is stealthy because it generates no failed logon (4771/4625) or lockout events: the attacker sends a TGT request (AS-REQ) with no pre-authentication data. If the KDC answers KDC_ERR_PREAUTH_REQUIRED, the user exists; if it answers KDC_ERR_C_PRINCIPAL_UNKNOWN, it does not.

Kerberos User Enumeration (T1589.002, Discovery)
This analytic leverages Event ID 4768, A Kerberos authentication ticket (TGT) was requested, to identify one source endpoint requesting an unusual number of TGTs for non-existent users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When the KDC receives a TGT request without pre-authentication for an invalid username, it responds with KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6), which is recorded in the Result Code field of the 4768 event.

Kerberos Delegation

Kerberos delegation is an impersonation capability that lets a service access resources on a different server on behalf of the user who authenticated to it. While convenient, this feature introduces new attack vectors: an adversary who controls an account or computer trusted for delegation can harvest the TGTs that unconstrained delegation caches on that host, or use constrained delegation to obtain service tickets as other users for the delegated services. Discovering which accounts are trusted for delegation is therefore a common first step, and that discovery is what the analytics below target.

Windows PowerView Unconstrained Delegation Discovery (T1018, Discovery)
This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify cmdlets used by the PowerView hacking tool to discover Windows endpoints with Kerberos Unconstrained Delegation.

Windows Get-ADComputer Unconstrained Delegation Discovery (T1018, Discovery)
This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer cmdlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation.

Windows PowerView Constrained Delegation Discovery (T1018, Discovery)
This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify cmdlets used by the PowerView hacking tool to discover Windows endpoints with Kerberos Constrained Delegation.


Credential Access - TA0006


AS-REP Roasting

Pre-authentication is a Kerberos security feature by which the client encrypts a timestamp with the user's secret key (derived from the password) and sends it to the KDC when requesting a TGT. Once the KDC validates that the timestamp was encrypted with the right key, it issues the TGT. If pre-authentication is disabled for an account (the DONT_REQ_PREAUTH flag in userAccountControl), this step is skipped and anyone on the network can request a TGT for that account; the KDC's reply (AS-REP) contains material encrypted with the user's key, which the adversary can brute force offline. This technique is called AS-REP roasting. The analytics below cover both the discovery of such accounts and the act of disabling pre-authentication on one.

Disabled Kerberos Pre-Authentication Discovery With Get-ADUser (T1558.004, Credential Access)
This analytic identifies the execution of the Get-ADUser cmdlet with specific parameters. Get-ADUser is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, Get-ADUser is used to query for domain users. With the appropriate parameters (a filter on DoesNotRequirePreAuth), Get-ADUser allows adversaries to discover domain accounts with Kerberos pre-authentication disabled.

Disabled Kerberos Pre-Authentication Discovery With PowerView (T1558.004, Credential Access)
This analytic identifies the execution of the Get-DomainUser cmdlet with specific parameters. Get-DomainUser is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, Get-DomainUser is used to identify domain users, and combining it with -PreauthNotRequired allows adversaries to discover domain accounts with Kerberos pre-authentication disabled.

Kerberos Pre-Authentication Flag Disabled in UserAccountControl (T1558.004, Credential Access)
This analytic leverages Windows Security Event 4738, A user account was changed, to identify a change to a domain user object that disables Kerberos pre-authentication. Disabling the pre-authentication flag in the UserAccountControl property allows an adversary to easily perform an offline brute force attack against the user's password using the AS-REP roasting technique.

Kerberos Pre-Authentication Flag Disabled with PowerShell (T1558.004, Credential Access)
This analytic identifies the execution of the Set-ADAccountControl cmdlet with specific parameters. As the name suggests, Set-ADAccountControl is used to modify User Account Control values for an Active Directory domain account. With the appropriate parameters, Set-ADAccountControl allows adversaries to disable Kerberos pre-authentication for an account.
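The delegation-discovery analytics above and the four pre-authentication analytics in this section all read the same two sources: PowerShell Script Block Logging (4104) and the account-change event 4738. The following Python is an added example, not STRT's SPL, that runs that detection logic over constructed sample events. The field names (ScriptBlockText, User_Account_Control, Target_User_Name) mirror Splunk's extraction of these events, the regular expressions are this example's own, and the rendered text "'Don't Require Preauth' - Enabled" in the 4738 sample is an assumption about how the UAC change is displayed.

```python
import re

# Constructed sample events. Field names mirror the way Splunk extracts Windows
# PowerShell 4104 and Security 4738 events (an assumption of this example).
SAMPLE_EVENTS = [
    {"EventCode": "4104", "Computer": "WS01", "ScriptBlockText":
     "Get-ADComputer -Filter {TrustedForDelegation -eq $true} -Properties TrustedForDelegation"},
    {"EventCode": "4104", "Computer": "WS01", "ScriptBlockText":
     "Get-DomainComputer -Unconstrained -Properties dnshostname"},
    {"EventCode": "4104", "Computer": "WS02", "ScriptBlockText":
     "Get-DomainComputer -TrustedToAuth -Properties msds-allowedtodelegateto"},
    {"EventCode": "4104", "Computer": "WS02", "ScriptBlockText":
     "Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} -Properties DoesNotRequirePreAuth"},
    {"EventCode": "4104", "Computer": "WS02", "ScriptBlockText":
     "Get-DomainUser -PreauthNotRequired -Verbose"},
    {"EventCode": "4104", "Computer": "WS03", "ScriptBlockText":
     "Set-ADAccountControl -Identity svc-legacy -DoesNotRequirePreAuth $true"},
    # Benign administrative lookup: must not match any rule.
    {"EventCode": "4104", "Computer": "WS04", "ScriptBlockText":
     "Get-ADUser -Identity jsmith -Properties mail"},
    # 4738: DONT_REQ_PREAUTH enabled on svc-legacy (rendered UAC text is an assumption).
    {"EventCode": "4738", "Computer": "DC01", "Target_User_Name": "svc-legacy",
     "Subject_User_Name": "jsmith",
     "User_Account_Control": "'Don't Require Preauth' - Enabled"},
    # 4738 touching an unrelated flag: must not match.
    {"EventCode": "4738", "Computer": "DC01", "Target_User_Name": "bob",
     "Subject_User_Name": "helpdesk",
     "User_Account_Control": "'Password Not Required' - Disabled"},
]

# (analytic name, ATT&CK technique, pattern over the script block text).
# Patterns are deliberately loose on ordering so parameters can appear anywhere.
SCRIPT_BLOCK_RULES = [
    ("Windows Get-ADComputer Unconstrained Delegation Discovery", "T1018",
     re.compile(r"Get-ADComputer\b.*TrustedForDelegation", re.I | re.S)),
    ("Windows PowerView Unconstrained Delegation Discovery", "T1018",
     re.compile(r"Get-(Domain|Net)Computer\b.*-Unconstrained", re.I | re.S)),
    ("Windows PowerView Constrained Delegation Discovery", "T1018",
     re.compile(r"Get-(Domain|Net)(Computer|User)\b.*-TrustedToAuth", re.I | re.S)),
    ("Disabled Kerberos Pre-Authentication Discovery With Get-ADUser", "T1558.004",
     re.compile(r"Get-ADUser\b.*DoesNotRequirePreAuth", re.I | re.S)),
    ("Disabled Kerberos Pre-Authentication Discovery With PowerView", "T1558.004",
     re.compile(r"Get-(Domain|Net)User\b.*-PreauthNotRequired", re.I | re.S)),
    ("Kerberos Pre-Authentication Flag Disabled with PowerShell", "T1558.004",
     re.compile(r"Set-ADAccountControl\b.*-DoesNotRequirePreAuth\s+\$?true", re.I | re.S)),
]

PREAUTH_ENABLED_RX = re.compile(r"Don'?t Require Preauth'?\s*-\s*Enabled", re.I)


def match_script_blocks(events):
    """Return one hit per (4104 event, rule) pair whose script block matches."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != "4104":
            continue
        text = ev.get("ScriptBlockText", "")
        for name, technique, rx in SCRIPT_BLOCK_RULES:
            if rx.search(text):
                hits.append({"rule": name, "technique": technique,
                             "host": ev.get("Computer"), "text": text})
    return hits


def preauth_disabled_changes(events):
    """4738 events whose UAC change set the 'Don't Require Preauth' flag."""
    return [
        {"target": ev["Target_User_Name"], "by": ev["Subject_User_Name"], "host": ev["Computer"]}
        for ev in events
        if ev.get("EventCode") == "4738"
        and PREAUTH_ENABLED_RX.search(ev.get("User_Account_Control", ""))
    ]


if __name__ == "__main__":
    for hit in match_script_blocks(SAMPLE_EVENTS):
        print(f"{hit['technique']} {hit['host']}: {hit['rule']}")
    for change in preauth_disabled_changes(SAMPLE_EVENTS):
        print(f"4738 on {change['host']}: {change['by']} disabled pre-auth for {change['target']}")
```

Script Block Logging records the text after obfuscation is removed, so these patterns catch encoded or string-built invocations as long as the final cmdlet text is what runs; they will not catch a tool that queries LDAP directly, which is why the 4738 check on the domain controller is the more durable of the two.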



Kerberoasting

In Active Directory networks, Service Principal Names (SPNs) uniquely identify an instance of a network service, and to enable Kerberos authentication an SPN is registered on the account that runs the service, often a domain user account used as a service account. When any authenticated user requests a Kerberos service ticket for an SPN, part of that ticket is encrypted with the service account's key (derived from its password). An adversary can therefore request tickets for every user account that has an SPN and brute force the service account passwords offline. This attack is known as Kerberoasting.

Kerberoasting spn request with RC4 encryption (T1558.003, Credential Access)
This analytic identifies a potential Kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request Kerberos service tickets for domain accounts typically used as service accounts and crack them offline, potentially obtaining privileged access to the domain. This analytic looks for service ticket requests with RC4 encryption combined with the Ticket_Options values observed from common Kerberoasting tools, since RC4-encrypted tickets are much cheaper to crack than AES ones.

ServicePrincipalNames Discovery with PowerShell (T1558.003, Credential Access)
This analytic identifies powershell.exe usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principal Names. Typically, this is a precursor activity related to Kerberoasting or the silver ticket attack.

ServicePrincipalNames Discovery with SetSPN (T1558.003, Credential Access)
This analytic identifies setspn.exe usage related to querying the domain for Service Principal Names. Typically, this is a precursor activity related to Kerberoasting or the silver ticket attack.

Unusual Number of Kerberos Service Tickets Requested (T1558.003, Credential Access)
This hunting analytic leverages Kerberos Event 4769, A Kerberos service ticket was requested, to identify a potential Kerberoasting attack against Active Directory networks. The detection counts service ticket requests per host, computes the mean and standard deviation of those counts, and flags hosts more than three standard deviations above the mean (the 3-sigma rule).
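The first analytic in this group is a filter rather than a statistic, and the exclusions matter as much as the match. The following Python is an added example, not STRT's SPL, that applies that filter to constructed 4769 records: keep successful requests with Ticket_Encryption_Type 0x17 (RC4-HMAC) and tool-like Ticket_Options, drop computer-account services (their passwords are long and random, so they are not useful Kerberoast targets) and krbtgt, then group the remaining service names by the requesting account. The field names mirror Splunk's extraction, and the two Ticket_Options values are this example's assumption about what common tools request, not a list from the page.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # Ticket_Encryption_Type for RC4-HMAC; AES128/AES256 are 0x11/0x12

# Ticket_Options values treated as tool-like here. Assumption of this example:
# tune to the values your own Kerberoasting simulations produce.
TOOL_TICKET_OPTIONS = {"0x40810000", "0x40800000"}

# Constructed sample 4769 events with Splunk-style field names (an assumption).
SAMPLE_4769 = [
    # One user pulling RC4 tickets for three service accounts in a row.
    {"EventCode": "4769", "Account_Name": "jdoe@CORP.LOCAL", "Client_Address": "::ffff:10.0.0.50",
     "Service_Name": "svc-sql", "Ticket_Encryption_Type": "0x17",
     "Ticket_Options": "0x40810000", "Failure_Code": "0x0"},
    {"EventCode": "4769", "Account_Name": "jdoe@CORP.LOCAL", "Client_Address": "::ffff:10.0.0.50",
     "Service_Name": "svc-web", "Ticket_Encryption_Type": "0x17",
     "Ticket_Options": "0x40810000", "Failure_Code": "0x0"},
    {"EventCode": "4769", "Account_Name": "jdoe@CORP.LOCAL", "Client_Address": "::ffff:10.0.0.50",
     "Service_Name": "svc-backup", "Ticket_Encryption_Type": "0x17",
     "Ticket_Options": "0x40800000", "Failure_Code": "0x0"},
    # Same user, normal AES ticket to a file server: excluded by encryption type.
    {"EventCode": "4769", "Account_Name": "jdoe@CORP.LOCAL", "Client_Address": "::ffff:10.0.0.50",
     "Service_Name": "FS01$", "Ticket_Encryption_Type": "0x12",
     "Ticket_Options": "0x40810000", "Failure_Code": "0x0"},
    # Legacy host renewing its TGT over RC4: excluded because the service is krbtgt.
    {"EventCode": "4769", "Account_Name": "LEGACY01$@CORP.LOCAL", "Client_Address": "::ffff:10.0.0.90",
     "Service_Name": "krbtgt", "Ticket_Encryption_Type": "0x17",
     "Ticket_Options": "0x40810000", "Failure_Code": "0x0"},
    # RC4 ticket for a computer account: not a useful Kerberoast target, excluded.
    {"EventCode": "4769", "Account_Name": "amy@CORP.LOCAL", "Client_Address": "::ffff:10.0.0.12",
     "Service_Name": "LEGACY01$", "Ticket_Encryption_Type": "0x17",
     "Ticket_Options": "0x40810000", "Failure_Code": "0x0"},
    # Failed request: no ticket material was issued, nothing to crack.
    {"EventCode": "4769", "Account_Name": "jdoe@CORP.LOCAL", "Client_Address": "::ffff:10.0.0.50",
     "Service_Name": "svc-mail", "Ticket_Encryption_Type": "0x17",
     "Ticket_Options": "0x40810000", "Failure_Code": "0x7"},
]


def is_kerberoast_candidate(ev):
    """True for a successful RC4 service ticket request for a user-account SPN."""
    if ev.get("EventCode") != "4769":
        return False
    if ev.get("Failure_Code", "0x0").lower() != "0x0":
        return False
    if ev.get("Ticket_Encryption_Type", "").lower() != RC4_HMAC:
        return False
    if ev.get("Ticket_Options", "").lower() not in TOOL_TICKET_OPTIONS:
        return False
    service = ev.get("Service_Name", "")
    if service.endswith("$") or service.lower().startswith("krbtgt"):
        return False
    return True


def kerberoast_requests_by_account(events):
    """Map each requesting account to the sorted list of service accounts it roasted."""
    targets = defaultdict(set)
    for ev in events:
        if is_kerberoast_candidate(ev):
            targets[ev["Account_Name"].lower()].add(ev["Service_Name"].lower())
    return {account: sorted(services) for account, services in targets.items()}


if __name__ == "__main__":
    for account, services in kerberoast_requests_by_account(SAMPLE_4769).items():
        print(f"{account} requested RC4 tickets for {len(services)} service accounts: {services}")
```

A single RC4 ticket for one user SPN can be a legacy application; several distinct service accounts from one requester in a short window is the Kerberoasting shape. Tools that request AES tickets (Rubeus /aes256 or newer Impacket builds) will not match this filter, which is what the 3-sigma hunt below is for.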



Password Spraying

Password spraying is a technique by which adversaries try a single password, or a small list of commonly used passwords, against a large group of usernames to acquire valid account credentials while staying under lockout thresholds. In an Active Directory environment, both the NTLM and Kerberos protocols can be used for this technique. Below are a few detection ideas for Kerberos. For more detection opportunities, we encourage you to visit our Password Spraying analytic story.

Multiple Disabled Users Failing To Authenticate From Host Using Kerberos (T1110.003, Credential Access)
Identifies one source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. This detection will only trigger on domain controllers, not on member servers or workstations.

Multiple Users Failing To Authenticate From Host Using Kerberos (T1110.003, Credential Access)
Identifies one source endpoint failing to authenticate with multiple valid users using the Kerberos protocol. This detection will only trigger on domain controllers, not on member servers or workstations.

Multiple Invalid Users Failing To Authenticate From Host Using Kerberos (T1110.003, Initial Access)
Identifies one source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. This detection will only trigger on domain controllers, not on member servers or workstations.
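The three spraying analytics above and the Kerberos User Enumeration analytic in the Discovery section are the same shape: one Client_Address touching many distinct Account_Name values with a particular Kerberos result code. The following Python is an added example, not STRT's SPL, that implements that counting over constructed 4768 and 4771 records and shows why the result code is what separates the cases: 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) on 4768 means the user does not exist, 0x18 (KDC_ERR_PREAUTH_FAILED) on 4771 means a valid user and a wrong password, and 0x12 (KDC_ERR_CLIENT_REVOKED) on 4771 means a disabled, locked or expired account. Field names mirror Splunk's extraction and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict

# Kerberos error codes as they appear in the 4768 Result_Code / 4771 Failure_Code fields.
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # unknown user: user enumeration
KDC_ERR_CLIENT_REVOKED = "0x12"       # disabled, locked or expired account
KDC_ERR_PREAUTH_FAILED = "0x18"       # valid user, wrong password

# Constructed sample events shaped like Splunk's extraction of 4768 and 4771
# on a domain controller (field names are an assumption of this example).
SAMPLE_EVENTS = [
    # Kerbrute-style enumeration from 10.0.0.50: AS-REQs for names that do not exist.
    *[{"EventCode": "4768", "Client_Address": "::ffff:10.0.0.50",
       "Account_Name": n, "Result_Code": "0x6"}
      for n in ("bob", "alice2", "svc-backup", "jdoe", "mwilson", "tstark")],
    # Password spray from 10.0.0.77: five valid users, one wrong password each.
    *[{"EventCode": "4771", "Client_Address": "::ffff:10.0.0.77",
       "Account_Name": n, "Failure_Code": "0x18"}
      for n in ("amy", "bill", "carl", "dana", "ed")],
    # The same spray also hits two disabled accounts from the user list.
    *[{"EventCode": "4771", "Client_Address": "::ffff:10.0.0.77",
       "Account_Name": n, "Failure_Code": "0x12"}
      for n in ("old-admin", "former-employee")],
    # Benign: one user mistyping her password twice from her workstation.
    {"EventCode": "4771", "Client_Address": "::ffff:10.0.0.12",
     "Account_Name": "amy", "Failure_Code": "0x18"},
    {"EventCode": "4771", "Client_Address": "::ffff:10.0.0.12",
     "Account_Name": "amy", "Failure_Code": "0x18"},
    # Benign: a single mistyped username.
    {"EventCode": "4768", "Client_Address": "::ffff:10.0.0.12",
     "Account_Name": "ammy", "Result_Code": "0x6"},
]


def distinct_accounts_per_source(events, event_code, code_field, code_value):
    """{client_address: set of account names} for events with the given code."""
    seen = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != event_code:
            continue
        if ev.get(code_field, "").lower() != code_value:
            continue
        seen[ev["Client_Address"]].add(ev["Account_Name"].lower())
    return seen


def flag_sources(events, event_code, code_field, code_value, threshold):
    """Sources that touched more than `threshold` distinct accounts with that result."""
    per_source = distinct_accounts_per_source(events, event_code, code_field, code_value)
    return {src: sorted(accounts) for src, accounts in per_source.items()
            if len(accounts) > threshold}


def kerberos_user_enumeration(events, threshold=5):
    return flag_sources(events, "4768", "Result_Code", KDC_ERR_C_PRINCIPAL_UNKNOWN, threshold)


def kerberos_password_spray(events, threshold=4):
    return flag_sources(events, "4771", "Failure_Code", KDC_ERR_PREAUTH_FAILED, threshold)


def kerberos_disabled_user_spray(events, threshold=1):
    return flag_sources(events, "4771", "Failure_Code", KDC_ERR_CLIENT_REVOKED, threshold)


if __name__ == "__main__":
    for name, fn in (("user enumeration", kerberos_user_enumeration),
                     ("password spray (valid users)", kerberos_password_spray),
                     ("password spray (disabled users)", kerberos_disabled_user_spray)):
        for src, accounts in fn(SAMPLE_EVENTS).items():
            print(f"{name}: {src} -> {len(accounts)} accounts {accounts}")
```

Counting distinct accounts rather than raw events is what keeps the workstation at 10.0.0.12 quiet: two failures for one user is a typo, five failures for five users is a spray. In production, bucket by a time window (Splunk's bin _time span) before counting, and expect the Client_Address of NAT'd or VPN sources to aggregate many real endpoints.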


Golden Ticket

The golden ticket attack is a technique used against Active Directory environments that allows adversaries to forge an arbitrary but valid Ticket Granting Ticket (TGT) as any domain user. This effectively allows attackers to impersonate any user, including highly privileged ones, and perform unauthorized actions as them. A golden ticket can only be forged by an attacker who has obtained the secret of the special krbtgt domain account (its NTLM hash or AES keys), typically by dumping it from a domain controller or replicating it with DCSync.

Kerberos Service Ticket Request Using RC4 Encryption (T1558.001, Credential Access)
This analytic leverages Kerberos Event 4769 to identify a service ticket request that may be related to a Golden Ticket attack. Adversaries who have obtained the krbtgt account's NTLM password hash may forge a Ticket Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. A service ticket request using the legacy RC4 encryption type could represent this second stage of a Golden Ticket attack, because a TGT forged from the NTLM hash is RC4-encrypted. RC4 usage should be rare on a modern network: Windows Vista and Windows Server 2008 and newer support AES for Kerberos. Note that a Golden Ticket forged from the krbtgt AES key will not match this analytic, so treat it as one signal among several.


Lateral Movement - TA0008


Remote Code Execution

Once adversaries gain a foothold within an enterprise, they will seek to expand their access by leveraging techniques that facilitate lateral movement and remote code execution. Irrespective of the technique used (WMI, WinRM, SMB, etc.), lateral movement over the Kerberos protocol generates interesting events on the domain controllers. For other detection ideas for lateral movement, make sure to visit our Active Directory Lateral Movement analytic story.

Unusual Number of Computer Service Tickets Requested (T1078, Lateral Movement)
This hunting analytic leverages Event ID 4769, A Kerberos service ticket was requested, to identify an unusual number of computer service ticket requests from one source. When a domain-joined endpoint connects to a remote endpoint, it first requests a Kerberos ticket with the computer account name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc.
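This hunting analytic and the Unusual Number of Kerberos Service Tickets Requested analytic in the Kerberoasting section share one statistical core: count distinct Service_Name values per Client_Address in a window, then flag sources above mean + 3 standard deviations computed across all sources in that window. The following Python is an added example, not STRT's SPL, that reproduces that logic over constructed 4769 records for both cases (computer-account services ending in "$" for lateral movement, user-account SPNs for Kerberoasting). Field names mirror Splunk's extraction, the 20-host dataset is constructed, and Splunk's stdev is the sample standard deviation, which is what statistics.stdev computes.

```python
import statistics
from collections import defaultdict


def build_sample_events():
    """Constructed 4769 events: 19 quiet hosts and one host sweeping the network."""
    # Distinct computer accounts each source requested tickets for in the window.
    per_host_computer_tickets = [3, 4, 2, 5, 3, 4, 3, 5, 2, 4, 3, 4, 5, 3, 2, 4, 3, 4, 3, 60]
    events = []
    for i, n in enumerate(per_host_computer_tickets, start=1):
        src = f"::ffff:10.0.1.{i}"
        for j in range(n):
            events.append({"EventCode": "4769", "Client_Address": src,
                           "Account_Name": f"user{i}@CORP.LOCAL",
                           "Service_Name": f"SRV{j:03d}$", "Failure_Code": "0x0"})
        # Every host also talks to the one SQL service (a user-account SPN) once.
        events.append({"EventCode": "4769", "Client_Address": src,
                       "Account_Name": f"user{i}@CORP.LOCAL",
                       "Service_Name": "svc-sql", "Failure_Code": "0x0"})
    return events


def distinct_service_count_per_source(events, computer_accounts):
    """{client_address: number of distinct services requested} for successful 4769s.

    computer_accounts=True counts services ending in '$' (lateral movement hunt);
    False counts user-account SPNs (Kerberoasting hunt). krbtgt is never counted.
    """
    services = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != "4769" or ev.get("Failure_Code", "0x0") != "0x0":
            continue
        svc = ev["Service_Name"]
        if svc.lower().startswith("krbtgt"):
            continue
        if svc.endswith("$") == computer_accounts:
            services[ev["Client_Address"]].add(svc.lower())
    return {src: len(s) for src, s in services.items()}


def three_sigma_outliers(counts):
    """Sources whose count exceeds mean + 3 * sample stdev over all sources.

    Caveat: the baseline includes the outlier itself. With n sources the largest
    possible z-score is (n - 1) / sqrt(n), so with 10 or fewer sources in the
    window this rule can never fire no matter how extreme one host is.
    """
    values = list(counts.values())
    if len(values) < 2:
        return []
    upper = statistics.mean(values) + 3 * statistics.stdev(values)
    return sorted(src for src, c in counts.items() if c > upper)


def unusual_service_ticket_sources(events, computer_accounts=True):
    return three_sigma_outliers(distinct_service_count_per_source(events, computer_accounts))


if __name__ == "__main__":
    events = build_sample_events()
    print("computer tickets:", unusual_service_ticket_sources(events, computer_accounts=True))
    print("user SPN tickets:", unusual_service_ticket_sources(events, computer_accounts=False))
```

For the sample data the computer-ticket counts have a mean of 6.3 and a sample standard deviation of about 12.7, so the threshold is about 44 and only the host with 60 distinct targets is returned; the user-SPN counts are all 1, the standard deviation is 0 and nothing is flagged. The small-population caveat is worth checking in your own environment: if the window you chose contains fewer than 11 active sources, widen it or baseline against a longer history.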


OverPass The Hash

Once adversaries compromise a Windows system with local administrator or SYSTEM privileges, they are able to dump credentials from LSASS memory to obtain clear-text passwords, NTLM hashes or Kerberos keys. OverPass the Hash (also called pass the key) is a technique by which an attacker who has obtained a user's NTLM hash uses it as that user's RC4 Kerberos key to authenticate to the Key Distribution Center and receive a valid TGT on behalf of the compromised user. This ticket can then be used to consume Kerberos-based services in the network.

Unknown Process Using The Kerberos Protocol (T1550, Lateral Movement)
This analytic identifies a process making an outbound connection to port 88, the default port of the Kerberos network authentication protocol. On a regular Windows endpoint, lsass.exe is normally the only process that connects to the Key Distribution Center to obtain Kerberos tickets. An unknown process using this protocol may be evidence of an adversary abusing Kerberos directly, for example Rubeus or Impacket requesting tickets with stolen keys.

Kerberos TGT Request Using RC4 Encryption (T1550, Lateral Movement)
This analytic leverages Event 4768, A Kerberos authentication ticket (TGT) was requested, to identify a TGT request with encryption type 0x17, RC4-HMAC. Modern Windows clients negotiate AES by default, so an RC4 TGT request could represent evidence of an OverPass the Hash attack, in which an adversary who has stolen the NTLM hash of a valid domain account uses it as the account's RC4 key to authenticate to the Key Distribution Center (KDC) and obtain a TGT. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. Legacy systems and accounts that still use RC4 will also match, so baseline RC4 usage in your environment before alerting on it.
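The two analytics above are stronger together than apart: an RC4 TGT from a host where a non-lsass process just talked to port 88 is a much tighter match for OverPass the Hash than either signal alone. The following Python is an added example, not STRT's SPL, that runs both checks over constructed Sysmon Event ID 3 (network connection) and Windows Security 4768 records and joins them on the source address. Field names mirror Splunk's extraction of those events, the lsass.exe allowlist and the IP addresses are assumptions, and the join is by address only (a production search would also bound the time window).

```python
RC4_HMAC = "0x17"

# Processes expected to speak Kerberos on a standard Windows endpoint.
# Assumption of this example: extend with your own agents that use Kerberos directly.
KNOWN_KERBEROS_CLIENTS = {r"c:\windows\system32\lsass.exe"}

# Constructed Sysmon EventCode 3 records (Splunk-style field names, an assumption).
SAMPLE_SYSMON = [
    {"EventCode": "3", "Computer": "WS01", "Image": r"C:\Windows\System32\lsass.exe",
     "SourceIp": "10.0.0.50", "DestinationIp": "10.0.0.10", "DestinationPort": "88"},
    {"EventCode": "3", "Computer": "WS01", "Image": r"C:\Users\jdoe\Downloads\Rubeus.exe",
     "SourceIp": "10.0.0.50", "DestinationIp": "10.0.0.10", "DestinationPort": "88"},
    {"EventCode": "3", "Computer": "WS01", "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "SourceIp": "10.0.0.50", "DestinationIp": "203.0.113.10", "DestinationPort": "443"},
    {"EventCode": "3", "Computer": "WS02", "Image": r"C:\Windows\System32\lsass.exe",
     "SourceIp": "10.0.0.12", "DestinationIp": "10.0.0.10", "DestinationPort": "88"},
]

# Constructed 4768 records from the domain controller (field names are an assumption).
SAMPLE_4768 = [
    # RC4 TGT for a privileged account from the host where Rubeus ran.
    {"EventCode": "4768", "Account_Name": "administrator", "Client_Address": "::ffff:10.0.0.50",
     "Ticket_Encryption_Type": "0x17", "Result_Code": "0x0"},
    # Normal AES TGT for the logged-on user from the same host.
    {"EventCode": "4768", "Account_Name": "jdoe", "Client_Address": "::ffff:10.0.0.50",
     "Ticket_Encryption_Type": "0x12", "Result_Code": "0x0"},
    # Normal AES TGT from an unrelated host.
    {"EventCode": "4768", "Account_Name": "amy", "Client_Address": "::ffff:10.0.0.12",
     "Ticket_Encryption_Type": "0x12", "Result_Code": "0x0"},
]


def unknown_kerberos_clients(sysmon_events, allowlist=KNOWN_KERBEROS_CLIENTS):
    """Sysmon network connections to port 88 from processes not on the allowlist."""
    hits = []
    for ev in sysmon_events:
        if ev.get("EventCode") != "3" or ev.get("DestinationPort") != "88":
            continue
        if ev.get("Image", "").lower() in allowlist:
            continue
        hits.append({"host": ev["Computer"], "image": ev["Image"],
                     "source_ip": ev["SourceIp"], "dest_ip": ev["DestinationIp"]})
    return hits


def rc4_tgt_requests(security_events):
    """Successful 4768 events whose ticket encryption type is RC4-HMAC."""
    return [ev for ev in security_events
            if ev.get("EventCode") == "4768"
            and ev.get("Result_Code", "0x0") == "0x0"
            and ev.get("Ticket_Encryption_Type", "").lower() == RC4_HMAC]


def overpass_the_hash_candidates(sysmon_events, security_events):
    """RC4 TGT requests from an address where an unknown process spoke Kerberos."""
    suspicious_sources = {h["source_ip"] for h in unknown_kerberos_clients(sysmon_events)}
    candidates = []
    for ev in rc4_tgt_requests(security_events):
        # 4768 records IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix to join.
        client = ev.get("Client_Address", "").replace("::ffff:", "")
        if client in suspicious_sources:
            candidates.append(ev)
    return candidates


if __name__ == "__main__":
    for hit in unknown_kerberos_clients(SAMPLE_SYSMON):
        print(f"{hit['host']}: {hit['image']} -> {hit['dest_ip']}:88")
    for ev in overpass_the_hash_candidates(SAMPLE_SYSMON, SAMPLE_4768):
        print(f"RC4 TGT for {ev['Account_Name']} from {ev['Client_Address']}")
```

The RC4 leg only catches an attacker who passed the NTLM hash; Rubeus asktgt with an AES key (/aes256) produces a 0x12 TGT that looks like any other, so the process-to-port-88 signal is the one that survives that variation.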


Pass The Ticket

Adversaries who have obtained system privileges on a Windows host are able to export the valid Kerberos Ticket Granting Tickets as well as Kerberos Service Tickets that reside in memory. In the scenario that a high-privileged account has an active session on the compromised host, tickets can be dumped and reused to consume services and resources on the network in a similar way to the Pass The Hash NTLM attack.

Mimikatz PassTheTicket CommandLine Parameters (T1550.003, Lateral Movement)
This analytic looks for the use of Mimikatz command-line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the Pass the Ticket technique with stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls.

Rubeus Kerberos Ticket Exports Through Winlogon Access (T1550.003, Lateral Movement)
This analytic looks for a process obtaining a handle to the winlogon.exe system process. The Splunk Threat Research Team identified this behavior when using the Rubeus tool to monitor for and export Kerberos tickets from memory: before it can export tickets, Rubeus escalates to SYSTEM by obtaining a handle to winlogon.exe, and only then starts monitoring for tickets. Exporting tickets from memory is typically the first step of a pass the ticket attack.

Rubeus Command Line Parameters (T1550.003, Lateral Movement)
This analytic looks for the use of Rubeus command-line arguments utilized in common Kerberos attacks such as exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, Kerberoasting, password spraying, etc.

Privilege Escalation - TA0004


SamAccountName Spoofing & Domain Controller Impersonation

On November 9, 2021, Microsoft released patches for two vulnerabilities affecting Windows Active Directory domain controllers: sAMAccountName Spoofing (CVE-2021-42278) and Domain Controller Impersonation (CVE-2021-42287). Chained together, they allow an adversary with low-privileged domain user credentials to obtain a Kerberos service ticket as a domain controller computer account, effectively letting a regular domain user take control of a domain controller.

Suspicious Kerberos Service Ticket Request (T1078.002, Privilege Escalation)
As part of the sAMAccountName Spoofing and Domain Controller Impersonation exploitation chain, adversaries request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can then be used to take control of the domain controller in the final part of the attack. This analytic leverages Event ID 4769, A Kerberos service ticket was requested, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field.

Suspicious Ticket Granting Ticket Request (T1078.002, Privilege Escalation)
As part of the sAMAccountName Spoofing and Domain Controller Impersonation exploitation chain, adversaries need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of a newly created computer account that they have renamed to match a domain controller's name without the trailing "$". The TGT request is therefore preceded by an account rename (Event ID 4781). This analytic correlates Event ID 4781, The name of an account was changed, with Event ID 4768, A Kerberos authentication ticket (TGT) was requested, where the new account name on the 4781 matches the requesting account on the 4768.
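Both analytics above are correlations rather than single-event matches, and the normalization details decide whether they fire. The following Python is an added example, not STRT's SPL, that implements them over constructed 4781, 4768 and 4769 records: a computer account (name ending in "$") renamed to a name without "$" followed within a window by a TGT for that exact name, and a service ticket whose requesting account and Service_Name are the same principal once the realm suffix and trailing "$" are stripped. Field names mirror Splunk's extraction, the event timestamps are constructed, and the optional list of domain controller names is an assumption used to cut down on machine accounts that legitimately request tickets to themselves.

```python
def strip_realm(name):
    """'DC01$@CORP.LOCAL' -> 'DC01$'."""
    return name.split("@", 1)[0]


def base_name(name):
    """Lower-case name without realm and without the trailing '$' of a machine account."""
    return strip_realm(name).rstrip("$").lower()


# Constructed Windows Security events with Splunk-style field names (an assumption).
# _time is a constructed epoch offset in seconds.
SAMPLE_EVENTS = [
    # Attacker renames the computer account they created to the DC's name without '$'.
    {"EventCode": "4781", "_time": 100, "Subject_User_Name": "jdoe",
     "Old_Account_Name": "ATTACK$", "New_Account_Name": "DC01"},
    # ... requests a TGT as 'DC01' ...
    {"EventCode": "4768", "_time": 105, "Account_Name": "DC01",
     "Client_Address": "::ffff:10.0.0.50", "Result_Code": "0x0"},
    # ... renames the account back so the KDC resolves 'DC01' to 'DC01$' ...
    {"EventCode": "4781", "_time": 110, "Subject_User_Name": "jdoe",
     "Old_Account_Name": "DC01", "New_Account_Name": "ATTACK$"},
    # ... and obtains a service ticket for the DC as the DC.
    {"EventCode": "4769", "_time": 115, "Account_Name": "DC01$@CORP.LOCAL",
     "Service_Name": "DC01$", "Client_Address": "::ffff:10.0.0.50"},
    # Benign: an admin renames a workstation, which then authenticates under its new name.
    {"EventCode": "4781", "_time": 200, "Subject_User_Name": "admin",
     "Old_Account_Name": "WS09$", "New_Account_Name": "WS09-LAB$"},
    {"EventCode": "4768", "_time": 203, "Account_Name": "WS09-LAB$",
     "Client_Address": "::ffff:10.0.0.12", "Result_Code": "0x0"},
    # Benign: a user requesting a ticket to a file server.
    {"EventCode": "4769", "_time": 210, "Account_Name": "amy@CORP.LOCAL",
     "Service_Name": "FS01$", "Client_Address": "::ffff:10.0.0.12"},
]


def suspicious_tgt_requests(events, window_seconds=600):
    """4781 renaming a machine account to a name without '$', followed by a 4768 for that name."""
    renames = [ev for ev in events
               if ev["EventCode"] == "4781"
               and ev["Old_Account_Name"].endswith("$")
               and not ev["New_Account_Name"].endswith("$")]
    hits = []
    for tgt in (ev for ev in events
                if ev["EventCode"] == "4768" and ev.get("Result_Code") == "0x0"):
        for rename in renames:
            same_name = strip_realm(tgt["Account_Name"]).lower() == rename["New_Account_Name"].lower()
            in_window = 0 <= tgt["_time"] - rename["_time"] <= window_seconds
            if same_name and in_window:
                hits.append({"account": tgt["Account_Name"], "old_name": rename["Old_Account_Name"],
                             "renamed_by": rename["Subject_User_Name"],
                             "source": tgt["Client_Address"]})
    return hits


def suspicious_service_ticket_requests(events, dc_names=None):
    """4769 where the requesting account and the Service_Name are the same principal."""
    wanted = {d.lower().rstrip("$") for d in dc_names} if dc_names else None
    hits = []
    for ev in events:
        if ev["EventCode"] != "4769":
            continue
        if base_name(ev["Account_Name"]) != base_name(ev["Service_Name"]):
            continue
        if wanted is not None and base_name(ev["Service_Name"]) not in wanted:
            continue
        hits.append({"account": ev["Account_Name"], "service": ev["Service_Name"],
                     "source": ev["Client_Address"]})
    return hits


if __name__ == "__main__":
    for hit in suspicious_tgt_requests(SAMPLE_EVENTS):
        print(f"TGT for {hit['account']} after {hit['renamed_by']} renamed {hit['old_name']} "
              f"from {hit['source']}")
    for hit in suspicious_service_ticket_requests(SAMPLE_EVENTS, dc_names={"DC01"}):
        print(f"{hit['account']} requested a service ticket for {hit['service']} from {hit['source']}")
```

The rename check keys on the trailing "$" because a legitimate computer rename keeps it, while the exploit needs a computer account whose sAMAccountName is exactly a DC name. Machine accounts occasionally request tickets to their own SPNs, so the dc_names filter on the second check is what keeps it from paging on every member server.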


Exploitation for Privilege Escalation

In June 2021, Will Schroeder and Lee Christensen released the whitepaper "Certified Pre-Owned: Abusing Active Directory Certificate Services", which described scenarios for abusing Microsoft's PKI implementation, Active Directory Certificate Services. Combined with PetitPotam, a tool that abuses native RPC services to coerce Windows computers into authenticating to an attacker-controlled endpoint, attackers can obtain a certificate for a domain controller and escalate their privileges in an Active Directory network. For more information, visit the PetitPotam analytic story.

PetitPotam Suspicious Kerberos TGT Request (T1187, Credential Access)
This analytic identifies Event Code 4768, A Kerberos authentication ticket (TGT) was requested successfully. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step is to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning; we recommend filtering Account_Name to the domain controllers in your environment.

Datasets

Following the Splunk Threat Research Team's methodology to create and test the detections released in every analytic story, we simulated all the Kerberos-based attacks in a lab environment built with the Attack Range and stored the resulting telemetry in the Attack Data project.

Defenders can leverage these datasets to build or test their detections. This section summarizes the most relevant datasets (the original links point to the Attack Data repository on GitHub). Certain attacks have more than one dataset because we simulate the same technique in more than one way to enhance detection resilience.

Attack (Technique ID, Tactic): dataset(s)

Kerberos User Enumeration (T1589.002, Discovery): windows-security.log
Kerberos Delegation Discovery (T1018, Discovery): three windows-powershell.log datasets
Kerberos Pre-Authentication Flag Disabled (T1558.004, Credential Access): two windows-security.log datasets
Kerberos Pre-Authentication Discovery (T1558.004, Credential Access): two windows-powershell.log datasets
Kerberoasting (T1558.003, Credential Access): two windows-security.log datasets
Password Spraying (T1110.003, Credential Access): three windows-security.log datasets
Golden Ticket (T1558.001, Credential Access): windows-security.log
Pass The Ticket (T1550.003, Lateral Movement): two windows-sysmon.log datasets
OverPassTheHash (T1550, Lateral Movement): two windows-security.log datasets

Learn more

You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update. 

For a full list of security content, check out the release notes on Splunk Docs.

Feedback

Any feedback or requests? Feel free to open an issue on GitHub and we'll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions if you need an invitation to our Splunk user groups on Slack.

Author and Contributors

Credit to author Mauricio Velazco and collaborators Michael Haag, Patrick Bareis, Jose Hernandez, Teoderick Contreras, Eric McGinnis, Rod Soto, and Lou Stella.


The Splunk Threat Research Team is an active part of a customer's overall defense strategy, enhancing Splunk security offerings with verified research and security content such as use cases, detection searches, and playbooks. We help security teams around the globe strengthen operations by providing tactical guidance and insights to detect, investigate and respond to the latest threats. The Splunk Threat Research Team focuses on understanding how threats, actors, and vulnerabilities work, and the team replicates attacks which are stored as datasets in the Attack Data repository.

Our goal is to provide security teams with research they can leverage in their day to day operations and to become the industry standard for SIEM detections. We are a team of industry-recognized experts who are encouraged to improve the security industry by sharing our work with the community via conference talks, open-sourcing projects, and writing white papers or blogs. You will also find us presenting our research at conferences such as Defcon, Blackhat, RSA, and many more.
