By Splunk Threat Research Team May 11, 2022
The Splunk Threat Research Team recently developed a new analytic story, Active Directory Kerberos Attacks, to help security operations center (SOC) analysts detect adversaries abusing the Kerberos protocol to attack Windows Active Directory (AD) environments. In this blog post, we’ll describe some of the detection opportunities available to cyber defenders and highlight analytics from the analytic story.
Watch the video below where we simulate a few Kerberos attacks using open source tools like Rubeus, Kerbrute, and PurpleSharp. We then collect and analyze the resulting telemetry to test our detections using Splunk in a lab environment built with the Attack Range.
Introduction
Kerberos, initially named after Cerberus, the three-headed dog in Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third party. This trusted third-party, called the Kerberos Distribution Center, issues Kerberos tickets to allow clients access to services and network resources based on their privilege level. Kerberos is the default authentication protocol used on Windows Active Directory networks since the introduction of Windows Server 2003.
There are two types of Kerberos tickets: Ticket Granting Ticket (TGT) and Service Tickets (ST). TGTs are first issued to users as an authentication mechanism after submitting their passwords. Once users attempt to consume Kerberos-based services such as a network share or web server, the TGT is submitted to obtain an ST which the user then presents to initiate a session.
As the backbone of Active Directory authentication, Kerberos is commonly abused by adversaries across the different phases of a breach including initial access, privilege escalation, defense evasion, credential access, lateral movement, etc. The analytic story presented in this blog post groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for behavior commonly presented when attackers engage in Kerberos-based attacks.
Telemetry and Logging
An important step for defenders trying to enhance their Kerberos attack coverage is to gain a good understanding of the available telemetry generated by Windows when Kerberos is used (or abused). This intelligence can drive our logging requirements as well as content prioritization.
The Windows advanced audit policy configuration provides defenders with two Kerberos logging categories: Audit Kerberos Authentication Service and Audit Kerberos Service Ticket Operations. Both categories are disabled by default and provide six types of events generated only on domain controllers when specific actions occur. The following are the three most relevant events based on the techniques we tested:
Event Code |
Description |
A Kerberos authentication ticket (TGT) was requested |
|
A Kerberos service (ST) ticket was requested |
|
Kerberos pre-authentication failed. |
Engaging in Kerberos attack techniques will also leave an audit trail in other data sources. The Splunk Threat Research Team (STRT) recommends defenders deploy a comprehensive logging strategy that includes Kerberos events as well as other complementing data sources such as Process and Command-Line, Network Events, local authentication events, application events, etc.
Active Directory Kerberos Attacks Analytic Story
This section describes common Kerberos attacks for which we wrote detections in the new analytic story. We are using ATT&CK Tactics to organize them. Note that this is a work in progress and does not cover all the existing Kerberos attack techniques. Feedback is welcome!
Discovery - TA0007
User Enumeration
Adversaries may abuse Kerberos to validate if a list of users is a domain user or not. This validation can be stealthy as it does not actually generate failed authentication or lockout events. This can be accomplished by submitting a TGT request with no pre-authentication. If the KDC prompts for authentication, the user is valid.
Name |
Technique ID |
Tactic |
Description |
T1589.002 |
Discovery |
This analytic leverages Event Id 4768. A Kerberos authentication ticket (TGT) was requested to identify one source endpoint trying to obtain an unusual number of Kerberos TGT tickets for non-existing users. This behavior could represent an adversary abusing the Kerberos protocol to perform a user enumeration attack against an Active Directory environment. When Kerberos is sent a TGT request with no preauthentication for an invalid username, it responds with KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN or 0x6. |
Kerberos Delegation
Kerberos delegation is an impersonation capability that enables an application to access or consume resources hosted on a different server on behalf of users. While convenient, this Kerberos feature introduces new attack vectors that allow adversaries to abuse accounts or computers trusted for the delegation intending to steal Kerberos Ticket Granting Tickets or obtain unauthorized Kerberos Service Tickets.
Name |
Technique ID |
Tactic |
Description |
T1018 |
Discovery |
This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Unconstrained Delegation. |
|
T1018 |
Discovery |
This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify the Get-ADComputer commandlet used with specific parameters to discover Windows endpoints with Kerberos Unconstrained Delegation. |
|
T1018 |
Discovery |
This analytic utilizes PowerShell Script Block Logging (EventCode=4104) to identify commandlets used by the PowerView hacking tool leveraged to discover Windows endpoints with Kerberos Constrained Delegation. |
Credential Access - TA0006
AS-REP Roasting
Pre-Authentication is a Kerberos security feature by which users encrypt a timestamp with their secret (password) and send it to the KDC in order to request a TGT. Once the KDC validates the timestamp was encrypted with the right secret, it will issue the TGT. However, if pre-authentication is disabled, this step is skipped and adversaries are able to request a TGT for any domain user. This technique is called AS-REP roasting and it effectively allows an attacker to perform an offline brute force attack against a user’s password.
Name |
Technique ID |
Tactic |
Description |
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser |
T1558.004 |
Credential Access |
This analytic identifies the execution of the Get-ADUser commandlet with specific parameters. Get-ADUser is part of the Active Directory PowerShell module used to manage Windows Active Directory networks. As the name suggests, Get-ADUser is used to query for domain users. With the appropriate parameters, Get-ADUser allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled. |
Disabled Kerberos Pre-Authentication Discovery With PowerView |
T1558.004 |
Credential Access |
This analytic identifies the execution of the Get-DomainUser commandlet with specific parameters. Get-DomainUser is part of PowerView, a PowerShell tool used to perform enumeration on Windows Active Directory networks. As the name suggests, Get-DomainUser is used to identify domain users and combining it with -PreauthNotRequired allows adversaries to discover domain accounts with Kerberos Pre Authentication disabled. |
Kerberos Pre-Authentication Flag Disabled in UserAccountControl |
T1558.004 |
Credential Access |
This analytic leverages Windows Security Event 4738. A user account was changed to identify a change performed on a domain user object that disables Kerberos Pre-Authentication. Disabling the Pre Authentication flag in the UserAccountControl property allows an adversary to easily perform a brute force attack against the user’s password offline leveraging the ASP REP Roasting technique. |
T1558.004 |
Credential Access |
This analytic identifies the execution of the Set-ADAccountControl commandlet with specific parameters. As the name suggests, Set-ADAccountControl is used to modify User Account Control values for an Active Directory domain account. With the appropriate parameters, Set-ADAccountControl allows adversaries to disable Kerberos Pre-Authentication for an account. |
Kerberoasting
In Active Directory networks, Service Principal Names (SPNs) are used to uniquely identify an instance of a network service. To enable authentication, SPNs are typically associated with a domain service account. When users request a Kerberos Service Ticket for or an SPN, part of this ticket is encrypted with the service account’s password hash.
This attack is known as Kerberoasting and allows adversaries to perform an offline brute force attack to attempt to obtain the service account's password.
Name |
Technique ID |
Tactic |
Description |
T1558.003 |
Credential Access |
This analytic identifies a potential Kerberoasting attack against Active Directory networks. Kerberoasting allows an adversary to request Kerberos tickets for domain accounts typically used as service accounts and attempts to crack them offline allowing them to obtain privileged access to the domain. This analytic looks for a specific combination of the Ticket_Options field based on common Kerberoasting tools. |
|
T1558.003 |
Credential Access |
This analytic identifies powershell.exe usage, using Script Block Logging EventCode 4104, related to querying the domain for Service Principal Names. Typically, this is a precursor activity related to Kerberoasting or the silver ticket attack. |
|
T1558.003 |
Credential Access |
This analytic identifies setspn.exe usage related to querying the domain for Service Principal Names. Typically, this is a precursor activity related to Kerberoasting or the silver ticket attack. |
|
T1558.003 |
Credential Access |
This hunting analytic leverages Kerberos Event 4769. A Kerberos service ticket was requested to identify a potential Kerberoasting attack against Active Directory networks. The detection calculates the standard deviation for each host and leverages the 3-sigma statistical rule to identify an unusual number of service ticket requests. |
Password Spraying
Password spraying is a technique by which adversaries leverage a single password or a small list of commonly used passwords against a large group of usernames to acquire valid account credentials. In an Active Directory environment, both the NTLM and Kerberos protocols can be used for this technique. Below are a few detection ideas for Kerberos.
For more detection opportunities, we encourage you to visit our Password Spraying analytic story.
Name |
Technique ID |
Tactic |
Description |
Multiple Disabled Users Failing To Authenticate From Host Using Kerberos |
T1110.003 |
Credential Access |
Identifies one source endpoint failing to authenticate with multiple disabled domain users using the Kerberos protocol. This detection will only trigger on domain controllers, not on member servers or workstations. |
Multiple Users Failing To Authenticate From Host Using Kerberos |
T1110.003 |
Credential Access |
Identifies one source endpoint failing to authenticate with multiple valid users using the Kerberos protocol. This detection will only trigger on domain controllers, not on member servers or workstations. |
Multiple Invalid Users Failing To Authenticate From Host Using Kerberos |
T1110.003 |
Initial Access |
Identifies one source endpoint failing to authenticate with multiple invalid domain users using the Kerberos protocol. This detection will only trigger on domain controllers, not on member servers or workstations. |
Golden Ticket
The golden ticket attack is a technique used against Active Directory environments that allows adversaries to forge an arbitrary but valid Ticket Granting Ticket (TGT) as any domain user. This effectively allows attackers to impersonate any user, including high privileged users, and perform unauthorized actions on them. A golden ticket attack can only be executed if the attacker has obtained the NTLM hash password of a special domain account, krbtgt.
Name |
Technique ID |
Tactic |
Description |
T1558.001 |
Credential Access |
This analytic leverages Kerberos Event 4769 to identify a potential Kerberos Service Ticket request related to a Golden Ticket attack. Adversaries who have obtained the Krbtgt account NTLM password hash may forge a Kerberos Granting Ticket (TGT) to obtain unrestricted access to an Active Directory environment. Armed with a Golden Ticket, attackers can request service tickets to move laterally and execute code on remote systems. Looking for Kerberos Service Ticket requests using the legacy RC4 encryption mechanism could represent the second stage of a Golden Ticket attack. RC4 usage should be rare on a modern network since Windows Vista & Windows Server 2008 and newer support AES Kerberos encryption. |
Lateral Movement - TA0008
Remote Code Execution
Once adversaries gain a foothold within an enterprise, they will seek to expand their access by leveraging techniques that facilitate lateral movement and remote code execution. Irrespective of the used technique (WMI, WinRM, SMB, etc), a lateral movement attack using the Kerberos protocol generates interesting events. For other detection ideas for lateral movement, make sure to visit our Active Directory Lateral Movement analytic story.
Name |
Technique ID |
Tactic |
Description |
T1078 |
Lateral Movement |
This hunting analytic leverages Event ID 4769. A Kerberos service ticket was requested to identify an unusual number of computer service ticket requests from one source. When a domain-joined endpoint connects to a remote endpoint, it first will request a Kerberos Ticket with the computer name as the Service Name. An endpoint requesting a large number of computer service tickets for different endpoints could represent malicious behavior like lateral movement, malware staging, reconnaissance, etc. |
OverPass The Hash
Once adversaries compromise a Windows system with the highest privileges, they are able to dump credentials from memory to obtain clear text or hashed passwords. OverPass The Hash is a technique by which an attacker, who has obtained NTLM hash passwords, is able to authenticate to the Key Distribution Center using this hash and receive a valid Kerberos ticket (TGT) on behalf of the compromised user. This ticket can then be used to consume Kerberos-based services in the network.
Name |
Technique ID |
Tactic |
Description |
T1550 |
Lateral Movement |
This analytic identifies a process performing an outbound connection on port 88 used by default by the network authentication protocol Kerberos. Typically, on a regular Windows endpoint, only the lsass.exe process is the one tasked with connecting to the Kerberos Distribution Center to obtain Kerberos tickets. Identifying an unknown process using this protocol may be evidence of an adversary abusing the Kerberos protocol. |
|
T1550 |
Lateral Movement |
This analytic leverages Event 4768. A Kerberos authentication ticket (TGT) was requested to identify a TGT request with encryption type 0x17, or RC4-HMAC. This encryption type is no longer utilized by newer systems and could represent evidence of an OverPass The Hash attack. Leveraging this attack, an adversary who has stolen the NTLM hash of a valid domain account can authenticate to the Kerberos Distribution Center (KDC) on behalf of the legitimate account and obtain a Kerberos TGT ticket. Depending on the privileges of the compromised account, this ticket may be used to obtain unauthorized access to systems and other network resources. |
Pass The Ticket
Adversaries who have obtained system privileges on a Windows host are able to export the valid Kerberos Ticket Granting Tickets as well as Kerberos Service Tickets that reside in memory. In the scenario that a high-privileged account has an active session on the compromised host, tickets can be dumped and reused to consume services and resources on the network in a similar way to the Pass The Hash NTLM attack.
Name |
Technique ID |
Tactic |
Description |
T1550.003 |
Lateral Movement |
This analytic looks for the use of Mimikatz command line parameters leveraged to execute pass the ticket attacks. Red teams and adversaries alike may use the Pass the Ticket technique using stolen Kerberos tickets to move laterally within an environment, bypassing normal system access controls. |
|
T1550.003 |
Lateral Movement |
This analytic looks for a process accessing the winlogon.exe system process. The Splunk Threat Research team identified this behavior when using the Rubeus tool to monitor for and export Kerberos tickets from memory. Before being able to export tickets. Rubeus will try to escalate privileges to SYSTEM by obtaining a handle to winlogon.exe before trying to monitor for Kerberos tickets. Exporting tickets from memory is typically the first step of passing the ticket attacks. |
|
T1550.003 |
Lateral Movement |
This analytic looks for the use of Rubeus command-line arguments utilized in common Kerberos attacks like exporting and importing tickets, forging silver and golden tickets, requesting a TGT or TGS, Kerberoasting, password spraying, etc. |
Privilege Escalation - TA0004
SamAccountName Spoofing & Domain Controller Impersonation
On November 9, 2021, Microsoft released patches to address two vulnerabilities that affect Windows Active Directory domain controllers: sAMAccountName Spoofing (CVE-2021–42278) and Domain Controller Impersonation (CVE-2021–42287). These vulnerabilities allow an adversary with access to low-privileged domain user credentials to obtain a Kerberos Service Ticket for a Domain Controller computer account. This effectively allows a regular domain user to take control of a domain controller.
Name |
Technique ID |
Tactic |
Description |
T1078.002 |
Privilege Escalation |
As part of the sAMAccountName Spoofing and Domain Controller Impersonation exploitation chain, adversaries will request and obtain a Kerberos Service Ticket (TGS) with a domain controller computer account as the Service Name. This Service Ticket can be then used to take control of the domain controller on the final part of the attack. This analytic leverages Event Id 4769, A Kerberos service ticket was requested, to identify an unusual TGS request where the Account_Name requesting the ticket matches the Service_Name field. |
|
T1078.002 |
Privilege Escalation |
As part of the sAMAccountName Spoofing and Domain Controller Impersonation exploitation chain, adversaries will need to request a Kerberos Ticket Granting Ticket (TGT) on behalf of the newly created and renamed computer account. The TGT request will be preceded by a computer account name event. This analytic leverages Event Id 4781, The name of an account was changed and event Id 4768 A Kerberos authentication ticket (TGT) was requested to correlate a sequence of events where the new computer account on event id 4781 matches the request account on event id 4768. |
Exploitation for Privilege Escalation
In June 2021, Will Schroeder and Lee Christensen released the whitepaper “Certified Pre-Owned: Abusing Active Directory Certificate Services” which described scenarios to abuse Microsoft’s PKI implementation called Active Directory Certificate Services. Combined with PetitPotam, a tool that abuses native services to coerce Windows computers to authenticate to malicious endpoints, attackers can escalate their privileges in an Active Directory network. For more information, visit this analytic story.
Name |
Technique ID |
Tactic |
Description |
T1187 |
Credential Access |
This analytic identifies Event Code 4768. A Kerberos authentication ticket (TGT) was requested successfully. This behavior has been identified to assist with detecting PetitPotam, CVE-2021-36942. Once an attacker obtains a computer certificate by abusing Active Directory Certificate Services in combination with PetitPotam, the next step would be to leverage the certificate for malicious purposes. One way of doing this is to request a Kerberos Ticket Granting Ticket using a tool like Rubeus. This request will generate a 4768 event with some unusual fields depending on the environment. This analytic will require tuning, we recommend filtering Account_Name to Domain Controllers for your environment. |
Datasets
Following the Splunk Threat Research Team’s methodology to create and test the detections released in every analytic story, we simulated all the Kerberos-based attacks in a lab environment built with the Attack Range and stored the resulting telemetry in the Attack Data project.
Defenders can leverage these datasets to build or test their detections. In this section, we present a summary table containing links to the most relevant datasets. Certain attacks point to more than one dataset as we simulate the same technique in more than one way to enhance detection resilience.
Attack |
Technique ID |
Tactic |
Dataset Link(s) |
Kerberos User Enumeration |
T1589.002 |
Discovery |
|
Kerberos Delegation Discovery |
T1018 |
Discovery |
|
Kerberos Pre-Authentication Flag Disabled |
T1558.004 |
Credential Access |
|
Kerberos Pre-Authentication Discovery |
T1558.004 |
Credential Access |
|
Kerberoasting |
T1558.003 |
Credential Access |
|
Password Spraying |
T1110.003 |
Credential Access |
|
Golden Ticket |
T1558.001 |
Credential Access |
|
Pass The Ticket |
T1078.002 |
Privilege Escalation |
|
OverPassTheHash |
T1550 |
Lateral Movement |
Learn more
You can find the latest content about security analytic stories on GitHub and in Splunkbase. Splunk Security Essentials also has all these detections available via push update.
For a full list of security content, check out the release notes on Splunk Docs.
Feedback
Any feedback or requests? Feel free to put in an issue on GitHub and we’ll follow up. Alternatively, join us on the Slack channel #security-research. Follow these instructions If you need an invitation to our Splunk user groups on Slack.
Author and Contributors
Credit to author Mauricio Velazco and collaborators Michael Haag, Patrick Bareis, Jose Hernandez, Teoderick Contreras, Eric McGinnis, Rod Soto, and Lou Stella.