Kerberoasting Attack and Detection

Kerberoasting is a common attack used by malicious actors once access has been gained to an organization's internal network and a domain account has been compromised. Kerberoasting allows an attacker to elevate their privileges by gaining access to the passwords of service accounts on the domain.


Key Points

  • Using Kerberoasting, an attacker extracts service account credential hashes from Active Directory for offline cracking, exploiting a combination of weak encryption and poor service account passwords.

  • Kerberoasting is effective because an attacker does not need domain administrator credentials to carry out the attack and can extract service account credential hashes without sending packets to the target.

 

Detecting Kerberoasting:

  • Event ID 4768 (Kerberos TGS Request): the Account Domain field is the DOMAIN FQDN when it should be DOMAIN.
  • Event ID 4769 where the ticket encryption type is RC4 (0x17 or 0x18), the type used in Kerberoasting, and the ticket options are 0x40810000.
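The 4769 indicator above turned into detection logic and run over sample events. This is an added example, not code from the original post. The sample events are constructed in a flattened key=value form for readability; the field names (EventID, AccountName, ServiceName, TicketOptions, TicketEncryptionType, ClientAddress) mirror the Security log fields, but the layout is an assumption, so map them to whatever your SIEM exports. The rule also requires one account to request RC4 tickets for several distinct services, which separates a Kerberoasting sweep from a single legacy RC4 service.

```python
"""Flag 4769 events matching the Kerberoasting indicators: RC4 etype + ticket options 0x40810000."""
import re
from collections import defaultdict

# Ticket Encryption Type codes as they appear in event 4769.
ETYPE_NAMES = {0x11: "AES128", 0x12: "AES256", 0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP"}
RC4_ETYPES = {0x17, 0x18}
KERBEROAST_TICKET_OPTIONS = 0x40810000

# Constructed sample events (not real Windows export output). One user pulls RC4 tickets
# for three service accounts in a row; a workstation ticket and a lone legacy service are noise.
SAMPLE_EVENTS = """\
EventID=4769 AccountName=jsmith@CORP.EXAMPLE ServiceName=WS01$ TicketOptions=0x40810000 TicketEncryptionType=0x12 ClientAddress=::ffff:10.0.0.25
EventID=4769 AccountName=jsmith@CORP.EXAMPLE ServiceName=svc_sql TicketOptions=0x40810000 TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.25
EventID=4769 AccountName=jsmith@CORP.EXAMPLE ServiceName=svc_web TicketOptions=0x40810000 TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.25
EventID=4769 AccountName=jsmith@CORP.EXAMPLE ServiceName=svc_backup TicketOptions=0x40810000 TicketEncryptionType=0x18 ClientAddress=::ffff:10.0.0.25
EventID=4769 AccountName=legacyapp@CORP.EXAMPLE ServiceName=svc_print TicketOptions=0x40810010 TicketEncryptionType=0x17 ClientAddress=::ffff:10.0.0.40
EventID=4768 AccountName=jsmith@CORP.EXAMPLE ServiceName=krbtgt TicketOptions=0x40810010 TicketEncryptionType=0x12 ClientAddress=::ffff:10.0.0.25
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Turn one key=value line into a dict of field name -> raw string."""
    return dict(FIELD_RE.findall(line))


def is_kerberoast_indicator(event):
    """True when a 4769 event carries an RC4 ticket encryption type and ticket options 0x40810000."""
    if event.get("EventID") != "4769":
        return False
    try:
        etype = int(event.get("TicketEncryptionType", "0"), 16)
        options = int(event.get("TicketOptions", "0"), 16)
    except ValueError:
        return False  # malformed field: do not crash the pipeline, just skip
    return etype in RC4_ETYPES and options == KERBEROAST_TICKET_OPTIONS


def find_kerberoasting(log_text, min_services=2):
    """Return {account: [services]} for accounts whose matching 4769 events cover
    at least `min_services` distinct service names. Computer accounts (ending in $)
    are excluded from the per-account count, since those tickets are routine."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        if is_kerberoast_indicator(event) and not event.get("ServiceName", "").endswith("$"):
            hits[event["AccountName"]].add(event["ServiceName"])
    return {acct: sorted(svcs) for acct, svcs in hits.items() if len(svcs) >= min_services}


if __name__ == "__main__":
    for account, services in find_kerberoasting(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

Tune `min_services` to your environment and maintain an allow-list of services that still legitimately negotiate RC4; the 4768 event and the 0x40810010 request in the sample are deliberately left unflagged to show the rule's scope.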

 

Elements of a Kerberoasting Attack

 

Here is how a Kerberoasting attack works in practice:

 

  • To begin with, an attacker compromises the account of a domain user. The user need not have elevated or “administrator” privileges. The attacker then authenticates to the domain.

  • Once the malicious user is authenticated, they receive a ticket granting ticket (TGT) from the Kerberos key distribution center (KDC), signed by the KRBTGT service account in Active Directory.

  • Next, the malicious actor requests a service ticket for the service they wish to compromise. The domain controller retrieves the permissions from the Active Directory database and creates a TGS ticket, encrypting it with the service’s password. As a result, only the service and the domain controller can decrypt the ticket, since they are the only two entities that share that secret.

  • The domain controller provides the user with the service ticket, which is then presented to the service; the service decrypts it and determines whether the user has been granted permission to access it. At this point, an attacker can extract the ticket from system memory and crack it offline.

  • For password cracking, tools such as Impacket, PowerSploit and Empire contain features that automate the process: requesting service tickets and returning crackable ticket hashes in formats suitable for submission to cracking tools such as John the Ripper and Hashcat, which pry plaintext credentials from vulnerable hashes.

Finding Golden and Silver Tickets

 

Purpose: Identify suspicious TGT (Golden) and TGS (Silver) tickets by comparing the MaxTicketAge from the domain policy with the difference between the StartTime and EndTime of each cached authentication ticket.

Data Required: Remote access to collect suspicious tickets, or a scheduled task that writes possible bad tickets to the application event log for log/SIEM review.

Collection Considerations: Consider running local scripts and collecting the application event log rather than running a scan, to reduce noise.

Analysis Techniques: Comparative time analysis of domain policy vs. cached tickets.

 

Identify suspicious TGT (Golden) and TGS (Silver) tickets

  • Event ID: 4624 (Account Logon)
      • The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
  • Event ID: 4672 (Admin Logon)
      • Account Domain is blank when it should be DOMAIN.
  • Event ID: 4768 (Kerberos TGS Request)
      • The Account Domain field is DOMAIN FQDN when it should be DOMAIN.
      • The Account Domain field is blank when it should be DOMAIN.
      • Account Name is a different account from the Security ID.
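The comparative time analysis described above (ticket StartTime to EndTime span versus the domain policy maximum), as an added example that is not part of the original post. The cached-ticket text is constructed and modelled on the layout of Windows `klist` output with an en-US date format; both the layout and the policy values (10 hours for a TGT, 600 minutes for a service ticket, the Default Domain Policy values) are assumptions for this example, and in a real run the limits should be read from the domain policy. TGTs are checked against MaxTicketAge and service tickets against MaxServiceAge, so the script covers both the Golden and the Silver case.

```python
"""Flag cached Kerberos tickets whose lifetime exceeds what the domain policy could have issued."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy limits (Default Domain Policy values); read them from the domain in production.
MAX_TICKET_AGE = timedelta(hours=10)        # MaxTicketAge, applies to TGTs (krbtgt/...)
MAX_SERVICE_AGE = timedelta(minutes=600)    # MaxServiceAge, applies to service tickets

# Constructed sample cache, modelled on klist output. Ticket #1 is a TGT valid for ten years,
# ticket #3 a service ticket valid for ten days; #0 and #2 are within policy.
SAMPLE_KLIST = """\
Cached Tickets: (4)

#0>     Client: jsmith @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/10/2024 9:00:00 (local)
        End Time:   1/10/2024 19:00:00 (local)
        Renew Time: 1/17/2024 9:00:00 (local)

#1>     Client: Administrator @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 1/10/2024 9:05:00 (local)
        End Time:   1/7/2034 9:05:00 (local)
        Renew Time: 1/7/2034 9:05:00 (local)

#2>     Client: jsmith @ CORP.EXAMPLE
        Server: cifs/fs01.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 1/10/2024 9:06:00 (local)
        End Time:   1/10/2024 19:00:00 (local)
        Renew Time: 1/17/2024 9:00:00 (local)

#3>     Client: jsmith @ CORP.EXAMPLE
        Server: cifs/fs02.corp.example @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 1/10/2024 9:10:00 (local)
        End Time:   1/20/2024 9:10:00 (local)
        Renew Time: 1/20/2024 9:10:00 (local)
"""

TICKET_HEADER_RE = re.compile(r"^#(\d+)>\s*(.*)$")
FIELD_RE = re.compile(r"^\s*(Client|Server|Start Time|End Time):\s*(.+?)\s*$")
TIME_FORMAT = "%m/%d/%Y %H:%M:%S"   # assumed en-US klist date layout


@dataclass
class CachedTicket:
    index: int
    client: str
    server: str
    start_time: datetime
    end_time: datetime

    @property
    def is_tgt(self) -> bool:
        """A TGT is issued for the krbtgt service principal."""
        return self.server.lower().startswith("krbtgt/")

    @property
    def lifetime(self) -> timedelta:
        return self.end_time - self.start_time


def _parse_time(value: str) -> datetime:
    # Drop the trailing "(local)" marker before parsing.
    return datetime.strptime(value.split(" (")[0], TIME_FORMAT)


def _build(index: int, fields: dict) -> CachedTicket:
    return CachedTicket(index, fields["Client"], fields["Server"],
                        _parse_time(fields["Start Time"]), _parse_time(fields["End Time"]))


def parse_klist(text: str) -> list:
    """Split klist-style text into CachedTicket records, one per '#N>' block."""
    tickets, index, fields = [], None, {}
    for line in text.splitlines():
        header = TICKET_HEADER_RE.match(line)
        if header:
            if index is not None:
                tickets.append(_build(index, fields))
            index, fields, line = int(header.group(1)), {}, header.group(2)
        if index is None:
            continue  # preamble before the first ticket
        field = FIELD_RE.match(line)
        if field:
            fields[field.group(1)] = field.group(2)
    if index is not None:
        tickets.append(_build(index, fields))
    return tickets


def find_suspicious_tickets(tickets, max_ticket_age=MAX_TICKET_AGE, max_service_age=MAX_SERVICE_AGE):
    """Return tickets whose StartTime-to-EndTime span exceeds the policy maximum for their type."""
    flagged = []
    for ticket in tickets:
        limit = max_ticket_age if ticket.is_tgt else max_service_age
        if ticket.lifetime > limit:
            flagged.append(ticket)
    return flagged


if __name__ == "__main__":
    for t in find_suspicious_tickets(parse_klist(SAMPLE_KLIST)):
        kind = "TGT (possible Golden)" if t.is_tgt else "service ticket (possible Silver)"
        print(f"#{t.index} {t.client} -> {t.server}: {kind}, lifetime {t.lifetime} exceeds policy")
```

Run this locally from the scheduled task the page suggests and write the flagged records to the application event log, so the SIEM collects only exceptions rather than every host's full ticket cache.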

 

 

BloodHound

  • BloodHound is an Active Directory (AD) reconnaissance tool.
  • BloodHound outputs its results as JSON files.
  • BloodHound can collect information about the following objects: users, computers, groups and GPOs.
  • BloodHound can archive the collected data as a ZIP file.
  • Hunt for suspicious process execution via services.exe.
  • Hunt for suspicious process injection.
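A triage script for the BloodHound output artifacts listed above (loose JSON files and a ZIP archive of them), added here as an example; it is not BloodHound's own code. It assumes the collector JSON carries a top-level "meta" object with a "type" key naming the object class (users, computers, groups, gpos) beside a "data" list; that convention is an assumption for this example, so verify it against the collector version you encounter. The sample files are constructed in a temporary directory so the script runs offline.

```python
"""Locate BloodHound-style collector output on disk: *.json files and JSON members of ZIP archives."""
import json
import os
import tempfile
import zipfile

# Object types the page lists as collectable; extend if your collector emits more.
BLOODHOUND_TYPES = {"users", "computers", "groups", "gpos"}


def classify_json(data: bytes):
    """Return the object type if `data` looks like collector output, else None.
    Assumes the {"data": [...], "meta": {"type": ...}} layout described in the lead-in."""
    try:
        doc = json.loads(data)
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(doc, dict) or not isinstance(doc.get("meta"), dict):
        return None
    kind = str(doc["meta"].get("type", "")).lower()
    if kind in BLOODHOUND_TYPES and isinstance(doc.get("data"), list):
        return kind
    return None


def scan_directory(root: str):
    """Walk `root` and return sorted (location, type) pairs for every match.
    ZIP members are reported as 'archive.zip:member.json' so the finding is traceable."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(".json"):
                with open(path, "rb") as fh:
                    kind = classify_json(fh.read())
                if kind:
                    findings.append((path, kind))
            elif zipfile.is_zipfile(path):
                with zipfile.ZipFile(path) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(".json"):
                            kind = classify_json(zf.read(member))
                            if kind:
                                findings.append((f"{path}:{member}", kind))
    return sorted(findings)


def make_sample_tree() -> str:
    """Build a constructed directory: one loose collector file, one archive, one benign JSON file."""
    root = tempfile.mkdtemp(prefix="bh_triage_")
    users = {"data": [{"Properties": {"name": "JSMITH@CORP.EXAMPLE"}}], "meta": {"type": "users", "count": 1}}
    groups = {"data": [], "meta": {"type": "groups", "count": 0}}
    with open(os.path.join(root, "20240110_users.json"), "w") as fh:
        json.dump(users, fh)
    with open(os.path.join(root, "settings.json"), "w") as fh:
        json.dump({"theme": "dark"}, fh)  # ordinary application config, must not be flagged
    with zipfile.ZipFile(os.path.join(root, "20240110_collection.zip"), "w") as zf:
        zf.writestr("20240110_groups.json", json.dumps(groups))
        zf.writestr("readme.txt", "not json")
    return root


if __name__ == "__main__":
    for location, kind in scan_directory(make_sample_tree()):
        print(f"{kind:10} {location}")
```

Point `scan_directory` at user profile and temp directories on a host under investigation; the file name prefixes in the sample are constructed, so classification relies on content rather than names.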
