Detections
Analytics
Steal or Forge Kerberos Tickets: Kerberoasting
Description
Adversaries may abuse a valid Kerberos ticket-granting ticket (TGT) or sniff network traffic to obtain a ticket-granting service (TGS) ticket that may be vulnerable to Brute Force.[1][2]Service principal names (SPNs) are used to uniquely identify each instance of a Windows service. To enable authentication, Kerberos requires that SPNs be associated with at least one service logon account (an account specifically tasked with running a service[3]).[4][5][6][7]Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC).[1][2] Portions of these tickets may be encrypted with the RC4 algorithm, meaning the Kerberos 5 TGS-REP etype 23 hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials.
Products, Sensors, and Dependencies
| Product | Dependencies | Data source | Access required | Protocol | Data Collected | Notes |
|---|---|---|---|---|---|---|
| Tenable Identity Exposure | Active Directory | Authenticated AD user | LDAP/S(389/636) | Domain User + SPN | Plugin ID: 22-C-KERBEROS-CONFIG-ACCOUNT:R-KERB-WEAK-CONFIG-ACCOUNT | |
| Tenable Identity Exposure | Password Sync | Active Directory | Privileged AD user | RPC (135 + high ports) | User Password | Plugin ID: 50-C-PASSWORD-HASHES-ANALYSIS:R-WEAK-USER-PASSWORD |
References
Attack Path Technique Details
Framework: MITRE ATT&CK
Family: Credential Access
Technique: Steal or Forge Kerberos Tickets
Sub-Technique: Kerberoasting
Platform: Windows
Products Required: Tenable Identity Exposure
Tenable Release Date: 2022 Q2