CAPEC-509: Kerberoasting
Attack Pattern ID: 509
Version: v3.9
Attack Pattern Name: Kerberoasting
Abstraction: Detailed
Status: Stable
Typical Severity: High
▼Description
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and then to access the requested services. As an authenticated user, the adversary may query Active Directory and obtain a service ticket with portions encrypted via RC4 using the targeted service account's key. By extracting the local ticket and saving it to disk, the adversary can brute force the hashed value offline to reveal the target account's credentials.
▼Relationships
Nature: ChildOf
Type: Standard
ID: 652
Name: Use of Known Kerberos Credentials
Nature: CanPrecede
Type: Meta
ID: 151
Name: Identity Spoofing
▼Execution Flow
Experiment
1. Extract ticket and save to disk
Technique: Certain tools like Mimikatz can extract local tickets and save them to memory/disk.
Explore
1. Scan for user accounts with set SPN values
Technique: These can be found via PowerShell or LDAP queries, as well as by enumerating startup name accounts and other means.
2. Request service tickets
Technique: Using the user account's SPN value, request other service tickets from Active Directory.
Exploit
1. Crack the encrypted ticket to harvest plain text credentials
Technique: Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.
▼Prerequisites
The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.
The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).
The adversary requires a brute force tool.
▼Skills Required
Medium
▼Consequences
Scope: Confidentiality
Likelihood: N/A
Impact: Gain Privileges
Note: N/A
▼Mitigations
Monitor system and domain logs for abnormal access.
Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.
Employ the principle of least privilege: limit service accounts' privileges to what is required for functionality and no more.
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
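The two monitoring-related mitigations above (watch domain logs for abnormal access, and prefer AES over RC4) can be turned into concrete detection logic. The following is an added example and not part of the CAPEC entry or its references. It assumes service-ticket requests have been exported from Windows Security Event ID 4769 ("A Kerberos service ticket was requested") as Python dicts whose keys follow that event's EventData field names (TargetUserName, ServiceName, TicketEncryptionType, IpAddress, Status); the sample records, account names and addresses are constructed. It flags successful RC4-encrypted (0x17) ticket requests for user-style service accounts, and separately flags any principal that requests tickets for many distinct service accounts within a short window, which is the enumeration behaviour described in the Explore phase seen from the defender's side.

```python
"""Detection over exported Kerberos TGS-request events (Security Event ID 4769).

Added illustration for the CAPEC-509 mitigations; sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Encryption-type codes as logged in the 4769 TicketEncryptionType field.
RC4_HMAC = 0x17
AES128_CTS_HMAC_SHA1_96 = 0x11
AES256_CTS_HMAC_SHA1_96 = 0x12

# Constructed sample events (field names follow the 4769 EventData schema;
# users, hosts and addresses are invented for this example).
SAMPLE_EVENTS = [
    {"TimeCreated": "2024-03-01T09:00:01", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "WS01$", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"TimeCreated": "2024-03-01T09:01:10", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.21", "Status": "0x0"},
    {"TimeCreated": "2024-03-01T09:10:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77", "Status": "0x0"},
    {"TimeCreated": "2024-03-01T09:10:05", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77", "Status": "0x0"},
    {"TimeCreated": "2024-03-01T09:10:09", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77", "Status": "0x0"},
    {"TimeCreated": "2024-03-01T09:10:12", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "svc_sharepoint", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.77", "Status": "0x0"},
    # Failed request (non-zero Status): no ticket was issued, so nothing to crack.
    {"TimeCreated": "2024-03-01T09:15:30", "TargetUserName": "carol@CORP.EXAMPLE",
     "ServiceName": "svc_db", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.33", "Status": "0x1B"},
    # Request for the KDC's own principal, excluded by the SPN filter below.
    {"TimeCreated": "2024-03-01T09:20:00", "TargetUserName": "dave@CORP.EXAMPLE",
     "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.40", "Status": "0x0"},
]


def parse_ts(value):
    """TimeCreated is exported here as ISO 8601; adjust if your export differs."""
    return datetime.fromisoformat(value)


def is_service_account_spn(service_name):
    """Machine accounts end in '$' and krbtgt is the KDC itself; tickets for any
    other principal belong to user-style service accounts, the targets here."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def rc4_ticket_alerts(events):
    """Return (user, service, ip) for every successful TGS request that was
    encrypted with RC4 for a user-style service account."""
    alerts = []
    for e in events:
        if e.get("Status", "0x0") != "0x0":
            continue  # no ticket issued
        if int(e["TicketEncryptionType"], 16) != RC4_HMAC:
            continue  # AES (or other non-RC4) tickets are far costlier to crack
        if not is_service_account_spn(e["ServiceName"]):
            continue
        alerts.append((e["TargetUserName"], e["ServiceName"], e["IpAddress"]))
    return alerts


def burst_alerts(events, window=timedelta(minutes=5), threshold=3):
    """Return {user: max distinct service-account SPNs requested within `window`}
    for users reaching `threshold`; failed requests count too, since the
    enumeration itself is the signal."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda x: parse_ts(x["TimeCreated"])):
        if is_service_account_spn(e["ServiceName"]):
            by_user[e["TargetUserName"]].append((parse_ts(e["TimeCreated"]), e["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        for i, (t0, _) in enumerate(reqs):  # sliding window starting at each request
            services = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(services) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(services))
    return flagged


if __name__ == "__main__":
    for user, service, ip in rc4_ticket_alerts(SAMPLE_EVENTS):
        print(f"RC4 service ticket: {user} -> {service} from {ip}")
    for user, count in burst_alerts(SAMPLE_EVENTS).items():
        print(f"Burst: {user} requested tickets for {count} distinct service accounts")
```

On the constructed sample the RC4 check reports bob's four requests and nothing else: alice's tickets are AES, carol's request failed, and dave's krbtgt request is not a service-account ticket. The burst check independently flags bob for four distinct service accounts inside five minutes. The thresholds are starting points; tune the window and count against a baseline of your own environment, and once AES is enforced for service accounts any remaining 0x17 event for those SPNs becomes a high-fidelity alert on its own.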
▼Related Weaknesses
CWE-262: Not Using Password Aging
CWE-263: Password Aging with Long Expiration
CWE-294: Authentication Bypass by Capture-replay
CWE-308: Use of Single-factor Authentication
CWE-309: Use of Password System for Primary Authentication
CWE-521: Weak Password Requirements
CWE-522: Insufficiently Protected Credentials
▼Taxonomy Mappings
Taxonomy Name: ATT&CK
Entry ID: T1558.003
Entry Name: Steal or Forge Kerberos Tickets: Kerberoasting
▼References
REF-559: Jeff Warren, "Extracting Service Account Passwords with Kerberoasting", 2017-05-09. URL: https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/
REF-585: "Kerberoasting Without Mimikatz", 2016-11-01. URL: https://www.harmj0y.net/blog/powershell/kerberoasting-without-mimikatz/ (URL date: 2020-05-15)
REF-586: "Invoke-Kerberoast". URL: https://powersploit.readthedocs.io/en/latest/Recon/Invoke-Kerberoast/ (URL date: 2020-05-15)