Description
Through the exploitation of how service accounts use Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and then cracks the hashed credentials of a target service account in order to use its privileges. The Kerberos authentication protocol centers on a ticketing system that is used to request and grant access to services and then to access the requested services. As any authenticated user, the adversary can query Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the ticket locally and saving it to disk, the adversary can brute-force the hashed value offline to reveal the target account's credentials.
Attack Execution Flow
Step 1 (Explore): Scan for user accounts with set SPN values
Attack Techniques
- These can be found via PowerShell or LDAP queries, as well as by enumerating the accounts that services are configured to start under, and other means.
Step 2 (Explore): Request service tickets
Attack Techniques
- Using the user account's SPN value, request service tickets for those services from Active Directory.
Step 3 (Experiment): Extract ticket and save to disk
Attack Techniques
- Certain tools such as Mimikatz can extract local tickets and save them to memory or disk.
Step 4 (Exploit): Crack the encrypted ticket to harvest plaintext credentials
Attack Techniques
- Run a brute-force application or script on the hashed value offline until it is cracked. The shorter the password, the easier it is to crack.
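Every step of the flow above depends on the KDC issuing service tickets encrypted under a service account's key, so the defender's view of it lives in the domain controller's ticket-request telemetry. The following Python is an added example and not part of this CAPEC entry: it parses a constructed, simplified rendering of Windows Security event 4769 ("A Kerberos service ticket was requested") and flags the two things a detection engineer looks for, RC4-HMAC (Ticket Encryption Type 0x17) service tickets for user-type service accounts, and a single requester obtaining many such tickets in a short window. The event ID, field names and encryption-type values are real; the one-line log layout, the account and service names, and the burst thresholds are assumptions made for the example.

```python
"""Added detection example for the Kerberoasting flow (not part of the CAPEC entry).

Parses a constructed, simplified rendering of Windows Security event 4769 and
flags (a) service tickets issued with RC4-HMAC (0x17) for user-type service
accounts and (b) one account requesting tickets for many distinct services in a
short window. Real 4769 events carry the same fields (Account Name, Service
Name, Ticket Encryption Type) but arrive as XML or multi-line text; the
pipe-separated line format below is invented for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # Ticket Encryption Type for RC4-HMAC; AES types are 0x11 and 0x12

# Constructed sample log; the accounts and services are not real telemetry.
SAMPLE_LOG = """\
2024-01-10T09:00:01 | EventID=4769 | AccountName=alice@CORP.LOCAL | ServiceName=WS01$ | TicketEncryptionType=0x12
2024-01-10T09:00:02 | EventID=4769 | AccountName=alice@CORP.LOCAL | ServiceName=krbtgt | TicketEncryptionType=0x12
2024-01-10T09:05:00 | EventID=4769 | AccountName=bob@CORP.LOCAL | ServiceName=svc_sql | TicketEncryptionType=0x17
2024-01-10T09:05:01 | EventID=4769 | AccountName=bob@CORP.LOCAL | ServiceName=svc_web | TicketEncryptionType=0x17
2024-01-10T09:05:01 | EventID=4769 | AccountName=bob@CORP.LOCAL | ServiceName=svc_backup | TicketEncryptionType=0x17
2024-01-10T09:05:02 | EventID=4769 | AccountName=bob@CORP.LOCAL | ServiceName=svc_ftp | TicketEncryptionType=0x17
2024-01-10T09:05:03 | EventID=4769 | AccountName=bob@CORP.LOCAL | ServiceName=svc_mon | TicketEncryptionType=0x17
2024-01-10T11:00:00 | EventID=4769 | AccountName=carol@CORP.LOCAL | ServiceName=svc_sql | TicketEncryptionType=0x17
2024-01-10T11:00:05 | EventID=4768 | AccountName=carol@CORP.LOCAL | ServiceName=krbtgt | TicketEncryptionType=0x12
"""


def parse_log(text):
    """Parse the constructed format into dicts, keeping only 4769 (TGS request) events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = [f.strip() for f in line.split("|")]
        rec = {"time": datetime.fromisoformat(fields[0])}
        for kv in fields[1:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        if rec.get("EventID") != "4769":
            continue
        rec["etype"] = int(rec["TicketEncryptionType"], 16)
        events.append(rec)
    return events


def is_roastable_request(ev):
    """RC4 service ticket for a user-type service account (not krbtgt, not a computer account)."""
    svc = ev["ServiceName"]
    if svc.lower() == "krbtgt" or svc.endswith("$"):
        return False
    return ev["etype"] == RC4_HMAC


def rc4_services_by_account(events):
    """Map each requester to the set of services for which it obtained RC4 tickets."""
    out = defaultdict(set)
    for ev in events:
        if is_roastable_request(ev):
            out[ev["AccountName"]].add(ev["ServiceName"])
    return dict(out)


def burst_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Requesters that obtained >= threshold distinct RC4 service tickets within `window`.

    Returns {account: largest number of distinct services seen in any one window}.
    Threshold and window are tuning assumptions, not recommended values.
    """
    per_account = defaultdict(list)
    for ev in events:
        if is_roastable_request(ev):
            per_account[ev["AccountName"]].append((ev["time"], ev["ServiceName"]))
    alerts = {}
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # advance the window start until the span fits inside `window`
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            distinct = {svc for _, svc in reqs[start:end + 1]}
            if len(distinct) >= threshold:
                alerts[account] = max(alerts.get(account, 0), len(distinct))
    return alerts


def services_still_on_rc4(events):
    """Service accounts that were issued RC4 tickets at all: candidates for AES-only and long random passwords."""
    return {ev["ServiceName"] for ev in events if is_roastable_request(ev)}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("RC4 service tickets by requester:", rc4_services_by_account(evs))
    print("Burst alerts:", burst_alerts(evs))
    print("Services still issued RC4 tickets:", sorted(services_still_on_rc4(evs)))
```

On the sample, alice's requests are ignored (a computer account and krbtgt, both AES), carol's single RC4 ticket is recorded but does not cross the burst threshold, and bob's five RC4 tickets within four seconds produce an alert. The last function is the mitigation side of the same data: any service account that still gets RC4 tickets is one where the offline cracking in Step 4 works against the account's password, so those accounts are the first to move to AES-only encryption types and to long, randomly generated passwords (for example via group managed service accounts).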