An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
Description
Attack Execution Flow
5
1
Step 1
Explore[Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.
An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.
An adversary guesses the credentials to a weak Kerberos service account.
An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.
An adversary conducts a Kerberoasting attack.
AI Translation
[Acquisizione di credenziali Kerberos note] L’avversario deve ottenere credenziali Kerberos note per accedere al sistema, all’applicazione o al servizio di destinazione all’interno del dominio.
Un avversario acquista combinazioni di username/password di account di servizio Kerberos compromessi o hash di password trapelati dal dark web.
Un avversario indovina le credenziali di un account di servizio Kerberos debole.
Un avversario conduce un attacco di sniffing per rubare i ticket Kerberos mentre vengono trasmessi.
Un avversario conduce un attacco di Kerberoasting.
Attack Techniques
-
An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.
-
An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.IT: Un adversario acquista combinazioni di nome utente/password di account di servizio Kerberos compromessi o hash di password trapelati dal dark web.
-
An adversary guesses the credentials to a weak Kerberos service account.IT: Un adversario acquista combinazioni di nome utente/password di account di servizio Kerberos compromessi o hash di password trapelati dal dark web.
-
An adversary conducts a Kerberoasting attack.IT: Un adversario acquista combinazioni di nome utente/password di account di servizio Kerberos compromessi o hash di password trapelati dal dark web.
2
Step 2
Experiment[Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access.
Manually or automatically enter each Kerberos service account credential through the target's interface.
Attempt a Pass the Ticket attack.
AI Translation
[Tentativo di autenticazione Kerberos] Prova ogni credenziale Kerberos contro diverse risorse all'interno del dominio fino a ottenere l'accesso al target.
Inserisci manualmente o automaticamente ogni credenziale dell'account di servizio Kerberos tramite l'interfaccia del target.
Tentativo di attacco Pass the Ticket.
Attack Techniques
-
Manually or automatically enter each Kerberos service account credential through the target's interface.
-
Attempt a Pass the Ticket attack.IT: Inserire manualmente o automaticamente le credenziali di ogni account di servizio Kerberos tramite l'interfaccia del target.
3
Step 3
Exploit[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
AI Translation
[Impersonate] Un avversario può utilizzare esperimenti o autenticazioni riuscite per impersonare un utente o sistema autorizzato, o per muoversi lateralmente all’interno del dominio
4
Step 4
Exploit[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
AI Translation
[Spoofing] Dati dannosi possono essere iniettati nel sistema target o in altri sistemi del dominio. L'attore malevolo può anche impersonare un utente legittimo del dominio per eseguire attacchi di social engineering.
5
Step 5
Exploit[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.
AI Translation
[Data Exfiltration] L'avversario può ottenere dati sensibili contenuti nei sistemi o nelle applicazioni di dominio.
Mitigations
7
Ensure Kerberos Service Accounts Are Not Reusing Username/Password Combinations For Multiple Systems, Applications, Or Services.
Deny Remote Use Of Kerberos Service Account Credentials To Log Into Domain Systems.
Enable At Least Aes Kerberos Encryption For Tickets.
Create A Strong Password Policy And Ensure That Your System Enforces This Policy For Kerberos Service Accounts.
Do Not Reuse Kerberos Service Account Credentials Across Systems.
Do Not Allow Kerberos Service Accounts To Be A Local Administrator On More Than One System.
Monitor System And Domain Logs For Abnormal Credential Access.
Consequences
Security Scopes Affected
Access Control
Authentication
Authorization
Confidentiality
Integrity
Potential Impacts
Gain Privileges
Modify Data
Read Data
Indicators
5
Authentication attempts are originating from IP addresses or locations that are inconsistent with an account's normal IP addresses or locations.
Authentication attempts use expired or invalid credentials.
Data is being transferred and/or removed from systems/applications within the network.
Suspicious or Malicious software is downloaded/installed on systems within the domain.
Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.
Relationships
Parent CAPECs
Related ATT&CK Techniques
1
T1558
Steal or Forge Kerberos Tickets
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is …
Resources Required
1
A valid Kerberos ticket or a known Kerberos service account credential.