CAPEC-509: Kerberoasting
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
Last updated
Overview
CAPEC-509 (Kerberoasting) is a detailed-level attack pattern catalogued by MITRE in the Common Attack Pattern Enumeration and Classification (CAPEC). It describes a recurring method attackers use to exploit software weaknesses.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
Scan for user accounts with set SPN values
- These can be found via Powershell or LDAP queries, as well as enumerating startup name accounts and other means.
- Step 2Explore
Request service tickets
- Using user account's SPN value, request other service tickets from Active Directory
- Step 3Experiment
Extract ticket and save to disk
- Certain tools like Mimikatz can extract local tickets and save them to memory/disk.
- Step 4Exploit
Crack the encrypted ticket to harvest plain text credentials
- Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.
What the attacker needs
Prerequisites
- The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.
- The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).
- The adversary requires a brute force tool.
Skills required
- Medium skill:
Consequences
What a successful CAPEC-509 attack can achieve.
Gain Privileges
Affects: Confidentiality
How to mitigate it
Defenses that reduce the risk of CAPEC-509.
- Monitor system and domain logs for abnormal access.
- Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.
- Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.
- Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
Examples
PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]
Terminology & mappings
Mapped taxonomies
- ATTACK: Steal or Forge Kerberos Tickets:Kerberoasting (1558.003)
Frequently asked questions
Common questions about CAPEC-509.
- What is CAPEC-509?
- Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
- How does a Kerberoasting attack work?
- It typically unfolds over 4 phases. It begins with: Scan for user accounts with set SPN values
- How do you prevent CAPEC-509?
- Monitor system and domain logs for abnormal access.
- What weaknesses does CAPEC-509 target?
- CAPEC-509 exploits 7 CWE weaknesses, including CWE-262 (Not Using Password Aging), CWE-263 (Password Aging with Long Expiration), CWE-294 (Authentication Bypass by Capture-replay), CWE-308 (Use of Single-factor Authentication).
- How severe is CAPEC-509?
- MITRE rates CAPEC-509 as High severity.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-509
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.