CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
Last updated
Overview
Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.
How the attack works
The phases an attacker typically follows to carry out this attack.
- Step 1Explore
[Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.
- An adversary purchases breached Kerberos service account username/password combinations or leaked hashed passwords from the dark web.
- An adversary guesses the credentials to a weak Kerberos service account.
- An adversary conducts a sniffing attack to steal Kerberos tickets as they are transmitted.
- An adversary conducts a Kerberoasting attack.
- Step 2Experiment
[Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access.
- Manually or automatically enter each Kerberos service account credential through the target's interface.
- Attempt a Pass the Ticket attack.
- Step 3Exploit
[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
- Step 4Exploit
[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
- Step 5Exploit
[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.
What the attacker needs
Prerequisites
- The system/application leverages Kerberos authentication.
- The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.
- The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.
- The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.
- The targeted network allows for network sniffing attacks to succeed.
Skills required
- Low skill: Once an adversary obtains a known Kerberos credential, leveraging it is trivial.
Resources required
- A valid Kerberos ticket or a known Kerberos service account credential.
Consequences
What a successful CAPEC-652 attack can achieve.
Gain Privileges
Affects: Confidentiality, Access Control, Authentication
Read Data
Affects: Confidentiality, Authorization
Modify Data
Affects: Integrity
How to mitigate it
Defenses that reduce the risk of CAPEC-652.
- Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.
- Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.
- Do not reuse Kerberos service account credentials across systems.
- Deny remote use of Kerberos service account credentials to log into domain systems.
- Do not allow Kerberos service accounts to be a local administrator on more than one system.
- Enable at least AES Kerberos encryption for tickets.
- Monitor system and domain logs for abnormal credential access.
How to detect it
Indicators that this attack may be underway.
- Authentication attempts use expired or invalid credentials.
- Authentication attempts are originating from IP addresses or locations that are inconsistent with an account's normal IP addresses or locations.
- Data is being transferred and/or removed from systems/applications within the network.
- Suspicious or Malicious software is downloaded/installed on systems within the domain.
- Messages from a legitimate user appear to contain suspicious links or communications not consistent with the user's normal behavior.
Examples
Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]
PowerSploit's Invoke-Kerberoast module can be leveraged to request Ticket Granting Service (TGS) tickets and return crackable ticket hashes. [REF-585] [REF-586]
Terminology & mappings
Mapped taxonomies
- ATTACK: Steal or Forge Kerberos Tickets (1558)
Frequently asked questions
Common questions about CAPEC-652.
- What is CAPEC-652?
- An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
- How does a Use of Known Kerberos Credentials attack work?
- It typically unfolds over 5 phases. It begins with: [Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.
- How do you prevent CAPEC-652?
- Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.
- What weaknesses does CAPEC-652 target?
- CAPEC-652 exploits 9 CWE weaknesses, including CWE-262 (Not Using Password Aging), CWE-263 (Password Aging with Long Expiration), CWE-294 (Authentication Bypass by Capture-replay), CWE-307 (Improper Restriction of Excessive Authentication Attempts).
- How severe is CAPEC-652?
- MITRE rates CAPEC-652 as High severity with medium likelihood of attack.
References
Attack-pattern data is sourced from the MITRE CAPEC catalog (v3.9). Weakness associations link to the corresponding CWE entries on RadicalNotion.AI.
Defend against CAPEC-652
Track the CVEs and weaknesses attackers exploit with this technique, with AI-written analysis and remediation guidance.