Kerberoasting attacks are post-exploitation attack methods that allow attackers to gain access to service account passwords in plaintext and use these credentials to gain entry to other systems and assets that the service account would typically access.
Contrary to other exploits, this technique does not require access to a Domain Admin account or elevated privileges in order to work successfully, making it suitable for use by any attacker who already has access to an account.
What is a Kerberoasting attack?
Kerberoasting is a cyber attack that takes advantage of security vulnerabilities in how Kerberos authentication protocol handles Service Principal Names (SPNs) and Ticket Granting Service (TGS) tickets, using specialized tools. Attackers then leverage these encrypted tickets to extract encrypted Kerberos tickets, crack them open and gain access to sensitive information or network resources. A Kerberoasting attacker does not need to be domain administrator or possess any other special privilege; anyone can snoop on SPN values and request TGS tickets for service accounts – just snoop on SPN values and request TGS tickets –
Once an attacker obtains a valid TGS ticket, they can access Active Directory and attempt to crack password hashes offline for service accounts that they gained privilege in. This post-exploitation phase allows threat actors to gain new privileges that allow further network penetration or compromise additional systems. To safeguard themselves against these attacks, organizations should enact strong password policies for service accounts that require long, complex passwords with frequent rotation in order to hinder offline cracking efforts; additionally monitoring renewal patterns of tickets could reveal any abnormalities that indicate potential attacks.
What is the Kerberos authentication protocol?
Kerberos is an industry-standard protocol designed to secure software applications. Its support is integrated into most major computer operating systems like Windows and Apple macOS, while its central authentication server maintains user information and authenticates users against network services – this enables a single password to provide access to multiple network services without having to frequently change passwords or leave services exposed.
Kerberos stands apart from other security models by using both multi-secret keys and third-party authorization to stop hackers from intercepting passwords over unsecure networks and impersonation attacks. This provides strong identification verification while safeguarding against identity fraud.
Kerberos ticket-granting service (TGS) issues an initial ticket called TGT which contains information regarding what services the client is allowed to access and for how long. When access is requested from clients, TGS sends out an encrypted ticket called a TGT that contains permissions about what services and for how long. Target servers decrypt it using their secret key, extract an authenticator from it, and perform checks against client network addresses and ID numbers against TGT’s authenticator information – this method draws inspiration from Greek mythology as Cerberus was known as guard dog who protected underworld regions from evil forces.
Why are Kerberoasting Attacks Prevalent?
Kerberos is an effective authentication protocol; however, as with any system it can be compromised and attacked by hackers seeking unauthorized entry. They use various techniques to gain entry by accessing system resources or even by stealing password hashes from systems running Kerberos authentication protocols.
Kerberoasting is a widely used post-exploitation technique, which allows attackers to impersonate non-privileged domain users and extract service account credentials from memory even if their passwords change (provided the password hash remains unbroken). This attack method can be leveraged for privilege escalation or network movement within networks.
One effective strategy against such attacks is instituting stringent password policies for service accounts, emphasizing length and complexity, along with regular password rotation to prevent offline cracking attempts.
Honey tokens or decoy accounts equipped with SPNs should also be deployed and monitored to detect suspicious activity, providing another good way of early warning of attacks before too much damage has been done. Furthermore, since these tools don’t use malware like other solutions do and therefore go undetected by traditional cybersecurity solutions that do not analyze user activity closely enough.
How the Kerberoasting Attack Works?
Kerberos-based networks such as Active Directory use tickets to securely authenticate users without transmitting plaintext passwords across the network. When a user requests access for a service account using tickets, an encrypted ticket is sent back from a domain controller (in this case) directly to that SPN’s associated account; an attacker then decrypts this ticket and can obtain a hash of that SPN’s password hash from within it.
Once an attacker obtains SPN and service account password hashes, they can use them to gain access to additional systems and resources with new privileges – this practice is known as horizontal privilege escalation and poses a significant threat to any organization relying on Kerberos authentication protocols for authentication purposes.
Effective detection of this kind of attack requires employing multiple tactics, including security solutions that deploy and monitor honey tokens – which act as fake service accounts that act as bait for advanced attackers conducting reconnaissance in Active Directory – using honey traps that detect when these advanced attackers attempt to gain entry by sending service ticket requests, which will log as Event 4769 in Kerberos audit log.
1. Enumerate servicePrincipalNames
Kerberos attacks require several steps, with the primary one being the identification of service accounts and their Service Principal Names (SPNs) within Active Directory. Once identified, attackers can then request Ticket Granting Service tickets (TGSs) associated with that SPN which will contain encrypted TGS tickets that contain password hashes from all linked services accounts.
Credentials provide access to elevated network assets. To reduce these risks, organizations can implement best practices for service account security: setting passwords with strong encryption values, updating them regularly, using group managed service accounts (gMSAs) as the source for services accounts and monitoring for anomalous activity. In addition, advanced threat detection tools like Semperis Directory Services Protector can actively detect patterns consistent with Kerberoasting attacks to further bolster defenses against post-exploitation attacks in an AD environment – click here for more details about how Semperis can help safeguard AD environments from exploited resources!
2. Request TGS tickets & extract password hashes
Once an attacker has access to a list of privileged service accounts, they can request TGS tickets using their login-time proof-of-identity ticket and order TGSs with password hashes associated with each TGS ticket – using special software tools they can then penetrate deeper into targeted resources by stealing mission critical data, increasing privileges or installing malware.
This phase of an attack requires no elevated privileges and can be performed by any domain user. By impersonating non-privileged domain users with preset SPN values, an attacker can use TGS tickets to attempt to crack NTLM hashes and retrieve plaintext passwords – without accessing domain controllers or directory services directly.
Mitigating Kerberoasting attacks requires multifactor authentication (MFA), centralized password management and regular password changes, along with policy settings to limit how often TGS tickets can be obtained by users for a service – this policy setting can help contain Kerberoasting attacks and reduce their impact on business operations.
3. Crack the passwords offline
Kerberoasting is one of the most prevalent and dangerous attacks to enterprises, taking advantage of weak encryption and poor service account password hygiene to gain entry to network resources and steal valuable information. Once an attacker impersonating non-privileged domain users with predetermined SPN attributes requests a ticket granting service ticket (TGS), captures it, then uses various tools to crack its password hashes offline using offline tools – giving access to network resources or valuable data.
To mitigate Kerberoasting attacks, organizations should establish strong password hygiene by mandating complex, long passwords with at least 30 characters long and minimum length requirements of at least three characters long. To further decrease their likelihood, organizations can enable group managed service accounts with password management capabilities and manage them properly to reduce attack risks. While these strategies can significantly lower attack risks, their implementation can prove more challenging as most detection guidelines for post-exploitation attacks rely on domain controller logs alone as evidence of Kerberoasting activity; such an approach cannot reliably detect such attacks as it depends upon post-exploitation rather than pre-exploitation attacks in domain controller logs alone for detection – an approach unreliable in its ability to detect Kerberoasting.
4. Use new privileges to further objectives
After cracking the password for a service account, attackers can leverage it to gain entry to privileged systems and resources. For instance, their new credentials could enable them to gain entry through ticket granting services issued by Active Directory domain users with administrator privileges – such as network file servers.
Threat actors, penetration testers and red teams frequently employ this tactic in their arsenals as it allows them to access service account credentials without sending packets back and forth between authentication servers and service accounts. Furthermore, it allows attack movers to gain approval as approved users so as to move targets without raising suspicions.
To defend against Kerberoasting attacks, password hygiene best practices across your enterprise are key. Specifically, making sure all service accounts use long and complex passwords which are regularly changed as well as group managed to eliminate single points of failure is key. StrongDM can provide multi-factor authentication solutions which combine central password management with multi-factor authentication that protect Active Directory users against attacks like Kerberoasting.
Kerberoasting Attacks Aren’t Going Away Anytime Soon
Kerberoasting attacks are all too frequent and can have disastrous repercussions, but using the principle of least privilege and centralized password management, organizations can significantly decrease risk to both service accounts and users.
Threat actors use valid ticket granting service (TGS) tickets to obtain plaintext password hashes of domain user accounts in Active Directory. Once obtained, attackers work offline to crack them and gain entry to targeted systems.
Kerberoasting Attack Example
Kerberoasting attacks use the security properties of Kerberos to exploit vulnerabilities in service accounts, usually user service accounts with passwords chosen by humans rather than complex host-based computer accounts (MACHINENAME$), which have complex passwords with random 128-character combinations. User service accounts tend to use shorter, simpler passwords compared to host accounts (MACHINENAME$).
Kerberoasting attacks involve an attacker using a compromised domain user account to enumerate Service Principal Names (SPNs) associated with service accounts in order to obtain Ticket Granting Service tickets for them. Once this ticket has been acquired, an attacker can crack its associated password hash offline with software like hashcat in order to access service accounts and take further lateral movements within the network – potentially leading to multiple post-exploitation scenarios. While most organizations employ robust authentication and password policies, Kerberoasting attacks remain viable even today in many environments.
Kerberoasting Attack Detection & Prevention
Kerberoasting attacks aren’t a thing of the past and won’t go away anytime soon. These sophisticated cyber attacks exploit flaws in Kerberos authentication protocol to gain privileged access, giving hackers access to service tickets which allow them to gain unauthorised entry to critical systems and data.
Imagine that you are being allowed on a Ferris wheel ride with only your ticket allowing entry – in this instance it would be a service ticket with encrypted password hashes of accounts linked to them and any of these password hashes decrypted could lead hackers directly into taking control of these accounts and their privileges.
Many cybersecurity best practices can help to lessen these attacks, including strong password enforcement and multi-factor authentication. Also crucial: retiring outdated symmetric key encryption protocols like RC4 in favor of more secure alternatives; monitoring Active Directory can alert security teams to suspicious activities including any unusual service ticket requests or access attempts that occur;
Identity Security
No matter the efforts of security communities to deter and mitigate attacks on Kerberos authentication protocols, malicious individuals continue to find ways of exploiting flaws within these protocols to breach your perimeter and gain a foothold inside. Once inside, they then attempt to gain entry further into network resources in order to steal mission-critical data or cause havoc, thus underscoring why identity security plays an integral role in any successful cyber defense plan.
By default, Kerberos provides service tickets (TGSs) for Active Directory user accounts with service principal names (SPNs), using password hashes associated with those SPNs as keys for encryption of TGS tickets. If an attacker manages to intercept one either from memory or network traffic sniffing they could then use tools like Mimikatz to decrypt SPN NTLM plaintext password hashes using TGS tickets as the keys.
Defenders should prioritize complex service account passwords that change frequently and monitor event id 4769 (Kerberos RC4 ticket encryption) to detect suspicious activity; this non-malware detection technique has proven very successful in spotting attacks against these systems.
Threat Hunting
Detection and response tools are vital tools in stopping attacks before they cause irreparable damage, yet organizations must keep pace with evolving threat actors who constantly adapt their attack methods. To stay ahead, organizations should implement prevention technology with detection capabilities capable of monitoring changes to network configurations or traffic patterns or even anomalous behavior that may cause disruptions in operations.
Kerberoasting is a post-exploitation attack employed by hackers for persistence, privilege escalation and lateral movement within compromised systems. Attackers typically utilize the Kerberos protocol to gain password hashes for Active Directory service accounts with Service Principal Names (SPN). It has become popular with adversaries since this type of attack requires minimal online time commitment without incurring malware blockers like antivirus software.
Cracking hashes offline also allows attackers to bypass network activity or account logins and work without creating suspicious network activity or account logins. Once an attacker obtains a service ticket, they can take over an account with its associated permissions – organizations should abide by the principle of least privilege by only giving administrative privileges to a limited number of accounts.
Deception Technology
Deception technology has quickly become the go-to security solution in large enterprises as well as lean teams at mid-market organizations, helping security teams detect sophisticated attacks more easily while gathering actionable intelligence with less false positives than before and saving analysts the hassle of tracking ghosts down.
Chanakya, Sun Tzu, Genghis Khan and others used military deception tactics like misdirection, camouflage and subterfuge to conquer continents; today cyber defenses employ similar strategies of misdirection to trick adversaries into misusing resources while revealing themselves for defense to take advantage of the situation. Deception may be deployed at perimeter, endpoint, applications network infrastructure infrastructure as well as often neglected environments like ICS/SCADA/IoT and cloud environments.
Signature-based detection provides highly accurate yet threat specific alerts (for instance the propeller signature of a submarine), while deception offers more of a middle ground solution–highly accurate with wide threat coverage (like radar signals that detect all kinds of submarines). A deception deployment thus offers highly confident alerts while simultaneously decreasing attacker dwell times and giving defenders time to act before it’s too late.
Endpoint Protection Platform
The best way to prevent Kerberoasting attacks is with a comprehensive endpoint protection platform. This platform must be able to monitor the exchange of data inside and outside your network and identify unauthorized or undefined events that could threaten your business.
It should also have prevention features that stop malware, exploits, LOLBins, Macros and script-based attacks. It should also be able to detect credential-based attacks like stealing or hijacking passwords and tokens. And, it should have EDR features that allow for remote remediation and advanced threat detection.
Ensure all service accounts have strong passwords and are changed frequently. Use group managed service accounts (gMSAs) to automate password management. And, deploy deception technology to lure attackers into a honeypot and gather useful intelligence about their attack techniques.
Invest in a cloud-based EPP solution that offers continuous monitoring of your endpoints and detection based on behavioral analysis. A good solution will reduce alert fatigue by filtering out irrelevant and suspicious activity. It should also have a searchable, central UI to manage your security incidents.
How to Protect and Mitigate Kerberoasting Attacks?
As with other cyber-attacks, Kerberoasting attacks require multiple security strategies to mitigate. Organizations should follow best practices when it comes to password hygiene such as using password managers for service accounts with long, complex passwords that should be changed regularly for added protection against exploitation. They could also use Group Managed Service Accounts (gMSAs) centrally manage passwords thereby eliminating the need for domain administrators to manually manage each account’s credentials separately.
Attackers may employ different tools to break into Active Directory databases and access password hashes stored there, which they then can use to gain entry to sensitive data and resources within networks.
Kerberoasting is a post-exploitation attack used by hackers once they have gained entry to an enterprise network and are conducting reconnaissance for privilege escalation and lateral movement. Hackers impersonate valid domain-joined users, request TGS tickets associated with service principal names associated with those service principal names, capture and store it temporarily before using password cracking software such as Hashcat or John the Ripper to dump it offline later – an easier attack compared to others because no root account or system privilege is needed to perform this attack.
Kerberoasting and Mimikatz
Kerberoasting has quickly become a widely utilized attack technique by malicious actors as it provides them with access to TGS tickets (Ticket Granting Service Tickets) for an AD SPN even while offline, providing them with the means to decode passwords, exploit access rights, modify critical settings or steal sensitive data.
An attacker begins by gathering SPNs of an account with desirable privileges, such as administrator-level. Once done, they use software to extract all SPNs & associated service tickets from memory before using this data to crack password hashes of that account and access services or pivot later in the network.
Organizations looking to combat Kerberoasting should implement best practices such as providing all service accounts with lengthy, complex passwords that change regularly and using Group Managed Service Accounts (gMSAs). Furthermore, deception technology can detect suspicious activity & notify of compromised users, servers or networks; while multi-factor authentication solutions as well as network monitoring systems or malware protection can all help mitigate Kerberoasting attacks.
Kerberoasting and Golden Tickets
Enterprises looking to protect service accounts against Kerberoasting attacks should regularly review Windows event logs for signs of suspicious activity; such as multiple requests for Ticket Granting Service tickets for the same service (Event 4769). This activity could indicate an attack is underway.
Should an attacker gain a service ticket, they can use offline password cracking techniques to attempt and extract account credential hashes in order to gain entry to protected systems and gain entry via their credentials hashes. From here they may perform lateral network movement, privilege escalation or gain access to sensitive systems like databases.
Organizations can bolster their defenses against post-exploitation attacks by employing Active Directory honeypots that simulate compromised service accounts. Defenders can set traps to lure in advanced attackers and warn when they attempt to log-in or submit service ticket requests. Administrators can deploy technologies like Qomplx’s to monitor domain user accounts for signs of these attacks and trigger alerts when an account generates large TGS requests to unprotected services. Finally, administrators can implement policies limiting maximum lifetime for service tickets that limit how long an attacker can access tickets for hacking opportunities reducing hacking opportunities overall.
Kerberoasting and Silver Tickets
Kerberoasting is a post-exploitation attack that exploits vulnerabilities within Microsoft’s Kerberos protocol to harvest password hashes for domain user accounts. Once attackers have harvested them using OS credential dump or offline cracking (Kerberoasting), they can forge Kerberos Ticket Granting Service tickets and gain access to specific target services.
A silver ticket attack works similarly to its golden ticket counterpart, except it targets specific service accounts instead of domain user accounts. These service accounts often use SPN values as honeypot accounts within networks, providing attackers with valid SPN service tickets which allow them to elevate privileges by passing it along to another user account.
Detecting Silver Tickets requires organizations to monitor for abnormalities in data sent between DCs and services, specifically by reviewing service ticket description fields like Account Name, User ID and Service Name for anomalous information or any unusual patterns of renewals. Limiting how long service tickets remain active also reduces attack potential while education users on digital hygiene practices such as strong password usage can help mitigate against being an easy target of Kerberoasting attacks.
Final Thoughts
In both incidents – the FIN7 backdoor incident and APT29 Solorigate attack – cyber attacks relied upon exploiting weaknesses in Kerberos authentication to gain entry to key systems and data. By cracking passwords of service accounts to gain lateral movement within networks, attackers were able to gain entry.
Kerberoasting attacks differ from traditional cybersecurity solutions in that they do not rely on malware for attack, making it more difficult to detect. Furthermore, its offline nature allows attackers to remain undetected until triggering alerts or flagging red flags in logs.
To avoid these attacks, organizations should focus on protecting their Active Directory environments. This can include eliminating obsolete encryption protocols like RC4, upgrading TGTs to AES-256 encryption standards, and creating security policies to ensure only authorized individuals can log on using valid credentials. Monitor the activities and behavior of their approved users to detect suspicious login activity, using PowerShell queries, reporting and vulnerability analysis systems or advanced attack path management software like Bloodhound Enterprise. With such tools in hand, organizations can effectively prevent bad actors from accessing sensitive data and stealing mission-critical assets.