Analytics Story: Active Directory Kerberos Attacks

Description

Monitor for activities and techniques associated with Kerberos based attacks within Active Directory environments.

Why it matters

Kerberos, originally named after Cerberus, the three-headed dog of Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third party. This trusted third party issues Kerberos tickets, protected with symmetric encryption, that grant users access to services and network resources according to their privilege level. Kerberos has been the default authentication protocol on Windows Active Directory networks since the introduction of Windows Server 2003. Because Kerberos is the backbone of Windows authentication, adversaries commonly abuse it across the phases of a breach, including initial access, privilege escalation, defense evasion, credential access and lateral movement. This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos based attacks.
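Two of the detections listed in this story, "Kerberoasting spn request with RC4 encryption" and "Unusual Number of Kerberos Service Tickets Requested", both work from Windows Security event 4769 (a Kerberos service ticket was requested). The block below is an added illustration in Python of the logic behind those two analytics run over constructed 4769 records; it is not the Splunk searches from the project itself. It assumes the field names a SIEM extracts from the XmlWinEventLog:Security 4769 event (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress), that 0x17 in TicketEncryptionType denotes RC4-HMAC, and a distinct-service threshold that is an assumption chosen for the sample data.

```python
"""Illustrative detection logic for two analytics named in this story, applied to
constructed Windows Security 4769 events. Added example, not the project's own
Splunk searches. Field names follow the XmlWinEventLog:Security 4769 event data;
the volume threshold is an assumption."""
from collections import defaultdict

# TicketEncryptionType values as they appear in 4769 event data.
RC4_HMAC = "0x17"
AES_TYPES = {"0x11", "0x12"}   # AES128 / AES256, the expected modern types

# Constructed sample events (not real telemetry). Each dict mimics the fields a
# SIEM extracts from one 4769 record.
SAMPLE_EVENTS = [
    # Normal AES ticket for a computer-account service (host SPN ends in "$").
    {"EventCode": "4769", "TargetUserName": "alice@CORP.LOCAL", "ServiceName": "FILESRV01$",
     "TicketEncryptionType": "0x12", "Status": "0x0", "IpAddress": "10.0.0.21"},
    # One requester obtaining RC4 tickets for several user-account SPNs in a row.
    {"EventCode": "4769", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"EventCode": "4769", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_web",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    {"EventCode": "4769", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "svc_backup",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    # Ticket for the KDC account itself; excluded from the user-SPN analytics.
    {"EventCode": "4769", "TargetUserName": "bob@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.55"},
    # Failed request (non-zero Status): no ticket was issued, so it does not count.
    {"EventCode": "4769", "TargetUserName": "carol@CORP.LOCAL", "ServiceName": "svc_sql",
     "TicketEncryptionType": "0x17", "Status": "0x7", "IpAddress": "10.0.0.77"},
    # A TGT request (4768) is a different analytic and is ignored here.
    {"EventCode": "4768", "TargetUserName": "dave@CORP.LOCAL", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "Status": "0x0", "IpAddress": "10.0.0.90"},
]


def _is_user_spn(service_name):
    """True for service accounts backed by user objects. Computer accounts (name$)
    and the krbtgt account are excluded: their tickets are not what Kerberoasting
    targets, and RC4 for them is noisier in mixed-version domains."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def issued_service_tickets(events):
    """Successful 4769 events only: a failed request issues no ticket."""
    return [e for e in events if e.get("EventCode") == "4769" and e.get("Status") == "0x0"]


def rc4_service_ticket_requests(events):
    """Analytic 1 (RC4 service ticket request): successful 4769 events where an
    RC4-HMAC ticket was issued for a user-account SPN. Returns
    (requester, service, source_ip) tuples for triage."""
    return [(e["TargetUserName"], e["ServiceName"], e["IpAddress"])
            for e in issued_service_tickets(events)
            if e.get("TicketEncryptionType") == RC4_HMAC and _is_user_spn(e["ServiceName"])]


def unusual_service_ticket_volume(events, threshold=3):
    """Analytic 2 (unusual number of service tickets): requesters that obtained
    tickets for at least `threshold` distinct user-account SPNs, regardless of
    encryption type. Returns {requester: sorted list of services}."""
    per_user = defaultdict(set)
    for e in issued_service_tickets(events):
        if _is_user_spn(e["ServiceName"]):
            per_user[e["TargetUserName"]].add(e["ServiceName"])
    return {user: sorted(svcs) for user, svcs in per_user.items() if len(svcs) >= threshold}


if __name__ == "__main__":
    for requester, service, ip in rc4_service_ticket_requests(SAMPLE_EVENTS):
        print(f"RC4 service ticket: {requester} -> {service} from {ip}")
    for requester, services in unusual_service_ticket_volume(SAMPLE_EVENTS).items():
        print(f"High service-ticket volume: {requester} requested {services}")
```

On the sample data both analytics converge on the same requester: three RC4 tickets for user-account SPNs from one source address, and three distinct services in the window. The encryption-type check is the higher-fidelity signal in domains where AES is enforced for service accounts; the volume check is the one that still fires when an account's SPN legitimately accepts RC4, which is why the story carries both.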

Detections

Name | Technique | Type
---- | --------- | ----
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Disabled Kerberos Pre-Authentication Discovery With PowerView | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Kerberoasting spn request with RC4 encryption | Steal or Forge Kerberos Tickets, Kerberoasting | TTP
Kerberos Pre-Authentication Flag Disabled in UserAccountControl | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Kerberos Pre-Authentication Flag Disabled with PowerShell | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Kerberos Service Ticket Request Using RC4 Encryption | Steal or Forge Kerberos Tickets, Golden Ticket | TTP
Kerberos TGT Request Using RC4 Encryption | Use Alternate Authentication Material | TTP
Kerberos User Enumeration | Gather Victim Identity Information, Email Addresses | Anomaly
Mimikatz PassTheTicket CommandLine Parameters | Use Alternate Authentication Material, Pass the Ticket | TTP
PetitPotam Suspicious Kerberos TGT Request | OS Credential Dumping | TTP
Rubeus Command Line Parameters | Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting | TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access | Use Alternate Authentication Material, Pass the Ticket | TTP
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP
Suspicious Kerberos Service Ticket Request | Valid Accounts, Domain Accounts | TTP
Suspicious Ticket Granting Ticket Request | Valid Accounts, Domain Accounts | Hunting
Unknown Process Using The Kerberos Protocol | Use Alternate Authentication Material | TTP
Unusual Number of Computer Service Tickets Requested | Valid Accounts | Hunting
Unusual Number of Kerberos Service Tickets Requested | Steal or Forge Kerberos Tickets, Kerberoasting | Anomaly
Windows Computer Account Created by Computer Account | Steal or Forge Kerberos Tickets | TTP
Windows Computer Account Requesting Kerberos Ticket | Steal or Forge Kerberos Tickets | TTP
Windows Computer Account With SPN | Steal or Forge Kerberos Tickets | TTP
Windows Domain Admin Impersonation Indicator | Steal or Forge Kerberos Tickets | TTP
Windows Get-AdComputer Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos | Password Spraying, Brute Force | TTP
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos | Password Spraying, Brute Force | TTP
Windows Multiple Users Failed To Authenticate Using Kerberos | Password Spraying, Brute Force | TTP
Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP
Windows PowerView Kerberos Service Ticket Request | Steal or Forge Kerberos Tickets, Kerberoasting | TTP
Windows PowerView SPN Discovery | Steal or Forge Kerberos Tickets, Kerberoasting | TTP
Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos | Password Spraying, Brute Force | Anomaly
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos | Password Spraying, Brute Force | Anomaly
Windows Unusual Count Of Users Failed To Auth Using Kerberos | Password Spraying, Brute Force | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
---- | -------- | ---------- | ------
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4624 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4627 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4738 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4741 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4768 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4769 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4771 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4781 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1