Analytics Story: Active Directory Kerberos Attacks

Description

Monitor for activities and techniques associated with Kerberos-based attacks within Active Directory environments.

Why it matters

Kerberos, named after Cerberus, the three-headed dog of Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third party. This trusted third party issues Kerberos tickets, protected with symmetric encryption, that grant users access to services and network resources according to their privilege level. Kerberos has been the default authentication protocol on Windows Active Directory networks since the introduction of Windows Server 2003. Because Kerberos is the backbone of Windows authentication, adversaries commonly abuse it across the different phases of a breach, including initial access, privilege escalation, defense evasion, credential access and lateral movement. This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos-based attacks.

Detections

Name | Technique | Type
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | AS-REP Roasting | TTP
Disabled Kerberos Pre-Authentication Discovery With PowerView | AS-REP Roasting | TTP
Kerberoasting spn request with RC4 encryption | Kerberoasting | TTP
Kerberos Pre-Authentication Flag Disabled in UserAccountControl | AS-REP Roasting | TTP
Kerberos Pre-Authentication Flag Disabled with PowerShell | AS-REP Roasting | TTP
Kerberos Service Ticket Request Using RC4 Encryption | Golden Ticket | TTP
Kerberos TGT Request Using RC4 Encryption | Use Alternate Authentication Material | TTP
Kerberos User Enumeration | Email Addresses | Anomaly
Mimikatz PassTheTicket CommandLine Parameters | Pass the Ticket | TTP
PetitPotam Suspicious Kerberos TGT Request | OS Credential Dumping | TTP
Rubeus Command Line Parameters | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access | Pass the Ticket | TTP
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP
Suspicious Kerberos Service Ticket Request | Domain Accounts | TTP
Suspicious Ticket Granting Ticket Request | Domain Accounts | Hunting
Unknown Process Using The Kerberos Protocol | Use Alternate Authentication Material | TTP
Unusual Number of Computer Service Tickets Requested | Valid Accounts | Hunting
Unusual Number of Kerberos Service Tickets Requested | Kerberoasting | Anomaly
Windows Computer Account Created by Computer Account | Steal or Forge Kerberos Tickets | TTP
Windows Computer Account Requesting Kerberos Ticket | Steal or Forge Kerberos Tickets | TTP
Windows Computer Account With SPN | Steal or Forge Kerberos Tickets | TTP
Windows Domain Admin Impersonation Indicator | Steal or Forge Kerberos Tickets | TTP
Windows Get-AdComputer Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP
Windows Multiple Disabled Users Failed To Authenticate Wth Kerberos | Password Spraying | TTP
Windows Multiple Invalid Users Fail To Authenticate Using Kerberos | Password Spraying | TTP
Windows Multiple Users Failed To Authenticate Using Kerberos | Password Spraying | TTP
Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP
Windows PowerView Kerberos Service Ticket Request | Kerberoasting | TTP
Windows PowerView SPN Discovery | Kerberoasting | TTP
Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Process With NetExec Command Line Parameters | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP
Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos | Password Spraying | Anomaly
Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos | Password Spraying | Anomaly
Windows Unusual Count Of Users Failed To Auth Using Kerberos | Password Spraying | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 10 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4624 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4627 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4738 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4741 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4768 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4769 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4771 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4781 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1