Silverfort AD Adapter — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/silverfort-ad-adapter/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 03 Jan 2024 14:00:00 +0000Kerberos Traffic from Unusual Processhttps://feed.craftedsignal.io/briefs/2024-01-03-kerberoasting-unusual-process/Wed, 03 Jan 2024 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-03-kerberoasting-unusual-process/Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.This detection identifies unusual processes initiating network connections to the standard Kerberos port (88) on Windows systems. Typically, the lsass.exe process handles Kerberos traffic on domain-joined hosts. The rule aims to detect processes other than lsass.exe communicating with the Kerberos port, which could indicate malicious activity such as Kerberoasting (T1558.003) or Pass-the-Ticket (T1550.003). The detection is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. This can help security teams identify potential credential access attempts and lateral movement within the network.

Attack Chain

  1. An attacker compromises a user account or system within the domain.
  2. The attacker executes a malicious binary or script (e.g., PowerShell) on the compromised system.
  3. The malicious process attempts to request Kerberos service tickets (TGS) for various services within the domain. This is done by connecting to the Kerberos port (88) on a domain controller.
  4. The attacker uses tools like Rubeus or Kerberoast.ps1 to enumerate and request TGS tickets.
  5. The unusual process (not lsass.exe) sends Kerberos traffic to the domain controller.
  6. The attacker extracts the Kerberos tickets from memory or network traffic.
  7. The attacker cracks the offline TGS tickets to obtain service account passwords (Kerberoasting).
  8. The attacker uses the compromised service account credentials to move laterally within the network or access sensitive data.

Impact

A successful Kerberoasting or Pass-the-Ticket attack can lead to unauthorized access to sensitive resources and lateral movement within the network. Attackers can compromise service accounts with elevated privileges, potentially leading to domain-wide compromise. Detection of this behavior can prevent attackers from gaining access to critical assets. While the exact number of victims and sectors targeted are unknown, this technique is widely used by various threat actors in targeted attacks.

Recommendation

  • Deploy the “Kerberos Traffic from Unusual Process” Sigma rule to your SIEM and tune for your environment. Enable network connection logging to capture the necessary traffic.
  • Investigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious binaries.
  • Review event ID 4769 for suspicious ticket requests as mentioned in the rule’s documentation.
  • Examine host services for suspicious entries as outlined in the original Elastic detection rule using Osquery.
  • Monitor for processes connecting to port 88, filtering out legitimate Kerberos clients like lsass.exe, using the “Detect Kerberos Traffic from Non-Standard Process” Sigma rule.
  • Investigate processes identified by the rule and compare them to the list of legitimate processes to identify unauthorized connections to the Kerberos port.
]]>mediumthreatkerberoastingcredential-accesslateral-movementwindows