{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kerberoasting/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Security"],"_cs_severities":["high"],"_cs_tags":["kerberoasting","credential_access","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic"],"content_html":"\u003cp\u003eThis detection identifies PowerShell scripts leveraging the \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e class to request Kerberos service tickets. Attackers often use this technique to perform Kerberoasting, where they obtain service tickets for various service principal names (SPNs) and crack the associated service account passwords offline. This activity can be indicative of an attacker attempting to gain unauthorized access to sensitive resources within the network. The rule is designed to trigger on potentially malicious uses of \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e while attempting to filter out legitimate uses, such as those within Sentinel breakpoints or authorized Kerberos diagnostic scripts. Defenders should investigate any instances of this activity to determine whether it represents a genuine threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains initial access to a Windows system, potentially through phishing, compromised credentials, or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eExecution:\u003c/strong\u003e The attacker executes a PowerShell script, either interactively or via a scheduled task or other means of remote execution.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObfuscation (Optional):\u003c/strong\u003e The PowerShell script may be obfuscated to evade detection, using techniques such as Base64 encoding or string manipulation.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eTicket Request:\u003c/strong\u003e The script uses the \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e class to request Kerberos service tickets for one or more SPNs.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Collection:\u003c/strong\u003e The script collects the requested service tickets and potentially saves them to a file or transmits them over the network.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e The attacker extracts the Kerberos hashes from the collected tickets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOffline Cracking:\u003c/strong\u003e The attacker uses tools like John the Ripper or Hashcat to crack the service account passwords offline.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation/Lateral Movement:\u003c/strong\u003e Upon successfully cracking the passwords, the attacker uses the compromised credentials to escalate privileges or move laterally within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Kerberoasting attacks can lead to the compromise of service accounts, potentially granting attackers unauthorized access to critical systems and sensitive data. The impact can range from data breaches and financial losses to complete system compromise and disruption of business operations. The rule\u0026rsquo;s medium severity reflects the potential for significant impact if the attack succeeds.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the PowerShell script content necessary for detection, and ensure the logs are being ingested into your SIEM. Reference: \u003ca href=\"https://ela.st/powershell-logging-setup\"\u003eSetup instructions\u003c/a\u003e.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Kerberos Ticket Request\u0026rdquo; to your SIEM to detect suspicious use of \u003ccode\u003eKerberosRequestorSecurityToken\u003c/code\u003e in PowerShell scripts.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on reconstructing the full script content, identifying the targeted SPNs, and analyzing the process execution context to determine if the activity is malicious.\u003c/li\u003e\n\u003cli\u003eReview Windows Security event logs on domain controllers for event ID 4769, filtering for the \u003ccode\u003eTargetUserName\u003c/code\u003e associated with the alerting user to identify related Kerberos ticket requests.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-09T18:45:00Z","date_published":"2024-01-09T18:45:00Z","id":"/briefs/2024-01-09-kerberos-ticket-request/","summary":"This rule detects PowerShell scripts that request Kerberos service tickets using KerberosRequestorSecurityToken, potentially indicating Kerberoasting attacks for offline password cracking of service accounts.","title":"PowerShell Kerberos Ticket Request via KerberosRequestorSecurityToken","url":"https://feed.craftedsignal.io/briefs/2024-01-09-kerberos-ticket-request/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Corretto JDK","UEM Proxy Server","UEM Core","dbeaver.exe","Docker","Chrome","Internet Explorer","PyCharm Community Edition","Firefox","VirtualBox","Puppet","nexpose","Silverfort AD Adapter","Nessus","VMware View","Advanced Port Scanner","DesktopCentral Agent","LanGuard","SAP BusinessObjects","SuperScan","ZSATunnel"],"_cs_severities":["medium"],"_cs_tags":["kerberoasting","credential-access","lateral-movement","windows"],"_cs_type":"threat","_cs_vendors":["Elastic","SentinelOne","Amazon","BlackBerry","DBeaver","Docker","Google","Microsoft","JetBrains","Mozilla","Oracle","Puppet Labs","Rapid7","Silverfort","Tenable","VMware","GFI","SAP","Zscaler"],"content_html":"\u003cp\u003eThis detection identifies unusual processes initiating network connections to the standard Kerberos port (88) on Windows systems. Typically, the \u003ccode\u003elsass.exe\u003c/code\u003e process handles Kerberos traffic on domain-joined hosts. The rule aims to detect processes other than \u003ccode\u003elsass.exe\u003c/code\u003e communicating with the Kerberos port, which could indicate malicious activity such as Kerberoasting (T1558.003) or Pass-the-Ticket (T1550.003). The detection is designed to work with data from Elastic Defend and SentinelOne Cloud Funnel. This can help security teams identify potential credential access attempts and lateral movement within the network.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker compromises a user account or system within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a malicious binary or script (e.g., PowerShell) on the compromised system.\u003c/li\u003e\n\u003cli\u003eThe malicious process attempts to request Kerberos service tickets (TGS) for various services within the domain. This is done by connecting to the Kerberos port (88) on a domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker uses tools like \u003ccode\u003eRubeus\u003c/code\u003e or \u003ccode\u003eKerberoast.ps1\u003c/code\u003e to enumerate and request TGS tickets.\u003c/li\u003e\n\u003cli\u003eThe unusual process (not \u003ccode\u003elsass.exe\u003c/code\u003e) sends Kerberos traffic to the domain controller.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the Kerberos tickets from memory or network traffic.\u003c/li\u003e\n\u003cli\u003eThe attacker cracks the TGS tickets offline to obtain service account passwords (Kerberoasting).\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised service account credentials to move laterally within the network or access sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberoasting or Pass-the-Ticket attack can lead to unauthorized access to sensitive resources and lateral movement within the network. Attackers can compromise service accounts with elevated privileges, potentially leading to domain-wide compromise. Detecting this behavior can help prevent attackers from gaining access to critical assets. While the exact number of victims and sectors targeted are unknown, this technique is widely used by various threat actors in targeted attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Kerberos Traffic from Unusual Process\u0026rdquo; Sigma rule to your SIEM and tune for your environment. Enable network connection logging to capture the necessary traffic.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the process execution chain and potential malicious binaries.\u003c/li\u003e\n\u003cli\u003eReview event ID 4769 for suspicious ticket requests as mentioned in the rule\u0026rsquo;s documentation.\u003c/li\u003e\n\u003cli\u003eExamine host services for suspicious entries as outlined in the original Elastic detection rule using Osquery.\u003c/li\u003e\n\u003cli\u003eMonitor for processes connecting to port 88, filtering out legitimate Kerberos clients like \u003ccode\u003elsass.exe\u003c/code\u003e, using the \u0026ldquo;Detect Kerberos Traffic from Non-Standard Process\u0026rdquo; Sigma rule.\u003c/li\u003e\n\u003cli\u003eInvestigate processes identified by the rule and compare them to the list of legitimate processes to identify unauthorized connections to the Kerberos port.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T14:00:00Z","date_published":"2024-01-03T14:00:00Z","id":"/briefs/2024-01-03-kerberoasting-unusual-process/","summary":"Detects network connections to the standard Kerberos port from an unusual process other than lsass.exe, potentially indicating Kerberoasting or Pass-the-Ticket activity on Windows systems.","title":"Kerberos Traffic from Unusual Process","url":"https://feed.craftedsignal.io/briefs/2024-01-03-kerberoasting-unusual-process/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["kerberoasting","credential-access","windows","spn"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection rule identifies modifications to the \u003ccode\u003eservicePrincipalName\u003c/code\u003e (SPN) attribute of user accounts within Active Directory. Attackers can exploit write privileges over a user account to configure SPNs, enabling them to perform Kerberoasting attacks. While administrators may configure SPNs legitimately, this exposes the account to potential abuse. The risk arises because user-defined passwords are often less complex than machine account passwords, making them vulnerable to cracking. The rule focuses on identifying when a user account is at increased risk due to SPN modifications, indicating potential Kerberoasting vulnerabilities. The original Elastic rule was published on 2022-02-22 and last updated on 2026-05-04.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a system with a user account that possesses write privileges to other user accounts within Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies a target user account for which they want to perform Kerberoasting.\u003c/li\u003e\n\u003cli\u003eThe attacker modifies the \u003ccode\u003eservicePrincipalName\u003c/code\u003e attribute of the target user account using tools like \u003ccode\u003eSetSPN.exe\u003c/code\u003e or PowerShell.\u003c/li\u003e\n\u003cli\u003eA Kerberos client requests a ticket-granting service (TGS) ticket for the modified SPN.\u003c/li\u003e\n\u003cli\u003eThe domain controller encrypts the TGS ticket with the secret key (NTLM hash) of the target user account.\u003c/li\u003e\n\u003cli\u003eThe attacker extracts the encrypted TGS ticket from network traffic or the Kerberos client cache.\u003c/li\u003e\n\u003cli\u003eThe attacker performs offline password cracking on the extracted TGS ticket to recover the plaintext password of the target user account using tools like Hashcat or John the Ripper.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the compromised credentials to gain unauthorized access to resources or perform lateral movement within the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Kerberoasting attacks can compromise user account credentials, potentially leading to unauthorized access to sensitive resources and lateral movement within the network. If privileged accounts are compromised, attackers can gain control over critical systems and data, leading to data breaches, system disruptions, and financial losses. The number of victims depends on the permissions of the compromised account and the scope of the attacker\u0026rsquo;s access.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable and monitor \u0026ldquo;Audit Directory Service Changes\u0026rdquo; in Windows Security Event Logs to generate the events required for the detection rule (reference: \u003ca href=\"https://ela.st/audit-directory-service-changes\"\u003ehttps://ela.st/audit-directory-service-changes\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eDeploy the \u0026ldquo;User account exposed to Kerberoasting\u0026rdquo; Sigma rule to your SIEM and tune it based on your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on identifying the user account that performed the SPN modification and whether the modification was legitimate (reference: Sigma rule).\u003c/li\u003e\n\u003cli\u003eImplement Group Managed Service Accounts (gMSA) for services running under user accounts to ensure strong and automatically rotated passwords (reference: \u003ca href=\"https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview\"\u003ehttps://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview\u003c/a\u003e).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-02T12:00:00Z","date_published":"2024-01-02T12:00:00Z","id":"/briefs/2024-01-kerberoasting-spn-modified/","summary":"Detection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.","title":"User Account ServicePrincipalName Attribute Modified","url":"https://feed.craftedsignal.io/briefs/2024-01-kerberoasting-spn-modified/"}],"language":"en","title":"CraftedSignal Threat Feed — Kerberoasting","version":"https://jsonfeed.org/version/1.1"}