{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/kerberos/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","spn-spoofing","dns","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThis detection identifies a specific pattern in DNS queries indicative of Kerberos SPN spoofing, a technique used to coerce systems into authenticating to attacker-controlled hosts. The pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; represents a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers exploit this by crafting malicious DNS names to trick victim systems into requesting Kerberos tickets for legitimate services, often their own identity, but directed towards an attacker-controlled endpoint. This can lead to Kerberos relay or NTLM reflection/relay attacks, bypassing normal NTLM fallback mechanisms. The technique is associated with tools like RemoteKrbRelay and wspcoerce. This activity has been observed in various attacks targeting Windows environments where Kerberos authentication is prevalent. 
Defenders need to detect and mitigate this early stage of credential access.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target Windows system within the network.\u003c/li\u003e\n\u003cli\u003eThe attacker sets up a malicious server to receive coerced authentication requests.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious DNS query containing a base64-encoded blob \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; representing a marshaled CREDENTIAL_TARGET_INFORMATION structure.\u003c/li\u003e\n\u003cli\u003eThe victim system, triggered by an external factor (e.g., RPC call, scheduled task, or web request), attempts to resolve the crafted DNS name.\u003c/li\u003e\n\u003cli\u003eThe malicious DNS query is sent to the DNS server, which resolves to the attacker\u0026rsquo;s server.\u003c/li\u003e\n\u003cli\u003eThe victim system initiates a Kerberos authentication request to the attacker\u0026rsquo;s server, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s server relays the Kerberos ticket or uses NTLM reflection/relay techniques to gain unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker compromises the victim system or pivots to other systems within the network using the stolen credentials.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to credential compromise, lateral movement, and domain takeover. Victims in Active Directory environments are particularly vulnerable. The impact includes unauthorized access to sensitive data, disruption of services, and potential ransomware deployment. If the coerced service has high privileges, the attacker can gain complete control over the compromised system or even the entire domain. 
Organizations using Kerberos authentication are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u0026ldquo;Potential Kerberos SPN Spoofing via Suspicious DNS Query\u0026rdquo; rule to your SIEM and tune for your environment to detect malicious DNS queries.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 - DNS Query logging to provide the necessary data for detection.\u003c/li\u003e\n\u003cli\u003eInvestigate and block any DNS queries resolving to external IPs that contain the \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo; pattern.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for processes initiating DNS queries containing the suspicious pattern, specifically looking for known coercion tools.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of lateral movement if a system is compromised.\u003c/li\u003e\n\u003cli\u003eReview and harden Kerberos configurations to prevent SPN spoofing and relay attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-01T17:31:25Z","date_published":"2026-05-01T17:31:25Z","id":"/briefs/2024-10-kerberos-spn-spoofing-dns/","summary":"Detects suspicious DNS queries containing a base64-encoded blob, indicating potential Kerberos coercion attacks and SPN spoofing via DNS to coerce authentication to attacker-controlled hosts, enabling Kerberos or NTLM relay attacks.","title":"Potential Kerberos SPN Spoofing via Suspicious DNS Query","url":"https://feed.craftedsignal.io/briefs/2024-10-kerberos-spn-spoofing-dns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8,"id":"CVE-2026-27912"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","kerberos","windows","cve-2026-27912"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-27912 exposes an improper authorization flaw within the Windows Kerberos authentication protocol. 
This vulnerability allows an attacker who has already gained authorized access to an adjacent network to escalate their privileges. Successful exploitation of this vulnerability could lead to a complete compromise of the affected system. The vulnerability was reported to Microsoft and assigned CVE-2026-27912. Details regarding the specific Kerberos implementation flaws are still emerging, but the impact of successful exploitation is significant, potentially affecting all systems utilizing the flawed Kerberos implementation for authentication and authorization. This vulnerability highlights the importance of maintaining updated systems and promptly applying security patches.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains initial access to an adjacent network, possibly through compromised credentials or other network vulnerabilities.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages valid credentials to authenticate to a Kerberos service within the Windows domain.\u003c/li\u003e\n\u003cli\u003eThe attacker exploits the improper authorization vulnerability (CVE-2026-27912) in the Kerberos implementation.\u003c/li\u003e\n\u003cli\u003eThe attacker requests a service ticket with modified or elevated privileges.\u003c/li\u003e\n\u003cli\u003eThe Kerberos service improperly grants the ticket with elevated privileges due to the authorization flaw.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the forged Kerberos ticket to authenticate to other services or resources within the domain.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive data or performs administrative actions.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves privilege escalation and potentially compromises the entire domain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27912 could allow an attacker to 
escalate privileges and gain unauthorized access to sensitive information. Given the nature of Kerberos as a central authentication service, this vulnerability has the potential to impact numerous systems within a domain. This could lead to data breaches, system compromise, and ultimately a complete loss of confidentiality, integrity, and availability of critical resources. The vulnerability has a CVSS v3.1 score of 8.0 (High).\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the security patch released by Microsoft to address CVE-2026-27912 immediately on all Windows systems (reference: \u003ca href=\"https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27912\"\u003ehttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-27912\u003c/a\u003e).\u003c/li\u003e\n\u003cli\u003eMonitor Kerberos authentication logs for suspicious ticket requests or anomalies following patch deployment (enable Kerberos auditing on domain controllers).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided below to detect potential exploitation attempts by monitoring for specific Kerberos events.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the scope of potential damage from an adjacent network compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-15T12:00:00Z","date_published":"2026-04-15T12:00:00Z","id":"/briefs/2026-04-kerberos-privesc/","summary":"CVE-2026-27912 describes an improper authorization vulnerability in Windows Kerberos, enabling an attacker on an adjacent network with valid credentials to elevate privileges.","title":"Windows Kerberos Improper Authorization Privilege Escalation 
(CVE-2026-27912)","url":"https://feed.craftedsignal.io/briefs/2026-04-kerberos-privesc/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-20929"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["kerberos","relay","adcs","cve-2026-20929","credential-access"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-20929, a vulnerability patched in January 2026, allows attackers to perform Kerberos authentication relay attacks by abusing DNS CNAME records. The attack involves manipulating DNS resolution to redirect a client\u0026rsquo;s Kerberos authentication request to an attacker-controlled server. This server then relays the authentication to Active Directory Certificate Services (AD CS) to enroll certificates on behalf of the victim user. This technique allows the attacker to gain persistent access to the domain. The vulnerability has a CVSS score of 7.5. This attack is a Kerberos-based variant of the ESC8 attack, which traditionally relies on NTLM relay. By exploiting Kerberos, the attack can bypass environments where NTLM has been disabled. 
The primary target is the AD CS web enrollment endpoint (/certsrv).\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe victim attempts to access a web server (e.g., web01.test.local).\u003c/li\u003e\n\u003cli\u003eA DNS query is initiated to resolve the hostname of the target web server.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the DNS query and responds with a crafted DNS response containing a CNAME record that redirects the original hostname (web01.test.local) to an attacker-controlled target (e.g., CA01.test.local), along with an A record pointing to the attacker\u0026rsquo;s IP address.\u003c/li\u003e\n\u003cli\u003eThe victim\u0026rsquo;s system accesses the attacker-controlled web server.\u003c/li\u003e\n\u003cli\u003eThe malicious web server sends a 401 HTTP response to initiate Kerberos authentication.\u003c/li\u003e\n\u003cli\u003eThe victim requests a Kerberos service ticket for HTTP/CA01.test.local from the domain controller.\u003c/li\u003e\n\u003cli\u003eThe domain controller issues a service ticket for the requested SPN.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the Kerberos ticket to the AD CS web enrollment endpoint (/certsrv) to request a certificate for the victim user, thereby achieving persistent access.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-20929 allows an attacker to enroll certificates on behalf of domain users, granting them persistent access to the network. Certificates are often valid for extended periods (1+ years) and are less frequently monitored than password-based authentication. This attack can bypass controls that disable NTLM authentication, and web enrollment over HTTP prevents Channel Binding Token (CBT) protection, making AD CS web enrollment an attractive relay target. 
The number of potential victims depends on the number of vulnerable AD CS deployments.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for anomalous certificate-based authentication events combined with unusual AD CS service access within a short time window, as highlighted in the \u0026ldquo;CrowdStrike has developed a correlation-based detection\u0026rdquo; statement in the overview.\u003c/li\u003e\n\u003cli\u003eDisable web enrollment over HTTP to enforce Channel Binding Token (CBT) protection, mitigating the risk of successful relay attacks, as mentioned in the \u0026ldquo;Why AD CS Web Enrollment Is an Attractive Relay Target\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eReview and harden AD CS configurations based on recommendations from \u0026ldquo;Certified Pre-Owned\u0026rdquo; research to reduce the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-31T17:49:30Z","date_published":"2026-03-31T17:49:30Z","id":"/briefs/2026-04-kerberos-relay-cname/","summary":"An attacker exploits CVE-2026-20929 by manipulating DNS responses to redirect Kerberos authentication to attacker-controlled AD CS, enabling certificate enrollment for persistent access.","title":"Kerberos Authentication Relay via DNS CNAME Abuse (CVE-2026-20929)","url":"https://feed.craftedsignal.io/briefs/2026-04-kerberos-relay-cname/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["medium"],"_cs_tags":["kerberos","authentication","security-bypass"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA vulnerability exists within MIT Kerberos that allows an unauthenticated, remote attacker to bypass security mechanisms. 
The specific nature of the vulnerability is not detailed in this advisory, but the potential impact is significant due to Kerberos\u0026rsquo; central role in authentication and authorization. The advisory, published by the German BSI (Bundesamt für Sicherheit in der Informationstechnik), highlights the potential for attackers to gain unauthorized access or escalate privileges within a Kerberos-protected environment. Defenders should investigate available patches and mitigations to prevent exploitation.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable MIT Kerberos implementation.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request to exploit the Kerberos vulnerability, likely targeting a specific service or protocol weakness.\u003c/li\u003e\n\u003cli\u003eThe malicious request bypasses authentication or authorization checks due to the vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to a Kerberos-protected resource or service.\u003c/li\u003e\n\u003cli\u003eDepending on the exploited vulnerability, the attacker may impersonate a legitimate user or service.\u003c/li\u003e\n\u003cli\u003eThe attacker performs unauthorized actions, such as accessing sensitive data or executing commands.\u003c/li\u003e\n\u003cli\u003eThe attacker escalates privileges within the Kerberos realm, potentially compromising the entire authentication infrastructure.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could lead to widespread unauthorized access and privilege escalation within Kerberos-dependent environments. The number of affected organizations is currently unknown, but the potential impact is significant due to the widespread use of Kerberos for authentication in enterprise networks. 
A successful attack could allow an attacker to compromise critical systems, steal sensitive data, and disrupt essential services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor Kerberos authentication logs for anomalies indicative of exploitation attempts (see generic rule below).\u003c/li\u003e\n\u003cli\u003eInvestigate and apply any available patches or workarounds released by MIT Kerberos to address the vulnerability.\u003c/li\u003e\n\u003cli\u003eReview and strengthen Kerberos configuration settings to minimize the attack surface.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of a potential Kerberos compromise.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T10:16:06Z","date_published":"2026-03-24T10:16:06Z","id":"/briefs/2024-05-mit-kerberos-bypass/","summary":"An anonymous, remote attacker can exploit a vulnerability in MIT Kerberos to bypass security measures.","title":"MIT Kerberos Security Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-05-mit-kerberos-bypass/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["kerberos","credential-access","as-rep-roasting","active-directory","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies instances where the Kerberos pre-authentication requirement is disabled for a user account within an Active Directory environment. Attackers with \u003ccode\u003eGenericWrite\u003c/code\u003e or \u003ccode\u003eGenericAll\u003c/code\u003e permissions over a target account can modify the \u003ccode\u003eUserAccountControl\u003c/code\u003e attribute to disable pre-authentication. 
This configuration weakens the account\u0026rsquo;s security posture, making it vulnerable to AS-REP roasting attacks, where attackers can request Kerberos tickets and crack the password offline. The activity is logged as Event ID 4738 in the Windows Security Event Logs, specifically when the \u003ccode\u003eNewUACList\u003c/code\u003e includes the \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e flag. This poses a significant risk, especially if applied to privileged accounts, as it allows adversaries to potentially compromise credentials and escalate privileges within the domain. The detection is based on research and recommendations from Microsoft regarding Kerberos security best practices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an account with sufficient privileges (e.g., Domain Admin, or an account with delegated permissions) to modify user account attributes in Active Directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages their initial access to target a specific user account for which they intend to disable Kerberos pre-authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Modification:\u003c/strong\u003e The attacker modifies the \u003ccode\u003eUserAccountControl\u003c/code\u003e attribute of the target user account, specifically enabling the \u0026ldquo;Do not require pre-authentication\u0026rdquo; setting (setting the \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e flag), which disables pre-authentication for that account. 
This is often done using tools like \u003ccode\u003eActive Directory Users and Computers\u003c/code\u003e or PowerShell cmdlets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvent Logging:\u003c/strong\u003e The modification triggers a Windows Security Event Log event (Event ID 4738) on the Domain Controller, indicating that the user account attribute has been changed. The \u003ccode\u003eNewUACList\u003c/code\u003e field in the event data contains \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAS-REQ Request:\u003c/strong\u003e The attacker crafts an AS-REQ (Authentication Service Request) to the Kerberos Key Distribution Center (KDC) for the targeted user account. Since pre-authentication is disabled, the KDC processes the request without requiring pre-authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAS-REP Response:\u003c/strong\u003e The KDC issues an AS-REP (Authentication Service Response) to the attacker, containing an encrypted Ticket Granting Ticket (TGT) for the targeted user account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOffline Cracking:\u003c/strong\u003e The attacker extracts the encrypted TGT from the AS-REP response and attempts to crack it offline using password cracking tools and techniques, such as hashcat or John the Ripper.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Upon successfully cracking the TGT, the attacker obtains the plaintext password for the targeted user account. This password can then be used for lateral movement, privilege escalation, and further malicious activities within the domain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising user accounts through AS-REP roasting can have significant consequences. Attackers can gain unauthorized access to sensitive resources, escalate privileges, and move laterally within the network. 
Successful AS-REP roasting leads to credential compromise, which could result in data breaches, system compromise, and disruption of services. Organizations failing to monitor and prevent Kerberos pre-authentication disabling are at an increased risk of credential theft and subsequent exploitation, potentially affecting all systems within the compromised domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit User Account Management\u0026rdquo; and ensure Windows Security Event Logs (specifically Event ID 4738) are being collected and forwarded to your SIEM for analysis as described in the setup instructions linked in the rule source.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect Event ID 4738 events where the \u003ccode\u003eNewUACList\u003c/code\u003e contains \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e within your environment to identify potential AS-REP roasting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of disabled pre-authentication, especially on privileged accounts, following the triage steps outlined in the rule documentation.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by reviewing and restricting the privileges assigned to users and groups to prevent unauthorized modification of Active Directory user account attributes.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious Kerberos authentication patterns and investigate any anomalies that might indicate AS-REP roasting attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"/briefs/2024-01-28-kerberos-preauth-disabled/","summary":"Detection of Kerberos pre-authentication being disabled for a user account, potentially leading to AS-REP roasting and offline password cracking by attackers with GenericWrite or GenericAll rights over the 
account.","title":"Kerberos Pre-authentication Disabled for User Account","url":"https://feed.craftedsignal.io/briefs/2024-01-28-kerberos-preauth-disabled/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["PowerShell"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","powershell","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis threat brief focuses on detecting PowerShell scripts designed to extract Kerberos tickets from memory. Attackers use these scripts to gain unauthorized access to credentials, which can then be leveraged for lateral movement within a network. The scripts achieve this by interacting with the Local Security Authority (LSA) and accessing Kerberos authentication packages. The observed PowerShell scripts utilize specific Kerberos ticket message types or dynamic Kerberos package lookup to enumerate and retrieve tickets. This behavior is often associated with post-exploitation activity, where attackers are attempting to escalate privileges or move laterally within a compromised environment. Defenders should monitor PowerShell activity for these patterns, as successful Kerberos ticket dumping can lead to significant security breaches. 
The scripts are not associated with any specific campaign or version.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system (e.g., through phishing or exploiting a vulnerability).\u003c/li\u003e\n\u003cli\u003eThe attacker executes a PowerShell script.\u003c/li\u003e\n\u003cli\u003eThe PowerShell script uses \u003ccode\u003eLsaCallAuthenticationPackage\u003c/code\u003e to interact with the LSA.\u003c/li\u003e\n\u003cli\u003eThe script attempts to retrieve Kerberos tickets by using functions like \u003ccode\u003eKerbRetrieveEncodedTicketMessage\u003c/code\u003e, \u003ccode\u003eKerbQueryTicketCacheMessage\u003c/code\u003e, \u003ccode\u003eKerbQueryTicketCacheExMessage\u003c/code\u003e, or \u003ccode\u003eKerbRetrieveTicketMessage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAlternatively, the script uses \u003ccode\u003eLsaLookupAuthenticationPackage\u003c/code\u003e to dynamically locate the Kerberos package.\u003c/li\u003e\n\u003cli\u003eThe script may then decrypt the ticket data using \u003ccode\u003eKerbDecryptDataMessage\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script may attempt to serialize or export the extracted tickets to a file.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the dumped Kerberos tickets to impersonate users or services, gaining unauthorized access to resources and facilitating lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation allows attackers to steal Kerberos tickets from memory. The attacker can then use these tickets to impersonate legitimate users or services, enabling them to move laterally within the network, access sensitive data, and potentially compromise critical systems. 
The impact includes unauthorized access to resources, data breaches, and potentially a complete compromise of the targeted Windows domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable PowerShell Script Block Logging to capture the malicious script content (as mentioned in the \u0026ldquo;Setup\u0026rdquo; section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;PowerShell Kerberos Ticket Dump\u0026rdquo; to detect scripts exhibiting Kerberos ticket dumping behavior.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts triggered by the Sigma rule, focusing on the reconstructed script block content and process lineage as outlined in the \u0026ldquo;Triage and analysis\u0026rdquo; section.\u003c/li\u003e\n\u003cli\u003eMonitor for file creation events related to ticket material exports (e.g., \u0026ldquo;.kirbi\u0026rdquo; files) to identify potential ticket dumping activity.\u003c/li\u003e\n\u003cli\u003eReview authentication events (event codes 4624, 4625, 4648) to identify suspicious logins originating from compromised systems.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-26-powershell-kerberos-dump/","summary":"Detection of PowerShell scripts attempting to dump Kerberos tickets from memory by accessing LSA authentication packages, potentially leading to credential access and lateral movement.","title":"PowerShell Kerberos Ticket Dumping via LSA Authentication Package Access","url":"https://feed.craftedsignal.io/briefs/2024-01-26-powershell-kerberos-dump/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["high"],"_cs_tags":["kerberos","coercion","dns","spn","spoofing","credential-access"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potential Kerberos coercion attempts 
via DNS-based SPN spoofing on Windows systems. The technique abuses MicrosoftDNS records; the detection looks for directory-service access or creation events (event codes 4662 and 5137) involving a MicrosoftDNS record that contains a base64-encoded blob matching the pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo;. This blob pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, a known indicator of DNS-based SPN spoofing used in Kerberos coercion tradecraft. The goal is to detect adversaries coercing victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services. This activity is typically observed within Windows Security Event Logs.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe adversary gains initial access to a system with privileges to modify DNS records in Active Directory.\u003c/li\u003e\n\u003cli\u003eThe attacker creates a new MicrosoftDNS record or modifies an existing one.\u003c/li\u003e\n\u003cli\u003eWithin the DNS record, specifically in the \u003ccode\u003eAdditionalInfo\u003c/code\u003e or \u003ccode\u003eObjectDN\u003c/code\u003e attributes, the attacker inserts a base64-encoded blob matching the pattern \u0026ldquo;UWhRCA\u0026hellip;BAAAA\u0026rdquo;. This blob contains a marshaled CREDENTIAL_TARGET_INFORMATION structure.\u003c/li\u003e\n\u003cli\u003eThe attacker configures the DNS record to point to an attacker-controlled host. 
This involves manipulating the record\u0026rsquo;s name and associated IP address.\u003c/li\u003e\n\u003cli\u003eThe attacker triggers a victim system to resolve the manipulated DNS record, causing the victim to attempt Kerberos authentication with the attacker-controlled host, believing it to be a legitimate service.\u003c/li\u003e\n\u003cli\u003eThe attacker intercepts the Kerberos authentication request.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the Kerberos ticket to a legitimate service, impersonating the victim system.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to the legitimate service using the relayed Kerberos ticket.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful Kerberos coercion can grant attackers unauthorized access to critical systems and services within the Active Directory domain. This may lead to privilege escalation, lateral movement, data exfiltration, and other malicious activities. The scope of impact depends on the permissions and access rights of the coerced victim system and the targeted services.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit Directory Service Access\u0026rdquo; and \u0026ldquo;Audit Directory Service Changes\u0026rdquo; Windows audit policies to ensure relevant events are logged (Setup section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM to detect potential Kerberos coercion attempts via DNS-based SPN spoofing. 
Tune the rules based on your environment and known legitimate activity.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rules, focusing on the associated user accounts, systems, and modified DNS records (rule titles).\u003c/li\u003e\n\u003cli\u003eRestrict access to modify DNS records in Active Directory to only authorized personnel and systems to prevent unauthorized manipulation (Overview section).\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security authentication events for any suspicious Kerberos activity following the modification of DNS records (Attack Chain steps 5-8).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-kerberos-coercion-dns/","summary":"Adversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.","title":"Potential Kerberos Coercion via DNS-Based SPN Spoofing","url":"https://feed.craftedsignal.io/briefs/2024-01-kerberos-coercion-dns/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.8,"id":"CVE-2025-33073"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["kerberos","relay","credential_access","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThis detection identifies potential Kerberos relay attacks targeting Windows systems. The attack involves coercing a target server to authenticate to an attacker-controlled system, which then relays the authentication to another service. The initial coercion leverages commonly abused named pipes like Spoolss, netdfs, and lsarpc. By capturing and relaying the Kerberos authentication, attackers can impersonate the target server and potentially execute code with elevated privileges. 
This activity is often associated with lateral movement and privilege escalation within a Windows domain. The detection focuses on the sequence of events, specifically a file access event (5145) against a named pipe, followed by a Kerberos authentication event (4624/4625) originating from a different IP address. Defenders should be aware that successful exploitation may lead to full domain compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker compromises a machine within the target network.\u003c/li\u003e\n\u003cli\u003eAttacker initiates a coerced authentication attempt against a target server, triggering a file access event (Event ID 5145) on the target. This leverages a named pipe such as Spoolss, netdfs, lsarpc, lsass, netlogon, samr, efsrpc, FssagentRpc, eventlog, winreg, srvsvc, dnsserver, dhcpserver or WinsPipe.\u003c/li\u003e\n\u003cli\u003eThe target server attempts to authenticate to the attacker-controlled machine.\u003c/li\u003e\n\u003cli\u003eThe attacker relays the Kerberos authentication attempt to a service on another server, impersonating the target server.\u003c/li\u003e\n\u003cli\u003eA Kerberos authentication event (Event ID 4624 or 4625) is generated, indicating a network logon attempt using Kerberos. 
The account used ends with \u0026lsquo;$\u0026rsquo;, signifying a computer account.\u003c/li\u003e\n\u003cli\u003eThe source IP address of the authentication event is different from the target server\u0026rsquo;s IP address, indicating the authentication attempt originated from a different host.\u003c/li\u003e\n\u003cli\u003eIf successful (Event ID 4624), the attacker gains unauthorized access to the service on the second server, impersonating the target server\u0026rsquo;s computer account.\u003c/li\u003e\n\u003cli\u003eThe attacker executes commands or performs actions on the compromised service, potentially leading to data exfiltration, system compromise, or further lateral movement.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberos relay attack can lead to a full compromise of the targeted server, potentially allowing the attacker to execute arbitrary code with SYSTEM privileges. This can result in data exfiltration, service disruption, and further lateral movement within the network. The scope of the impact depends on the privileges of the compromised computer account and the services accessible to it. 
Organizations that do not properly patch CVE-2025-33073 or implement SMB signing/sealing/channel binding are at higher risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Potential Kerberos Relay Attack against a Computer Account\u0026rdquo; to your SIEM to detect this activity and tune for your environment.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the Sigma rule, focusing on the sequence of events and the source IP address involved.\u003c/li\u003e\n\u003cli\u003ePatch CVE-2025-33073 on all affected Windows servers to prevent reflective Kerberos relay attacks.\u003c/li\u003e\n\u003cli\u003eEnable SMB signing or service-specific signing/sealing/channel binding on affected service tiers to mitigate relay attacks.\u003c/li\u003e\n\u003cli\u003eMonitor Windows Security Event Logs for Event ID 5145 (file access) and Event IDs 4624/4625 (authentication attempts) for suspicious activity.\u003c/li\u003e\n\u003cli\u003eRestrict coercion-prone RPC and named-pipe exposure to limit the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-kerberos-relay-via-coerced-auth/","summary":"Detects potential Kerberos relay attacks by identifying coercion attempts followed by authentication events using a target server's computer account, originating from a different host, indicating an attacker has captured and relayed Kerberos authentication material to execute code on behalf of the compromised system.","title":"Potential Kerberos Relay Attack via Coerced Authentication against a Computer Account","url":"https://feed.craftedsignal.io/briefs/2024-01-kerberos-relay-via-coerced-auth/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Defender XDR","Elastic Defend","SentinelOne Cloud 
Funnel"],"_cs_severities":["high"],"_cs_tags":["credential-access","kerberos","pass-the-ticket","mimikatz","rubeus"],"_cs_type":"advisory","_cs_vendors":["Microsoft","Elastic","CrowdStrike","SentinelOne"],"content_html":"\u003cp\u003eThe creation of \u003ccode\u003e.kirbi\u003c/code\u003e files on Windows systems is a strong indicator of potential Kerberos ticket theft. These files are Kerberos ticket artifacts often associated with credential dumping and Pass-The-Ticket (PTT) attacks. Tools like Mimikatz and Rubeus are commonly used to export or dump Kerberos tickets, which are then saved as \u003ccode\u003e.kirbi\u003c/code\u003e files. Defenders should monitor the creation of these files, especially in unusual locations, and investigate the associated processes to determine if malicious activity is occurring. The rule provided is designed to detect these events across multiple data sources, providing a comprehensive approach to identifying this threat.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access to a Windows system through various means, such as phishing or exploiting a vulnerability.\u003c/li\u003e\n\u003cli\u003eThe attacker executes a Kerberos ticket dumping tool, such as Mimikatz or Rubeus.\u003c/li\u003e\n\u003cli\u003eThe tool extracts Kerberos tickets from memory.\u003c/li\u003e\n\u003cli\u003eThe extracted tickets are saved to a \u003ccode\u003e.kirbi\u003c/code\u003e file on the filesystem. 
This file is often created in a temporary or easily accessible location.\u003c/li\u003e\n\u003cli\u003eThe attacker may rename or move the \u003ccode\u003e.kirbi\u003c/code\u003e file to evade detection or prepare it for later use.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the stolen Kerberos ticket to authenticate to other systems on the network (Pass-The-Ticket).\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to sensitive resources or data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful Kerberos ticket theft can lead to significant damage, including unauthorized access to sensitive data, lateral movement across the network, and privilege escalation. Depending on the compromised account, an attacker can potentially gain control of critical systems and data. If a domain administrator account is compromised, the entire domain could be at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eKirbi File Creation\u003c/code\u003e to your SIEM to detect the creation of \u003ccode\u003e.kirbi\u003c/code\u003e files.\u003c/li\u003e\n\u003cli\u003eEnable Sysmon FileCreate events (Event ID 11) to provide the necessary data for the \u003ccode\u003eKirbi File Creation\u003c/code\u003e rule to function effectively.\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the \u003ccode\u003eKirbi File Creation\u003c/code\u003e rule, focusing on the process that created the file, the location of the file, and any follow-on activity.\u003c/li\u003e\n\u003cli\u003eConsider blocking the execution of known Kerberos ticket dumping tools, such as Mimikatz and Rubeus.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"/briefs/2024-01-kirbi-file-creation/","summary":"Detects the creation of .kirbi files, a suspicious 
Kerberos ticket artifact often produced by ticket export or dumping tools such as Rubeus or Mimikatz, indicating preparation for Kerberos ticket theft or Pass-The-Ticket (PTT) attacks.","title":"Detects Kirbi File Creation","url":"https://feed.craftedsignal.io/briefs/2024-01-kirbi-file-creation/"}],"language":"en","title":"CraftedSignal Threat Feed — Kerberos","version":"https://jsonfeed.org/version/1.1"}