https://feed.craftedsignal.io/tags/spn/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 26 Jan 2024 12:00:00 +0000https://feed.craftedsignal.io/briefs/2024-01-kerberos-coercion-dns/Fri, 26 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-kerberos-coercion-dns/Adversaries may abuse MicrosoftDNS records containing a base64-encoded blob to coerce victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services, detected via directory-service access events.This detection identifies potential Kerberos coercion attempts via DNS-based SPN spoofing on Windows systems. The technique abuses MicrosoftDNS records, specifically looking for directory-service access or creation events (event codes 4662 and 5137) involving a MicrosoftDNS record that contains a base64-encoded blob matching the pattern “UWhRCA…BAAAA”. This blob pattern corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure, a known indicator of DNS-based SPN spoofing used in Kerberos coercion tradecraft. The goal is to detect adversaries coercing victim systems into authenticating to attacker-controlled hosts while requesting Kerberos tickets for legitimate services. This activity is typically observed within Windows Security Event Logs.

Attack Chain

1. The adversary gains initial access to a system with privileges to modify DNS records in Active Directory.
2. The attacker creates a new MicrosoftDNS record or modifies an existing one.
3. Within the DNS record, specifically in the AdditionalInfo or ObjectDN attributes, the attacker inserts a base64-encoded blob matching the pattern “UWhRCA…BAAAA”. This blob contains a marshaled CREDENTIAL_TARGET_INFORMATION structure.
4. The attacker configures the DNS record to point to an attacker-controlled host. This involves manipulating the record’s name and associated IP address.
5. The attacker triggers a victim system to resolve the manipulated DNS record, causing the victim to attempt Kerberos authentication with the attacker-controlled host, believing it to be a legitimate service.
6. The attacker intercepts the Kerberos authentication request.
7. The attacker relays the Kerberos ticket to a legitimate service, impersonating the victim system.
8. The attacker gains unauthorized access to the legitimate service using the relayed Kerberos ticket.

Impact

Successful Kerberos coercion can grant attackers unauthorized access to critical systems and services within the Active Directory domain. This may lead to privilege escalation, lateral movement, data exfiltration, and other malicious activities. The scope of impact depends on the permissions and access rights of the coerced victim system and the targeted services.

Recommendation

• Enable “Audit Directory Service Access” and “Audit Directory Service Changes” Windows audit policies to ensure relevant events are logged (Setup section).
• Deploy the Sigma rules provided in this brief to your SIEM to detect potential Kerberos coercion attempts via DNS-based SPN spoofing. Tune the rules based on your environment and known legitimate activity.
• Investigate any alerts generated by the Sigma rules, focusing on the associated user accounts, systems, and modified DNS records (rule titles).
• Restrict access to modify DNS records in Active Directory to only authorized personnel and systems to prevent unauthorized manipulation (Overview section).
• Monitor Windows Security authentication events for any suspicious Kerberos activity following the modification of DNS records (Attack Chain steps 5-8).

]]>highadvisorykerberoscoerciondnsspnspoofingcredential-accesshttps://feed.craftedsignal.io/briefs/2024-01-kerberoasting-spn-modified/Tue, 02 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-kerberoasting-spn-modified/Detection of modifications to the servicePrincipalName attribute on user accounts, potentially exposing them to Kerberoasting attacks by allowing attackers to request Kerberos tickets for the account.This detection rule identifies modifications to the servicePrincipalName (SPN) attribute of user accounts within Active Directory. Attackers can exploit write privileges over a user account to configure SPNs, enabling them to perform Kerberoasting attacks. While administrators may configure SPNs legitimately, this exposes the account to potential abuse. The risk arises because user-defined passwords are often less complex than machine account passwords, making them vulnerable to cracking. The rule focuses on identifying when a user account is at increased risk due to SPN modifications, indicating potential Kerberoasting vulnerabilities. The original Elastic rule was published on 2022-02-22 and last updated on 2026-05-04.

Attack Chain

1. An attacker gains initial access to a system with a user account that possesses write privileges to other user accounts within Active Directory.
2. The attacker identifies a target user account for which they want to perform Kerberoasting.
3. The attacker modifies the servicePrincipalName attribute of the target user account using tools like SetSPN.exe or PowerShell.
4. A Kerberos client requests a ticket-granting service (TGS) ticket for the modified SPN.
5. The domain controller encrypts the TGS ticket with the secret key (NTLM hash) of the target user account.
6. The attacker extracts the encrypted TGS ticket from network traffic or the Kerberos client cache.
7. The attacker performs offline password cracking on the extracted TGS ticket to recover the plaintext password of the target user account using tools like Hashcat or John the Ripper.
8. The attacker uses the compromised credentials to gain unauthorized access to resources or perform lateral movement within the network.

Impact

Successful Kerberoasting attacks can compromise user account credentials, potentially leading to unauthorized access to sensitive resources and lateral movement within the network. If privileged accounts are compromised, attackers can gain control over critical systems and data, leading to data breaches, system disruptions, and financial losses. The number of victims depends on the permissions of the compromised account and the scope of the attacker’s access.

Recommendation

• Enable and monitor “Audit Directory Service Changes” in Windows Security Event Logs to generate the events required for the detection rule (reference: https://ela.st/audit-directory-service-changes).
• Deploy the “User account exposed to Kerberoasting” Sigma rule to your SIEM and tune it based on your environment.
• Investigate any alerts generated by the Sigma rule, focusing on identifying the user account that performed the SPN modification and whether the modification was legitimate (reference: Sigma rule).
• Implement Group Managed Service Accounts (gMSA) for services running under user accounts to ensure strong and automatically rotated passwords (reference: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).

]]>mediumadvisorykerberoastingcredential-accesswindowsspn