CAPEC-509

Detailed Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Stable MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Severity: High
Kerberoasting

Description

Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.

Prerequisites

The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.

The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).

The adversary requires a brute force tool.

Mitigations

Monitor system and domain logs for abnormal access.

Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.

Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.

Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.

Skills Required

[Medium]