CAPEC-652

Standard Abstraction Level
Meta — Very abstract, high-level category
Standard — Specific enough to understand
Detailed — Tied to specific technique
Draft MITRE CAPEC Status
Stable — Fully reviewed and complete
Draft — Under development
Incomplete — Partially defined
Deprecated — No longer recommended
Obsolete — Replaced by another CAPEC
Likelihood: Medium Severity: High
Use of Known Kerberos Credentials

Description

An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.

Prerequisites

The system/application leverages Kerberos authentication.

The system/application uses one factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.

The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.

The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.

The targeted network allows for network sniffing attacks to succeed.

Mitigations

Create a strong password policy and ensure that your system enforces this policy for Kerberos service accounts.

Ensure Kerberos service accounts are not reusing username/password combinations for multiple systems, applications, or services.

Do not reuse Kerberos service account credentials across systems.

Deny remote use of Kerberos service account credentials to log into domain systems.

Do not allow Kerberos service accounts to be a local administrator on more than one system.

Enable at least AES Kerberos encryption for tickets.

Monitor system and domain logs for abnormal credential access.

Skills Required

[Low] Once an adversary obtains a known Kerberos credential, leveraging it is trivial.