Credential Access
Kerberoasting: Weak Cipher Request
Detection overview
Kerberoasting: Cipher Downgrade is a detection aimed at identifying attempts to manipulate Kerberos encryption types to facilitate easier offline brute-forcing of service account passwords. Attackers may force the use of weaker encryption algorithms to generate Kerberos tickets that are less computationally intensive to crack.
Triggers
- A host that does not typically work with weak encryption types receives a service ticket that was signed using a weak cipher.
Possible Root Causes
- Malicious Detection: An attacker is requesting service tickets with weak encryption so that they may attempt to learn the service account’s password.
- Benign Detection: Legacy systems may still require the use of weak encryption ciphers simply because they do not support newer, more secure ciphers.
Business Impact
- Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
- Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.
Steps to Verify
- Investigate the host, user, and service accounts involved when weak ciphers are returned to a host that doesn’t typically request them.
- Conventionally, service accounts with a sufficiently complex password (cryptographically random, minimum 25 characters, rotates often) can be ignored, since these take long enough to crack that the cracked password has likely expired by the time its discovered.
Kerberoasting: Weak Cipher Request
Possible root causes
Malicious Detection
- An attacker is attempting to force the use of weaker encryption algorithms for Kerberos tickets to facilitate offline brute-forcing.
- Use of tools or scripts designed to downgrade cipher types during the Kerberos authentication process.
Benign Detection
- Misconfigured applications or services requesting Kerberos tickets with outdated encryption types.
- Legacy systems that still use older Kerberos encryption standards.
Kerberoasting: Weak Cipher Request
Example scenarios
Scenario 1: An attacker exploits a misconfiguration in a legacy application to request Kerberos tickets using a weaker encryption type. The attacker then uses an offline brute-forcing tool to crack the TGS tickets and obtain plaintext passwords for service accounts.
Scenario 2: During a security assessment, the penetration testing team runs a script to downgrade Kerberos cipher types and capture TGS tickets. The detection is triggered, and the activity is verified as part of the scheduled assessment.
Kerberoasting: Weak Cipher Request
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Credential Compromise
Attackers can obtain plaintext passwords of service accounts, leading to unauthorized access.
Lateral Movement
Compromised credentials can be used for lateral movement and privilege escalation within the network.
Data Breach
Access to sensitive data and critical systems, leading to potential data exfiltration.
Kerberoasting: Weak Cipher Request
Steps to investigate
Review Encryption Requests
- Check logs for patterns of Kerberos ticket requests with downgraded encryption types.
- Identify the source IP address and user account making these requests.
Correlate with User Activity
- Verify if the user account is associated with legitimate administrative tasks.
- Look for any recent changes in user privileges or account behavior.
Examine Logs and Tools
- Review Kerberos authentication logs for anomalies.
- Check for the presence of known tools used for Kerberoasting and cipher downgrades.
Conduct a Threat Hunt
- Search for other indicators of compromise or malicious activity originating from the same host or user account.
Kerberoasting: Weak Cipher Request
MITRE ATT&CK techniques covered
Kerberoasting: Weak Cipher Request
Related detections
FAQs
What is Kerberoasting?
Kerberoasting is an attack technique where attackers extract service account tickets (TGS tickets) from Active Directory, which are then brute-forced offline to obtain plaintext passwords.
How does cipher downgrade facilitate Kerberoasting?
By forcing the use of weaker encryption algorithms for Kerberos tickets, attackers can reduce the computational effort required to brute-force the TGS tickets offline.
How can I detect cipher downgrade attempts in my environment?
Look for unusual patterns in Kerberos ticket requests, especially those involving older or weaker encryption types. Monitoring tools and detection systems can help identify these anomalies.
What are the common signs of a cipher downgrade attempt?
Multiple requests for TGS tickets with downgraded encryption types from a single host or user, particularly if this deviates from normal behavior.
Why is a cipher downgrade a significant threat?
It makes Kerberos tickets easier to crack, potentially compromising service account credentials and leading to unauthorized access and privilege escalation.
Can legitimate activities trigger a cipher downgrade detection?
Yes, misconfigured applications or legacy systems using outdated encryption types can trigger this detection. It's important to verify the context of the activity.
What steps should I take if I detect a cipher downgrade attempt?
Investigate the source of the requests, verify if they are legitimate, and check for other signs of malicious activity. If necessary, take steps to secure compromised accounts and update encryption settings.
How does Vectra AI detect cipher downgrade attempts?
Vectra AI uses advanced AI algorithms to analyze Kerberos traffic and identify patterns indicative of cipher downgrade attempts, correlating these with other suspicious behaviors.
What is the business impact of a cipher downgrade?
The primary risk is credential compromise, which can lead to unauthorized access, data breaches, and significant damage to the organization.
How can I prevent cipher downgrades?
Implement strict access controls, monitor Kerberos traffic, use strong encryption algorithms, and regularly audit user activity and permissions.