Kerberoasting: Cipher Downgrade is a detection aimed at identifying attempts to manipulate Kerberos encryption types to facilitate easier offline brute-forcing of service account passwords. Attackers may force the use of weaker encryption algorithms to generate Kerberos tickets that are less computationally intensive to crack.
Scenario 1: An attacker exploits a misconfiguration in a legacy application to request Kerberos tickets using a weaker encryption type. The attacker then uses an offline brute-forcing tool to crack the TGS tickets and obtain plaintext passwords for service accounts.
Scenario 2: During a security assessment, the penetration testing team runs a script to downgrade Kerberos cipher types and capture TGS tickets. The detection is triggered, and the activity is verified as part of the scheduled assessment.
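The detection described above keys on the encryption type recorded in Kerberos service-ticket requests. The following is an added example of that logic, not the vendor's detection code: it parses constructed Windows Security event 4769 records (the event that logs a TGS request, including its TicketEncryptionType field), flags tickets issued with RC4 or DES for service accounts that are known to support AES, and separately flags a single requester that collects weak-cipher tickets for many distinct service accounts, the pattern both scenarios produce. The per-account inventory `ACCOUNT_SUPPORTS_AES` and the sample event lines are constructed for the example; in practice the inventory would come from each account's msDS-SupportedEncryptionTypes attribute.

```python
"""Flag Kerberos cipher-downgrade ticket requests in Windows 4769 events.

Added example, not the product's own detection logic. It assumes:
- security events exported as 'key=value' text lines (constructed below)
- a hypothetical inventory of which service accounts support AES
"""
from collections import defaultdict

# Ticket encryption types as written in the TicketEncryptionType field of
# event 4769 (standard Kerberos etype numbers, hex as Windows logs them).
WEAK_ETYPES = {
    "0x1": "DES-CBC-CRC",
    "0x3": "DES-CBC-MD5",
    "0x17": "RC4-HMAC",
}
STRONG_ETYPES = {
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
}

# Hypothetical inventory (constructed): whether each service account is
# configured for AES. An RC4 ticket for an AES-capable account is a downgrade;
# RC4 for a legacy-only account is expected and not reported as one.
ACCOUNT_SUPPORTS_AES = {
    "svc_sql": True,
    "svc_web": True,
    "svc_legacy": False,
}

# Constructed sample events: one normal AES request, three RC4 requests from
# the same requester, one TGT request (4768) to be ignored, one benign legacy.
SAMPLE_EVENTS = [
    "EventID=4769 TargetUserName=alice@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 IpAddress=10.0.0.5",
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_web TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.0.77",
    "EventID=4768 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x12 IpAddress=10.0.0.77",
    "EventID=4769 TargetUserName=bob@CORP.LOCAL ServiceName=svc_legacy TicketEncryptionType=0x17 IpAddress=10.0.0.9",
]


def parse_event(line):
    """Split one 'k=v k=v ...' event line into a dict of field -> value."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(event):
    """Return a downgrade finding for a single 4769 event, or None.

    Only service-ticket requests (4769) with a weak etype for an account
    that is known to support AES are reported here.
    """
    if event.get("EventID") != "4769":
        return None
    etype = event.get("TicketEncryptionType", "")
    svc = event.get("ServiceName", "")
    if etype not in WEAK_ETYPES:
        return None
    if ACCOUNT_SUPPORTS_AES.get(svc, False):
        return f"downgrade: {svc} supports AES but ticket issued with {WEAK_ETYPES[etype]}"
    return None


def detect(lines, spn_threshold=3):
    """Run both checks over an iterable of event lines and return findings.

    1. Per-event cipher downgrade (classify()).
    2. Per-requester spread: one principal obtaining weak-cipher tickets for
       spn_threshold or more distinct service accounts. Legacy-only accounts
       still count here, since the volume pattern is what matters.
    """
    findings = []
    weak_spns_by_requester = defaultdict(set)
    for line in lines:
        ev = parse_event(line)
        finding = classify(ev)
        if finding:
            findings.append(finding)
        if ev.get("EventID") == "4769" and ev.get("TicketEncryptionType") in WEAK_ETYPES:
            weak_spns_by_requester[ev.get("TargetUserName", "?")].add(ev.get("ServiceName", "?"))
    for requester, spns in weak_spns_by_requester.items():
        if len(spns) >= spn_threshold:
            findings.append(
                f"spray: {requester} requested weak-cipher tickets for {len(spns)} SPNs"
            )
    return findings


def run_sample():
    """Apply the detection to the constructed sample events."""
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

On the sample data this yields two downgrade findings (svc_sql and svc_web issued with RC4-HMAC) and one spread finding for the requester that touched three SPNs; the RC4 ticket for the legacy-only account and the single benign RC4 request from another user produce no downgrade alert. The AES inventory is what keeps the legacy application in Scenario 1 from generating noise while still letting its tickets count toward the volume check.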
If this detection indicates a genuine threat, the organization faces significant risks:
Attackers can obtain plaintext passwords of service accounts, leading to unauthorized access.
Compromised credentials can be used for lateral movement and privilege escalation within the network.
Attackers can gain access to sensitive data and critical systems, potentially leading to data exfiltration.