Uncover gaps in your Microsoft Identity Security.
Book an identity exposure gap analysis today.
Back to all detections
Credential Access

Kerberoasting: Cipher Downgrade

Kerberoasting: Cipher Downgrade
Overview
Possible Root Causes
Example Scenarios
Business Impact
Steps to Investigate
MITRE ATT&CK Techniques
Related Detections
FAQ

Detection overview

Kerberoasting: Cipher Downgrade is a detection aimed at identifying attempts to manipulate Kerberos encryption types to facilitate easier offline brute-forcing of service account passwords. Attackers may force the use of weaker encryption algorithms to generate Kerberos tickets that are less computationally intensive to crack.

Triggers

  • A host that does not typically work with weak encryption types receives a service ticket that was signed using a weak cipher.

Possible Root Causes

  • Malicious Detection: An attacker is requesting service tickets with weak encryption so that they may attempt to learn the service account’s password.
  • Benign Detection: Legacy systems may still require the use of weak encryption ciphers simply because they do not support newer, more secure ciphers.

Business Impact

  • Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
  • Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.

Steps to Verify

  • Investigate the host, user, and service accounts involved when weak ciphers are returned to a host that doesn’t typically request them.
  • Conventionally, service accounts with a sufficiently complex password (cryptographically random, minimum 25 characters, rotates often) can be ignored, since these take long enough to crack that the cracked password has likely expired by the time its discovered.
Kerberoasting: Cipher Downgrade

Possible root causes

Malicious Detection

  • An attacker is attempting to force the use of weaker encryption algorithms for Kerberos tickets to facilitate offline brute-forcing.
  • Use of tools or scripts designed to downgrade cipher types during the Kerberos authentication process.

Benign Detection

  • Misconfigured applications or services requesting Kerberos tickets with outdated encryption types.
  • Legacy systems that still use older Kerberos encryption standards.
Kerberoasting: Cipher Downgrade

Example scenarios

Scenario 1: An attacker exploits a misconfiguration in a legacy application to request Kerberos tickets using a weaker encryption type. The attacker then uses an offline brute-forcing tool to crack the TGS tickets and obtain plaintext passwords for service accounts.

Scenario 2: During a security assessment, the penetration testing team runs a script to downgrade Kerberos cipher types and capture TGS tickets. The detection is triggered, and the activity is verified as part of the scheduled assessment.

Kerberoasting: Cipher Downgrade

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Credential Compromise

Attackers can obtain plaintext passwords of service accounts, leading to unauthorized access.

Lateral Movement

Compromised credentials can be used for lateral movement and privilege escalation within the network.

Data Breach

Access to sensitive data and critical systems, leading to potential data exfiltration.

Kerberoasting: Cipher Downgrade

Steps to investigate

Review Encryption Requests

  • Check logs for patterns of Kerberos ticket requests with downgraded encryption types.
  • Identify the source IP address and user account making these requests.

Correlate with User Activity

  • Verify if the user account is associated with legitimate administrative tasks.
  • Look for any recent changes in user privileges or account behavior.

Examine Logs and Tools

  • Review Kerberos authentication logs for anomalies.
  • Check for the presence of known tools used for Kerberoasting and cipher downgrades.

Conduct a Threat Hunt

  • Search for other indicators of compromise or malicious activity originating from the same host or user account.
Kerberoasting: Cipher Downgrade

MITRE ATT&CK techniques covered

Steal or Forge Kerberos Tickets

T1558

Network Sniffing

T1040
Kerberoasting: Cipher Downgrade

Related detections

Kerberos Account Scan

Kerberos Brute-Sweep

Kerberoasting: SPN Sweep

See our detections in action

Our interactive demo provides a deep dive into the advanced capabilities of our cybersecurity platform, showcasing real-time detection, comprehensive analysis, and proactive threat mitigation.

Don't just read about the possibilities – experience them.

Launch the free tour
Ask for a custom demo

FAQs

What is Kerberoasting?

Kerberoasting is an attack technique where attackers extract service account tickets (TGS tickets) from Active Directory, which are then brute-forced offline to obtain plaintext passwords.

How can I detect cipher downgrade attempts in my environment?

Look for unusual patterns in Kerberos ticket requests, especially those involving older or weaker encryption types. Monitoring tools and detection systems can help identify these anomalies.

Why is a cipher downgrade a significant threat?

It makes Kerberos tickets easier to crack, potentially compromising service account credentials and leading to unauthorized access and privilege escalation.

What steps should I take if I detect a cipher downgrade attempt?

Investigate the source of the requests, verify if they are legitimate, and check for other signs of malicious activity. If necessary, take steps to secure compromised accounts and update encryption settings.

What is the business impact of a cipher downgrade?

The primary risk is credential compromise, which can lead to unauthorized access, data breaches, and significant damage to the organization.

How does cipher downgrade facilitate Kerberoasting?

By forcing the use of weaker encryption algorithms for Kerberos tickets, attackers can reduce the computational effort required to brute-force the TGS tickets offline.

What are the common signs of a cipher downgrade attempt?

Multiple requests for TGS tickets with downgraded encryption types from a single host or user, particularly if this deviates from normal behavior.

Can legitimate activities trigger a cipher downgrade detection?

Yes, misconfigured applications or legacy systems using outdated encryption types can trigger this detection. It's important to verify the context of the activity.

How does Vectra AI detect cipher downgrade attempts?

Vectra AI uses advanced AI algorithms to analyze Kerberos traffic and identify patterns indicative of cipher downgrade attempts, correlating these with other suspicious behaviors.

How can I prevent cipher downgrades?

Implement strict access controls, monitor Kerberos traffic, use strong encryption algorithms, and regularly audit user activity and permissions.