Credential Access

Kerberoasting: Weak Cipher Request


Detection overview

Kerberoasting: Cipher Downgrade is a detection aimed at identifying attempts to manipulate Kerberos encryption types in order to make offline brute-forcing of service account passwords easier. Attackers may force the use of weaker encryption algorithms so that the resulting Kerberos tickets are less computationally intensive to crack.

Triggers

  • A host that does not typically work with weak encryption types receives a service ticket that was signed using a weak cipher.
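An added example (not Vectra's detection code) of the per-host baselining this trigger describes, in Python: it learns which clients habitually receive weak-cipher service tickets from Windows Security event 4769 records, then flags weak-cipher tickets issued to any host outside that baseline. The key=value export format and the sample events are constructed assumptions.

```python
from collections import defaultdict

# TicketEncryptionType codes as logged in Windows Security event 4769
# ("A Kerberos service ticket was requested"); AES is 0x11/0x12.
WEAK_ETYPES = {0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5", 0x17: "RC4-HMAC"}

def parse_4769(line):
    """Parse one 'key=value' export line of a 4769 event (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    fields["IpAddress"] = fields["IpAddress"].removeprefix("::ffff:")  # IPv4-mapped form
    fields["etype"] = int(fields["TicketEncryptionType"], 16)
    return fields

def build_baseline(lines):
    """Map each client IP to the weak etypes it used during the learning window."""
    baseline = defaultdict(set)
    for ev in map(parse_4769, lines):
        if ev["etype"] in WEAK_ETYPES:
            baseline[ev["IpAddress"]].add(ev["etype"])
    return baseline

def detect_weak_cipher_requests(lines, baseline):
    """Flag weak-cipher service tickets issued to hosts outside the baseline."""
    alerts = []
    for ev in map(parse_4769, lines):
        etype = ev["etype"]
        if etype not in WEAK_ETYPES:
            continue                       # AES ticket: nothing to flag
        if etype in baseline.get(ev["IpAddress"], set()):
            continue                       # legacy host that always uses this cipher
        alerts.append({"host": ev["IpAddress"], "user": ev["TargetUserName"],
                       "service": ev["ServiceName"], "cipher": WEAK_ETYPES[etype]})
    return alerts

# Constructed sample events; 10.0.0.20 is a legacy host that always requests RC4.
LEARNING_WINDOW = [
    "4769 IpAddress=::ffff:10.0.0.20 TargetUserName=legacyapp@CORP.LOCAL ServiceName=HTTP/old-erp TicketEncryptionType=0x17",
    "4769 IpAddress=::ffff:10.0.0.5 TargetUserName=alice@CORP.LOCAL ServiceName=cifs/fs01 TicketEncryptionType=0x12",
]
DETECTION_WINDOW = [
    "4769 IpAddress=::ffff:10.0.0.20 TargetUserName=legacyapp@CORP.LOCAL ServiceName=HTTP/old-erp TicketEncryptionType=0x17",
    "4769 IpAddress=::ffff:10.0.0.5 TargetUserName=alice@CORP.LOCAL ServiceName=cifs/fs01 TicketEncryptionType=0x12",
    "4769 IpAddress=::ffff:10.0.0.5 TargetUserName=alice@CORP.LOCAL ServiceName=MSSQLSvc/db01:1433 TicketEncryptionType=0x17",
]

if __name__ == "__main__":
    for alert in detect_weak_cipher_requests(DETECTION_WINDOW, build_baseline(LEARNING_WINDOW)):
        print(alert)
```

Only the RC4 ticket returned to 10.0.0.5, a host with no history of weak ciphers, is flagged; the legacy host's routine RC4 use is suppressed by the baseline.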

Possible Root Causes

  • Malicious Detection: An attacker is requesting service tickets with weak encryption so that they may attempt to learn the service account’s password.
  • Benign Detection: Legacy systems may still require the use of weak encryption ciphers simply because they do not support newer, more secure ciphers.

Business Impact

  • Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
  • Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.

Steps to Verify

  • Investigate the host, user, and service accounts involved when weak ciphers are returned to a host that doesn’t typically request them.
  • By convention, service accounts with a sufficiently complex password (cryptographically random, minimum 25 characters, rotated often) can be ignored, since these take long enough to crack that the password has likely been rotated by the time it is recovered.

Possible root causes

Malicious Detection

  • An attacker is attempting to force the use of weaker encryption algorithms for Kerberos tickets to facilitate offline brute-forcing.
  • Use of tools or scripts designed to downgrade cipher types during the Kerberos authentication process.

Benign Detection

  • Misconfigured applications or services requesting Kerberos tickets with outdated encryption types.
  • Legacy systems that still use older Kerberos encryption standards.

Example scenarios

Scenario 1: An attacker exploits a misconfiguration in a legacy application to request Kerberos tickets using a weaker encryption type. The attacker then uses an offline brute-forcing tool to crack the TGS tickets and obtain plaintext passwords for service accounts.

Scenario 2: During a security assessment, the penetration testing team runs a script to downgrade Kerberos cipher types and capture TGS tickets. The detection is triggered, and the activity is verified as part of the scheduled assessment.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Credential Compromise

Attackers can obtain plaintext passwords of service accounts, leading to unauthorized access.

Lateral Movement

Compromised credentials can be used for lateral movement and privilege escalation within the network.

Data Breach

Attackers gain access to sensitive data and critical systems, potentially leading to data exfiltration.

Steps to investigate

MITRE ATT&CK techniques covered

Related detections

FAQs

What is Kerberoasting?

How does cipher downgrade facilitate Kerberoasting?

How can I detect cipher downgrade attempts in my environment?

What are the common signs of a cipher downgrade attempt?

Why is a cipher downgrade a significant threat?

Can legitimate activities trigger a cipher downgrade detection?

What steps should I take if I detect a cipher downgrade attempt?

How does Vectra AI detect cipher downgrade attempts?

What is the business impact of a cipher downgrade?

How can I prevent cipher downgrades?