Reconnaissance
Kerberos Account Scan
Detection overview
The Kerberos Account Scan detection identifies attempts to query the Kerberos authentication service for valid user accounts. This activity is often a precursor to credential harvesting attacks, such as Kerberoasting, where attackers aim to extract Kerberos tickets for offline brute-force attacks or dictionary attacks to crack passwords.
Triggers
- A Kerberos client attempts a suspicious amount of authentication requests using a large number of user accounts with many of them failing as a result of non-existent accounts
Possible Root Causes
- The internal Kerberos client is part of targeted attack which aims to spread horizontally within the network by first discovering the existence of user accounts and then stealing the account’s credentials or Kerberos tickets
- A client is initiating a large number of authentication attempts with many of them failing
Business Impact
- An account scan to a Kerberos or Active Directory server is an effective way for an attacker to determine what accounts are available inside an organization’s network
- Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
- This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan so attackers feel they can use it with relatively little risk of detection
Steps to Verify
- Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host
- Inquire whether the host should be utilizing the user accounts listed in the detection
- Verify that the host on which authentication is attempted is not a shared resource as this could generate a sufficient variety of authentications to resemble an account scan
Kerberos Account Scan
Possible root causes
Malicious Detection
- An attacker attempting to enumerate user accounts and SPNs to perform offline password cracking attacks.
- Malware or tools, such as Kerberoasting scripts, actively querying the Kerberos service to extract ticket-granting service (TGS) tickets.
- Compromised internal host being used to perform reconnaissance on the Kerberos authentication service.
Benign Detection
- Network administrators performing legitimate security audits or password strength assessments.
- Security tools or penetration testing activities simulating Kerberos account scanning.
- Misconfigured applications or scripts generating high volumes of Kerberos requests.
Kerberos Account Scan
Example scenarios
Scenario 1: An internal host generates a high volume of Kerberos TGS-REQs targeting various SPNs. Investigation reveals that the host is compromised, and the attacker is attempting to gather Kerberos tickets for offline password cracking.
Scenario 2: A spike in Kerberos Pre-authentication failures is detected, originating from an IP address associated with a network security assessment. Verification with the IT department confirms that the activity is part of a scheduled security test.
Kerberos Account Scan
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Credential Compromise
Successful enumeration and extraction of Kerberos tickets can lead to the compromise of user credentials and unauthorized access to sensitive data.
Increased Risk of Lateral Movement
Attackers can use compromised credentials to move laterally within the network, escalating privileges and accessing critical resources.
Operational Disruption
Unauthorized scanning and enumeration of accounts can trigger account lockouts, disrupting legitimate access and affecting business operations.
Kerberos Account Scan
Steps to investigate
Review Kerberos Logs
Examine Kerberos authentication logs for patterns of high-volume requests, pre-authentication failures, and TGS-REQ activities. Focus on identifying the source of the scan.
Identify the Source
Determine the internal host or external entity generating the Kerberos account scan traffic. Verify if the host and user are authorized to perform such actions.
Check for Associated Activity
Look for other signs of compromise or related suspicious behavior, such as unusual login attempts, malware alerts, or unauthorized access attempts.
Consult with IT and Security Teams
Confirm if any authorized security assessments, penetration tests, or administrative tasks could explain the detected Kerberos scanning activity.
Kerberos Account Scan
MITRE ATT&CK techniques covered
Kerberos Account Scan
Related detections
FAQs
What is a Kerberos Account Scan?
A Kerberos Account Scan involves querying the Kerberos authentication service for valid user accounts and Service Principal Names (SPNs), often used by attackers to gather information for credential harvesting attacks.
What are the common signs of a Kerberos Account Scan?
Common signs include high volumes of Kerberos ticket requests, multiple pre-authentication failures, and successful authentication attempts following repeated failures.
Can legitimate software trigger this detection?
Yes, legitimate security audits, penetration testing activities, and misconfigured applications can generate behavior resembling Kerberos account scanning.
How does Vectra AI identify Kerberos Account Scans?
Vectra AI uses advanced AI algorithms and machine learning to analyze Kerberos traffic patterns and identify anomalies indicative of account scanning activities.
What is the business impact of a Kerberos Account Scan?
It can lead to credential compromise, increased risk of lateral movement, and operational disruption due to unauthorized access and potential data breaches.
How can I detect a Kerberos Account Scan in my network?
Detect Kerberos Account Scans by monitoring for high volumes of Kerberos TGS-REQs, unusual pre-authentication failures, and scanning patterns across multiple domains or services.
Why are Kerberos Account Scans a significant threat?
They can lead to the compromise of user credentials, increased risk of lateral movement, and operational disruption due to account lockouts and unauthorized access.
What steps should I take if I detect a Kerberos Account Scan?
Investigate the source and scope of the scan activity, check for signs of compromise, review Kerberos logs, and consult with IT and security teams to verify if the activity is legitimate.
What tools can help verify the presence of a Kerberos Account Scan?
Tools such as Kerberos authentication logs, SIEM solutions, and network traffic analysis can help verify and investigate suspicious Kerberos account scan activities.
What should I look for in the logs to identify Kerberos Account Scans?
Look for patterns such as high volumes of TGS-REQs, repeated pre-authentication failures, and successful requests following numerous failures. Focus on unusual activity from specific hosts or user accounts.