The Kerberos Account Scan detection identifies attempts to query the Kerberos authentication service for valid user accounts. This activity is often a precursor to credential harvesting attacks such as Kerberoasting, in which attackers request service tickets and then run offline brute-force or dictionary attacks against them to recover the underlying passwords.
Scenario 1: An internal host generates a high volume of Kerberos TGS-REQs targeting various SPNs. Investigation reveals that the host is compromised, and the attacker is attempting to gather Kerberos tickets for offline password cracking.
Scenario 2: A spike in Kerberos Pre-authentication failures is detected, originating from an IP address associated with a network security assessment. Verification with the IT department confirms that the activity is part of a scheduled security test.
If this detection indicates a genuine threat, the organization faces significant risks:
Successful enumeration and extraction of Kerberos tickets can lead to the compromise of user credentials and unauthorized access to sensitive data.
Attackers can use compromised credentials to move laterally within the network, escalating privileges and accessing critical resources.
Unauthorized scanning and enumeration of accounts can trigger account lockouts, disrupting legitimate access and affecting business operations.
Examine Kerberos authentication logs for patterns of high-volume requests, pre-authentication failures, and TGS-REQ activities. Focus on identifying the source of the scan.
Determine the internal host or external entity generating the Kerberos account scan traffic. Verify if the host and user are authorized to perform such actions.
Look for other signs of compromise or related suspicious behavior, such as unusual login attempts, malware alerts, or unauthorized access attempts.
Confirm if any authorized security assessments, penetration tests, or administrative tasks could explain the detected Kerberos scanning activity.
A Kerberos Account Scan involves querying the Kerberos authentication service for valid user accounts and Service Principal Names (SPNs), often used by attackers to gather information for credential harvesting attacks.
Common signs include high volumes of Kerberos ticket requests, multiple pre-authentication failures, and successful authentication attempts following repeated failures.
Yes, legitimate security audits, penetration testing activities, and misconfigured applications can generate behavior resembling Kerberos account scanning.
Vectra AI uses advanced AI algorithms and machine learning to analyze Kerberos traffic patterns and identify anomalies indicative of account scanning activities.
It can lead to credential compromise, increased risk of lateral movement, and operational disruption due to unauthorized access and potential data breaches.
Detect Kerberos Account Scans by monitoring for high volumes of Kerberos TGS-REQs, unusual pre-authentication failures, and scanning patterns across multiple domains or services.
They can lead to the compromise of user credentials, increased risk of lateral movement, and operational disruption due to account lockouts and unauthorized access.
Investigate the source and scope of the scan activity, check for signs of compromise, review Kerberos logs, and consult with IT and security teams to verify if the activity is legitimate.
Tools such as Kerberos authentication logs, SIEM solutions, and network traffic analysis can help verify and investigate suspicious Kerberos account scan activities.
Look for patterns such as high volumes of TGS-REQs, repeated pre-authentication failures, and successful requests following numerous failures. Focus on unusual activity from specific hosts or user accounts.
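The two log patterns described above (many TGS-REQs across distinct SPNs from one source, and repeated pre-authentication failures followed by a success) can be checked directly in a SIEM export. The example below is added here and is not Vectra's detection logic; it assumes Windows Security audit events (4769 TGS request, 4771 pre-authentication failure, 4768 TGT issued) flattened into dictionaries, and the sample events and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample events in the shape of Windows Security Kerberos audits.
# 4769 = service ticket (TGS) request, 4771 = pre-authentication failure,
# 4768 = TGT issued (a successful authentication). Not real log data.
EVENTS = (
    [{"id": 4769, "src": "10.0.0.5", "user": "jdoe", "spn": f"MSSQLSvc/db{i}.corp.local"}
     for i in range(12)]
    + [{"id": 4771, "src": "10.0.0.9", "user": f"user{i}", "spn": None} for i in range(8)]
    + [{"id": 4768, "src": "10.0.0.9", "user": "user3", "spn": None},
       {"id": 4769, "src": "10.0.0.20", "user": "svc_backup", "spn": "cifs/files.corp.local"}]
)


def detect_kerberos_scan(events, spn_threshold=10, preauth_fail_threshold=5):
    """Return {source_ip: [finding, ...]} for the scan patterns the text describes.

    Events must be in chronological order so that a success can be recognised
    as following earlier pre-authentication failures from the same source.
    Thresholds are illustrative; tune them to the environment's baseline.
    """
    spns_by_src = defaultdict(set)        # distinct SPNs requested per source
    fails_by_src = defaultdict(int)       # 4771 count per source
    failed_users = defaultdict(set)       # distinct accounts that failed pre-auth
    success_after_fail = defaultdict(bool)

    for ev in events:
        src = ev["src"]
        if ev["id"] == 4769 and ev["spn"]:
            spns_by_src[src].add(ev["spn"])
        elif ev["id"] == 4771:
            fails_by_src[src] += 1
            failed_users[src].add(ev["user"])
        elif ev["id"] == 4768 and fails_by_src[src] >= preauth_fail_threshold:
            success_after_fail[src] = True

    findings = {}
    for src, spns in spns_by_src.items():
        if len(spns) >= spn_threshold:
            findings.setdefault(src, []).append(f"tgs_req_many_spns:{len(spns)}")
    for src, n in fails_by_src.items():
        if n >= preauth_fail_threshold:
            tag = "preauth_failures_then_success" if success_after_fail[src] else "preauth_failures"
            findings.setdefault(src, []).append(f"{tag}:{n}:{len(failed_users[src])}_accounts")
    return findings


if __name__ == "__main__":
    for src, hits in detect_kerberos_scan(EVENTS).items():
        print(src, hits)
```

Sources that trip the SPN threshold match the Kerberoasting precursor in scenario 1; sources with many failures across many distinct accounts match account enumeration and should be checked against scheduled assessments, as in scenario 2.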