What is Kerberoasting?
Kerberoasting is a password cracking attack which takes advantage of the fundamental design of Kerberos combined with modern computing techniques to gain access to accounts in active directory.
How does Kerberoasting work?
- The attacker compromises an account of a domain user and requests a ticket, which contains an encrypted password for the service account they are targeting
- The attacker then works offline using racking tools such as John the Ripper, Hashcat or others to extract the password
- Once they crack the password, they now can log into the service account to steal data, escalate privileges, set backdoors, continue lateral movement, etc.
How to detect Kerberoasting?
Using either a Forged Ticket Granting Ticket (TGT / Golden ticket) or a compromised account, the attacker can request access to a service (SPN) on the network.
This service I associated with a high privilege service account, for example a SQL service account.
The Key Distribution Centre (KDC) will issue a service ticket, which is encrypted with the public key of the Service Accounts password.
The attacker can then convert this service ticket to a hash which can be exported to Hashcat or John The Ripper and then proceed to crack the password offline.
This attack is reliant on poor password hygiene for service accounts, reuse of passwords across service accounts, non expiry of passwords for service accounts, and even non removal of old SPN entries in Active Directory.
Detecting Kerberoasting using SPN sweep
The SPN Sweep detection looks for a host requesting an unusually high volume of service principle names. This could be the result of an attacker performing reconnaissance in a domain to find favorable targets for offline password cracking.
Another possibility for authorized hosts is that a tool such as a vulnerability scanner could also be requesting large numbers of SPNs. Authorized hosts can be filtered with triage rules on the Vectra Platform. General users' hosts should also be investigated as the behavior is not typical for them.
Detecting Kerberoasting using weak cipher request
The Weak Cipher Request detection is looking for requests that use weak ciphers from hosts that do not typically work with weak encryption.
It should be noted that, in order to ensure detection as quickly as possible, this model can also fire against new hosts or hosts with no history of using weak ciphers.
While some legacy systems may still require use of weak encryption, you should investigate hosts, users and service accounts involved when weak ciphers are returned to a host that does not typically request them.
If the targeted service account's password is sufficiently complex and rotates frequently, it is likely that cracking the password will take too long to be successful and that situation may not be as critical to investigate.
Examples of Kerberoasting detections
Example of a SPN sweep
In this example, we can see that this host has requested 75 service principal names and could represent a sweep: 19 of them are high privilege, 39 are medium and 16 are low.
This is an unusually high number and since this isn't an authorized host used by my vulnerability scanner, I will investigate further.
Example of a weak cipher request
In this example, we can see that this host has been observed requesting weaker cryptographic ciphers than normal.
This was done across several different services with a variety of privilege levels.
Vectra considers all deprecated Kerberos Cipher Suites to be weak including DES and RC4 suites.
In this case, we can see that of the requested ciphers the response allowed RC4-HMAC. We should investigate this detection as well.
Other relevant Vectra Detections to detect credential abuse
Vectra has a number of other detections that also look for abuses of credentials within an environment:
- Kerberos Account Scan
- Kerberos Brute-Sweep
- Privilege Anomaly: Unusual Account on Host
- Privilege Anomaly: Unusual Host
- Privilege Anomaly: Unusual Service from Host
- Privilege Anomaly: Unusual Trio
- SMB, RPC Detections
- M365 and Azure AD Detections
It is important to remember that Vectra looks at behavior and automatically priotizes entities of interest for analysts.
Individual detections look for specific attacker behaviors and when rolled up under an entity for the analyst, it paints a very clear picture.
Vectra is able to find the attack signal that other tools miss.