Triggers

  • A Kerberos client makes a suspiciously large number of authentication requests using many different user accounts, with many of the requests failing because the accounts do not exist
  • The threat score is driven by the number of unique non-existent accounts used in authentication attempts during the scan
  • The certainty score is highest when each non-existent account is used only once and gets progressively lower the more times each non-existent account is used during the scan

Possible Root Causes

  • The internal Kerberos client is part of a targeted attack that aims to spread laterally within the network by first discovering which user accounts exist and then stealing those accounts’ credentials or Kerberos tickets
  • A client is initiating a large number of authentication attempts with many of them failing

Business Impact

  • An account scan to a Kerberos or Active Directory server is an effective way for an attacker to determine what accounts are available inside an organization’s network
  • Reconnaissance within a network is a precursor to active attacks, which ultimately expose an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often far less noticeable than a port sweep or a port scan, so attackers feel they can use it with relatively little risk of detection

Steps to Verify

  • Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host
  • Inquire whether the host should be utilizing the user accounts listed in the detection
  • Verify that the host on which authentication is attempted is not a shared resource, as a shared host can generate enough variety in authentication attempts to resemble an account scan
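As an added example (not part of the original detection write-up), the following Python sketch applies the trigger logic above to constructed Kerberos ticket-request records: it counts the distinct non-existent accounts tried by each client (the threat driver) and how often each one is reused (the certainty driver). It assumes Windows Security Event 4768 style fields and that result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN) marks a non-existent account; the record shape and the threshold are assumptions, not the product's own logic.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample records in a simplified 4768-style shape (assumption:
# in practice these fields come from Windows Security Event 4768 or KDC logs).
# Result codes: 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN (account does not exist),
# 0x12 = KDC_ERR_CLIENT_REVOKED (exists but disabled/locked),
# 0x18 = KDC_ERR_PREAUTH_FAILED (exists, wrong password).
SAMPLE_EVENTS = [
    # (client_ip, account_name, result_code)
    ("10.0.0.5", "jsmith", "0x0"),
    ("10.0.0.5", "admin01", "0x6"),
    ("10.0.0.5", "backup", "0x6"),
    ("10.0.0.5", "svc_sql", "0x6"),
    ("10.0.0.5", "helpdesk", "0x6"),
    ("10.0.0.5", "mjones", "0x12"),   # existing account: not counted
    ("10.0.0.9", "ahall", "0x6"),
    ("10.0.0.9", "ahall", "0x6"),
    ("10.0.0.9", "ahall", "0x6"),
    ("10.0.0.9", "ahall", "0x18"),    # existing account: not counted
]

PRINCIPAL_UNKNOWN = "0x6"


@dataclass
class ScanScore:
    unique_nonexistent: int  # drives the threat score
    certainty: float         # 1.0 when each non-existent account is tried once


def score_client(events, client_ip):
    """Count distinct non-existent accounts one client tried and how much it reused them."""
    tries = Counter(acct for ip, acct, code in events
                    if ip == client_ip and code == PRINCIPAL_UNKNOWN)
    if not tries:
        return ScanScore(0, 0.0)
    total = sum(tries.values())
    # distinct / total is 1.0 with no reuse and falls as the same names repeat,
    # mirroring the certainty behaviour described in the Triggers section
    return ScanScore(len(tries), len(tries) / total)


def flag_scanners(events, min_unique=3):
    """Return clients whose distinct non-existent-account count reaches the threshold (assumed)."""
    scores = {ip: score_client(events, ip) for ip in {ip for ip, _, _ in events}}
    return {ip: s for ip, s in scores.items() if s.unique_nonexistent >= min_unique}
```

In the constructed data 10.0.0.5 is flagged with four distinct non-existent accounts at full certainty, while 10.0.0.9 hammering one misspelled name is not, which matches the scoring intent of the trigger description.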