Kerberoasting Attack

Kerberoasting: What is it All About?

Kerberos is a Windows-compatible protocol authorizing network-based devices/applications/users. With its service, it’s possible to govern network resource access and guarantee that only authorized professionals are acquiring access.

Kerberoasting Is where cyberpunks plan to use specialized tools to break into the encrypted Kerberos tickets so that they can learn what’s hidden behind the protection.

Once encryption is interpreted, cyberpunks manage to gain access to shielded network resources or data they are saving.

For beginners, service accounts are specific accounts useful for isolating domain accounts from common ones with the intention of keeping the former type of account restricted. Most security-concerned businesses use them to make sure important data is not frequently accessed, resulting in high vulnerability probabilities. 

The access rights to these accounts are mostly granted to high-privileged personnel, and these accounts also have upgraded permissions. Kerberos authentication is mostly applied to such accounts. Hackers, willing to gain root-level access to AD domains, have to gain full control over verified managed accounts. 

This is a post-exploitation attack method often involving brute force techniques. Once the cyberpunk manages to get hold of the plaintext password, s/he is able to access actual accounts. 

Kerberos Authentication Protocol

It uses tickets that promote devices/users authentication without traversing plaintext passwords. The tickets are additionally exhaustively encrypted via a secret key whose access rights are retained by the server managing access denial/approval for concerned users. Anyone willing to access protocol-protected network assets has to have a hold over the secret key, to begin with.

‍

Why are Kerberos Attacks so Common?

The reason why these attacks continue to rise and provoke severe damage is that the majority of security approaches have no provision for monitoring verified activities. 

Companies often think that as they have applied authentication and promoted robust password usage, service accounts are protected. Hence, there is hardly any cybersecurity tactic applied beyond authentication, and detecting Kerberoasting becomes tough.

As the attack succeeds and the ticket key is retrieved seamlessly, there are no more hurdles between hackers and network-side resources. They will be able to gain lateral entry to the secret keys and steal mission-critical information.

Next behind the increased number of Kerberos attacks is the wider-level usage of Windows networks. Windows networks are most commonly seen as hackers know that they have a wide scope with this attack.

Lastly, as the protocol is mainly used in enterprise-level networks, threat actors know that they will be able to access heavy-weight information if the access is granted.

‍

How Does Kerberoasting Work?

A highly strategic approach works behind the Kerberaosting that involves the below-mentioned steps.

• Decoding account authentication

The first stage of the attack is to bypass the authentication imposed by the attack. Hackers start obtaining crucial permissions so that they can have access to tickets. To make this happen, they generally exploit the access and login details of a verified user.

Once this is done, threat actors will have a smooth entry to the network resources without letting anyone, including the actual account owner, perform permitted activities. This is one of the most common methods that allow hackers to steal the credentials of concerned accounts.

• Obtaining service ticket

Another crucial workflow of the attack is obtaining service tickets in bulk and using them to decode the respective passwords. A pre-verified Kerberos ticket-granting ticket or TGT is abused in the process.

At times, hackers also use network traffic sniffing techniques to access TGT.

• Cracking the password

Often, hackers directly acquire the ticket by exploiting the access rights or log in details of verified users. Upon obtaining these tickets, they now move to the next stage of a Kerberoasting attack which is decoding the password. For this, they require a specialized tool to eliminate encryption.  

• Escalation attack impact

As passwords are cracked, bad actors start penetrating deeper into the targeted resource. Depending upon their aim, they can steal mission-critical data, change crucial settings, or even install malware to worsen the attack. It's commonly seen in this attack that cyberpunks exploit the SPNs with the help of AD PowerShell. SQL remains their priority.

Kerberoasting Attack Example

As mentioned above, Kerberoasting attacks are prevailing and are commonly seen. Below mentioned are the two most famous examples of this attack.

1. Solorigate

Solorigate backdoor attack is a famous Kerberoasting attack wherein threat actors were successful to access TGS tickets for the AD SPNs. Multiple businesses were affected as a result of this attack. Kerberoasting was one of many techniques that threat actors used to shape the attack.

2. Wocao

During Wocao operations, bad actors exploited the Invoke-Kerberoast module of PowerSploit and were able to access the encrypted tickets and passwords of linked Windows Service accounts while they were offline. Hackers are then able to access the managed account. 

‍

Kerberoasting and Mimikatz  

Conducting a successful Kerberoasting attack demands more than skills and expertise. Hackers need advanced tools, and Mimikatz is one of them. Designed to pull mission-critical data for a given device, it eases down password extraction. 

Using it, threat actors obtain service tickets and decipher the associated passwords. It automates multiple workflows and reduces the efforts that one might have to invest while extracting authentication tickets. However, it does not always help attackers.  Enterprises also use it to check the authenticity of existing security systems by conducting controlled attacks.

‍

Detecting and Mitigating Kerberoasting

Considering the fact that this attack takes place after applying a security practice, detecting it seems a little difficult. However, this should be an excuse as this is a serious threat to network resources and has the potential to cause serious damage.

In this part of the post, we’re going to learn about recommended Kerberoasting detection techniques and how their impact can be fully or partially controlled.

1. Identity Security Strategy

One of the most novel detection techniques, identity security aims to recognize the early-stage identity infrastructure risks. It mainly works to control the possibilities of a Kerberoasting attack on Active Directory.

An inventive Identity Security tool is of great help in spotting the identity settings that make an Active Directory vulnerable. When combined with the practice of using robust passwords, this technique makes service ticket obtaining tasks a little more tedious.

Users are also recommended to implement other standardized security measures like using network monitoring and MFA to enhance the viability of identity security settings. With MFA, more than one login process is used to protect the account. Hackers have to bypass multiple security layers to reach the main account, while network monitoring ensures that no risky activity goes undetected for long. 

2. Proactive threat hunting

Speaking of effective detection of Kerberoasting attacks, using threat hunting works great as this approach helps security professionals to detect the presence of account security compromising. With threat hunting, one can sense the account compromise and implement strategies to prevent it.

It’s an efficacious way to recognize any suspicious activity in and around the Kerberos protocol. For instance, it can mark access requests per service ticket or password-cracking attempts. When implemented correctly, this can detect a Kerberoasting attack in its initiation stage and prevent it from blooming.

3. Endpoint protection

Endpoint protection is an extensive security approach that involves multiple device protection, encryption, port protection, firewall, and many other tactics that are used for protecting the endpoints. Here are a few recommendations in this regard.

• When it comes to using a strong password for service accounts, make sure that the password has more than 25 characters and is a combination of numbers, alphabets, and special characters.
• Don’t continue using one password for very long, The ideal practice is to keep on changing once a year.  
• Using gMSAs or group-managed service accounts helps in its mitigation as these accounts offer password management facilities. Administrators don’t have to manage or remember credentials for different accounts, saving time and effort.
• Use a better version for encryption for service accounts. As per MITRE ATT&CK, AES Kerberos encryption is better than RC4 due to its decoding difficulty. RC4 is weak encryption and is still in use for many network devices. AES was launched way later as hacking encryption. Later, Microsoft started using the AES hack for encrypting the Kerberos tickets and you’re recommended to use it instantly. One can activate this encryption from the account section.
• Adopt best privilege account management to make sure that access rights of any service accounts are not overexploited. Organizations are recommended to modify the permissions for privileged accounts like root and SYSTEM accounts, remove users from local accounts, prevent users to access or create tickets, and not use domain admin accounts to use every day or leave them unattended.
• Microsoft offers Azure Advanced Threat Protection or Azure ATP as an advanced threat protection tool to control these attacks. The tool is of great help here because it can detect suspicious activities at an early stage, can leverage threat intelligence across the cloud, provide accurate threat information, and even help admins to manage and protect Active Directory-related identities and credentials. It’s a great endpoint protection platform because it can monitor various network entry points in one go, saving time and effort. It can effectively integrate with Windows Defender Advanced Threat Protection and provide all-inclusive endpoint protection.

4. Deception

Deception is an established cyber defense approach wherein a copy of real assets is used to decoy or divert the attention of cybercriminals. These copies are used as bait so that hackers start working on them and don’t aim at the worthy resources.

One can use this practice to detect and prevent Kerberoasting attacks. For this, they are recommended to create fake user accounts with minor loopholes that hackers consider as a vulnerability.  

These accounts are then kept under continuous monitoring so that non-permitted activities, involving service tickets, are spotted early. However, it is not recommended to solely back upon deception technology for effective detection as it may not work in all cases. Hence, combining it with other advanced technologies is highly recommended.

‍

Kerberos Security Policy Options And Recommendations for Organizations

With the implementation of the right kind of security policies, the possibility of a Kerberoast attack can be contained to a great extent. Windows offer specific security policies that one can access from Computer >Configuration>Windows Settings>Security> Settings>Account Policies>Kerberos Policy. There is a certain setting recommendation for default Kerberoast attack protection.

• Apply user login boundaries - Make sure that this policy setting is always ‘Enabled’ as a disabled policy setting will allow threat actors to access session tickets.
• ‍Set the right service ticket limitation - The policy allows one to predefine the number of minutes that one is allowed to access using a session ticket. Organizations need to make sure that this limit is too much. The ideal limit is 600 minutes. This limit can contain user access and prevent disabled accounts from accessing service tickets.
• ‍The lifetime limit for user tickets - This policy also allows enterprises to define the hours during which users are allowed to obtain TGT or ticket-granting tickets. This limit is measured in hours and should be in control to reduce the possibilities of Kerberoasting.

The expert-recommended limit here is 10 hours. This ensures that users are not logon for long which further increases the attack possibilities.

• User ticket renewal lifetime value - In the setting, you will find the ‘Maximum lifetime for user ticket renewal’ policy that is responsible for pre-defining the user’s TGT validity. The ideal practice for this policy is to set 7 days as the maximum limit. If this value is too high, hackers can manage to renew outdated tickets and use them against legitimate users.
• ‍Set 5 minutes as maximum tolerance value - In Kerberoasting settings, users can define the tolerance time difference limit between the user’s clock and domain controller time under the ‘Maximum tolerance for computer clock synchronization’ policy setting. The specialist recommendation in this regard is 5 minutes as a high difference works to increase the attack possibilities.

Conclusion

Service accounts, as they are used to access resources of high importance, need best-in-class protection and user access practices. Any leniency on this front can cause serious security risks, and the Kerberoasting attack is one of them.  

Practices like identity security, MFA, endpoint platforms, and many more that we discussed in the post can help enterprises to prevent login credential stealing and exploitation of service tickets. Combine all of them or pick that sounds best in your case and start enjoying advanced Kerberoasting protection.