CAPEC-652 - CERT CVE
Name

Use of Known Kerberos Credentials

Summary

An adversary obtains (i.e., steals or purchases) legitimate Kerberos credentials (e.g., a Kerberos service account user ID/password or Kerberos tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain. Kerberos is the default authentication method for Windows domains and is used for numerous authentication purposes.

Attacks leveraging trusted Kerberos credentials can have a range of consequences, depending on which Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks that perform authentication. These credentials are often weak and never expire, and the accounts frequently hold local or domain administrator privileges. If an adversary acquires such credentials, the result can be lateral movement within the Windows domain or access to any resource the service account is privileged to access, among other things.

The protocol itself centers on a ticketing system that is used to request and grant access to resources and then to access the requested resources. If one of these tickets is acquired, an adversary could gain access to a specific resource; access any resource the ticket's user is privileged to access; gain access to services that use Kerberos as an authentication mechanism and generate tickets to access a particular resource and the system that hosts it; or, with the krbtgt account's key, generate Ticket Granting Tickets (TGTs) for any domain account within Active Directory.

Kerberos credentials can be obtained by an adversary through methods such as system breaches, network sniffing, and brute force attacks against the Kerberos service account password or against the hash of a service ticket obtained for that account (commonly called Kerberoasting, which is performed offline and therefore does not trigger lockout). Ultimately, successful spoofing and impersonation of trusted Kerberos credentials lets an adversary defeat the authentication, authorization, and audit controls of the target system or application.
Prerequisites

- The system/application is joined to a Windows domain and uses Kerberos authentication.
- The system/application uses single-factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.
- The system/application does not enforce a sound password policy for Kerberos service accounts.
- The system/application does not implement an effective password throttling mechanism for authentication to Kerberos service accounts.
- The targeted network allows network sniffing attacks to succeed.
Mitigations

- Create a strong password policy and ensure that the system enforces it for Kerberos service accounts (long, random passwords, or group Managed Service Accounts whose passwords rotate automatically).
- Ensure Kerberos service accounts do not reuse username/password combinations across multiple systems, applications, or services.
- Do not reuse Kerberos service account credentials across systems.
- Deny remote use of Kerberos service account credentials to log into domain systems.
- Do not allow a Kerberos service account to be a local administrator on more than one system.
- Enable at least AES (AES128/AES256) encryption for Kerberos tickets; service accounts that still accept RC4 yield ticket hashes that are far cheaper to crack offline.
- Monitor system and domain logs (e.g., Windows Security event 4769, "A Kerberos service ticket was requested") for abnormal credential access, such as one account requesting tickets for many different services in a short period or requesting RC4-encrypted tickets.
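The last two mitigations above, monitoring for abnormal service ticket requests and enforcing AES, can be turned into simple detection logic. The following is an added example written for this page, not code from CAPEC or from the CERT site. It runs over a small set of constructed Windows Security event 4769 records flattened to key=value form (the field names, the timestamps, the accounts and the thresholds are all assumptions made for the example); a real deployment would read the events from the Security log or a SIEM and tune the threshold to the environment. It flags (a) any successfully issued service ticket that used RC4 (encryption type 0x17) and (b) any user account that requested tickets for many distinct services within a short window, the pattern produced by bulk ticket requests made to harvest service ticket hashes for offline cracking.

```python
"""
Detection of abnormal Kerberos service ticket requests (event 4769).

Added example for the CAPEC-652 page; not part of CAPEC or the CERT site.
Input format, sample data and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17            # etype 23: RC4 ticket encryption, what Kerberoasting tools ask for
AES_TYPES = {0x11, 0x12}   # etype 17/18: AES128 / AES256

# Constructed sample records (not real log data):
#  - alice requests two tickets with AES, normal interactive use
#  - WS01$ (a machine account) gets one legacy RC4 ticket
#  - bob requests six RC4 tickets for six different services in ten seconds
SAMPLE_4769 = [
    "2024-05-01T09:00:01Z EventID=4769 Account=alice@CORP.LOCAL Service=MSSQLSvc/db01.corp.local:1433 EncType=0x12 Status=0x0 Ip=10.0.0.5",
    "2024-05-01T09:00:07Z EventID=4769 Account=alice@CORP.LOCAL Service=HTTP/intranet.corp.local EncType=0x12 Status=0x0 Ip=10.0.0.5",
    "2024-05-01T09:05:00Z EventID=4769 Account=WS01$@CORP.LOCAL Service=cifs/fs01.corp.local EncType=0x17 Status=0x0 Ip=10.0.0.20",
    "2024-05-01T09:10:00Z EventID=4769 Account=bob@CORP.LOCAL Service=MSSQLSvc/db01.corp.local:1433 EncType=0x17 Status=0x0 Ip=10.0.0.77",
    "2024-05-01T09:10:02Z EventID=4769 Account=bob@CORP.LOCAL Service=HTTP/intranet.corp.local EncType=0x17 Status=0x0 Ip=10.0.0.77",
    "2024-05-01T09:10:03Z EventID=4769 Account=bob@CORP.LOCAL Service=MSSQLSvc/db02.corp.local:1433 EncType=0x17 Status=0x0 Ip=10.0.0.77",
    "2024-05-01T09:10:05Z EventID=4769 Account=bob@CORP.LOCAL Service=ldap/dc01.corp.local EncType=0x17 Status=0x0 Ip=10.0.0.77",
    "2024-05-01T09:10:08Z EventID=4769 Account=bob@CORP.LOCAL Service=http/reports.corp.local EncType=0x17 Status=0x0 Ip=10.0.0.77",
    "2024-05-01T09:10:11Z EventID=4769 Account=bob@CORP.LOCAL Service=exchangeMDB/mail01.corp.local EncType=0x17 Status=0x0 Ip=10.0.0.77",
]


def parse_event(line):
    """Parse one flattened record: ISO timestamp followed by key=value fields."""
    ts, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00"))}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    event["enc"] = int(event["EncType"], 16)
    return event


def detect_rc4_tickets(events):
    """Return (account, service) for every successfully issued RC4 ticket.

    Supports the "at least AES" mitigation: each hit names a service account
    that still has RC4 enabled (or a requester that downgraded to it).
    """
    return [
        (e["Account"], e["Service"])
        for e in events
        if e["EventID"] == "4769" and e["enc"] == RC4_HMAC and e["Status"] == "0x0"
    ]


def detect_kerberoast_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag user accounts requesting tickets for >= threshold distinct services
    within one sliding window. Machine accounts (name ending in $) are skipped
    because they legitimately touch many services.
    """
    by_account = defaultdict(list)
    for e in events:
        if e["EventID"] != "4769" or e["Status"] != "0x0":
            continue
        if e["Account"].split("@")[0].endswith("$"):
            continue
        by_account[e["Account"]].append(e)

    findings = []
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            services = {x["Service"] for x in evs[i:] if x["ts"] - start["ts"] <= window}
            if len(services) >= threshold:
                findings.append({
                    "account": account,
                    "distinct_services": len(services),
                    "first_seen": start["ts"].isoformat(),
                    "source_ip": start["Ip"],
                })
                break  # one finding per account is enough for triage
    return findings


def analyze(lines):
    """Run both detections over raw log lines and return the findings."""
    events = [parse_event(line) for line in lines]
    return {
        "rc4_tickets": detect_rc4_tickets(events),
        "kerberoast_bursts": detect_kerberoast_bursts(events),
    }


if __name__ == "__main__":
    for name, hits in analyze(SAMPLE_4769).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the constructed sample, the RC4 check reports seven tickets (all of bob's plus the one issued to WS01$), and the burst check reports bob alone, with six distinct services from 10.0.0.77 starting at 09:10:00. In production the burst threshold and window need tuning (service desk staff and monitoring tools produce legitimate fan-out), and the RC4 hits are most useful when joined against each service account's msDS-SupportedEncryptionTypes to find the accounts that still need AES enabled.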