CAPEC-509: Kerberoasting

Description
Through the exploitation of how service accounts leverage Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the hashed credentials of a service account target to exploit its privileges. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. As an authenticated user, the adversary may request Active Directory and obtain a service ticket with portions encrypted via RC4 with the private key of the authenticated account. By extracting the local ticket and saving it disk, the adversary can brute force the hashed value to reveal the target account credentials.
Extended Description

When impersonating an expected task, the adversary monitors the task list maintained by the operating system and waits for a specific legitimate task to become active. Once the task is detected, the malicious application launches a new task in the foreground that mimics the user interface of the legitimate task. At this point, the user thinks that they are interacting with the legitimate task that they started, but instead they are interacting with the malicious application. Once the adversary's goal is reached, the malicious application can exit, leaving the original trusted application visible and the appearance that nothing out of the ordinary has occurred.

A second approach entails the adversary impersonating an unexpected task, but one that may often be spawned by legitimate background processes. For example, an adversary may randomly impersonate a system credential prompt, implying that a background process requires authentication for some purpose. The user, believing they are interacting with a legitimate task, enters their credentials or authorizes the use of their stored credentials, which the adversary then leverages for nefarious purposes. This type of attack is most often used to obtain sensitive information (e.g., credentials) from the user, but may also be used to ride the user's privileges.

Severity :

High

Possibility :

Type :

Detailed
Relationships with other CAPECs

This table shows the other attack patterns and high level categories that are related to this attack pattern.

CAPEC-151: Identity Spoofing Identity Spoofing CAPEC-652: Use of Known Kerberos Credentials Use of Known Kerberos Credentials
Prerequisites

This table shows the other attack patterns and high level categories that are related to this attack pattern.

  • The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.
  • The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).
  • The adversary requires a brute force tool.
Skills required

This table shows the other attack patterns and high level categories that are related to this attack pattern.

Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

ATTACK | Steal or Forge Kerberos Tickets:Kerberoasting
Related CWE

A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.

CWE-262: Not Using Password Aging

CWE-263: Password Aging with Long Expiration

CWE-294: Authentication Bypass by Capture-replay

CWE-308: Use of Single-factor Authentication

CWE-309: Use of Password System for Primary Authentication

CWE-521: Weak Password Requirements

CWE-522: Insufficiently Protected Credentials

Visit http://capec.mitre.org/ for more details.