CAPEC-652: Use of Known Kerberos Credentials
Description
Extended Description
Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.
Severity: High
Possibility: Medium
Type: Standard
Relationships with other CAPECs
This table shows the other attack patterns and high level categories that are related to this attack pattern.
Prerequisites
- The system/application leverages Kerberos authentication.
- The system/application uses single-factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.
- The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.
- The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.
- The targeted network allows for network sniffing attacks to succeed.
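As an added example that is not part of this CAPEC entry, the following PowerShell script audits an Active Directory domain for the conditions the prerequisites above describe: service accounts (enabled users carrying a Service Principal Name) whose password never expires, has not been rotated, or is not required, accounts that also sit in privileged groups, and a domain password policy with no lockout threshold. The ActiveDirectory module cmdlets and properties are real; the privileged group list, the 90-day rotation threshold and the output layout are assumptions to adjust for your own environment.

```powershell
# Added audit example, not code from the CAPEC entry. Requires the RSAT
# ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90   # assumed rotation threshold, adjust to local policy
$PrivilegedGroups   = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Account Operators')  # assumed list

# Domain-wide policy checks (prerequisites: no password aging, no throttling).
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.LockoutThreshold -eq 0) {
    Write-Warning 'LockoutThreshold is 0: failed authentication attempts are not throttled (CWE-307)'
}
if ($policy.MaxPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning 'MaxPasswordAge is 0: domain passwords never expire (CWE-262)'
}

# Resolve privileged group membership once (recursively), keyed by DN.
$privilegedDns = @{}
foreach ($group in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue |
        ForEach-Object { $privilegedDns[$_.DistinguishedName] = $group }
}

# Every enabled user with at least one SPN is a Kerberos service account:
# its password protects every service ticket issued for that SPN.
$serviceAccounts = Get-ADUser -Filter { ServicePrincipalName -like '*' -and Enabled -eq $true } `
    -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, PasswordNotRequired

$cutoff = (Get-Date).AddDays(-$MaxPasswordAgeDays)

$findings = foreach ($acct in $serviceAccounts) {
    $reasons = @()
    if ($acct.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires (CWE-262)' }
    if ($acct.PasswordNotRequired)  { $reasons += 'PasswordNotRequired (CWE-522)' }
    if ($acct.PasswordLastSet -and $acct.PasswordLastSet -lt $cutoff) {
        $reasons += "Password older than $MaxPasswordAgeDays days (CWE-263)"
    }
    if ($privilegedDns.ContainsKey($acct.DistinguishedName)) {
        $reasons += "Member of $($privilegedDns[$acct.DistinguishedName])"
    }
    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            SamAccountName  = $acct.SamAccountName
            SPNs            = ($acct.ServicePrincipalName -join ';')
            PasswordLastSet = $acct.PasswordLastSet
            Findings        = ($reasons -join '; ')
        }
    }
}

$findings | Sort-Object SamAccountName | Format-Table -AutoSize
```

Accounts that appear with both a stale or never-expiring password and a privileged group membership are the ones whose compromise gives the lateral movement and resource access the extended description warns about; the usual remediations are rotating them onto a long random password or a group Managed Service Account, removing them from the privileged groups, and enforcing a lockout threshold.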
Skills required
- Low: Once an adversary obtains a known Kerberos credential, leveraging it is trivial.
Taxonomy mappings
Mappings to ATT&CK, OWASP and other frameworks.
Resources required
A valid Kerberos ticket or a known Kerberos service account credential.
Related CWE
A Related Weakness relationship associates a weakness with this attack pattern. Each association implies a weakness that must exist for a given attack to be successful.
- CWE-262: Not Using Password Aging
- CWE-263: Password Aging with Long Expiration
- CWE-294: Authentication Bypass by Capture-replay
- CWE-307: Improper Restriction of Excessive Authentication Attempts
- CWE-308: Use of Single-factor Authentication
- CWE-309: Use of Password System for Primary Authentication
- CWE-522: Insufficiently Protected Credentials
- CWE-654: Reliance on a Single Factor in a Security Decision
- CWE-836: Use of Password Hash Instead of Password for Authentication
Visit http://capec.mitre.org/ for more details.