CAPEC-652: Use of Known Kerberos Credentials

Description
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
Extended Description

Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.
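The weaknesses named above (service account passwords that never expire, are old, and carry administrator privileges) can be checked for from the defender's side. This added example is not part of the CAPEC entry: it audits a constructed account export, and the column names, the 365-day threshold and the privileged-group list are assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample export (not real data); column names are assumptions.
SAMPLE_EXPORT = """account,spns,password_never_expires,password_last_set,member_of
svc-sql,MSSQLSvc/db01.example.test:1433,true,2016-03-01,Domain Admins;SQL Operators
svc-web,HTTP/intranet.example.test,false,2024-11-20,Web Operators
svc-backup,backup/bk01.example.test,true,2024-10-05,Backup Operators
alice,,false,2024-12-01,Domain Users
"""

PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators"}
MAX_PASSWORD_AGE_DAYS = 365  # assumed policy threshold


def audit_service_accounts(export_text, today):
    """Return {account: [findings]} for accounts that carry an SPN."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        if not row["spns"].strip():
            continue  # no SPN registered: not treated as a Kerberos service account
        issues = []
        if row["password_never_expires"].strip().lower() == "true":
            issues.append("password never expires")
        age = (today - date.fromisoformat(row["password_last_set"])).days
        if age > MAX_PASSWORD_AGE_DAYS:
            issues.append(f"password is {age} days old")
        groups = {g.strip().lower() for g in row["member_of"].split(";") if g.strip()}
        privileged = sorted(groups & PRIVILEGED_GROUPS)
        if privileged:
            issues.append("privileged group: " + ", ".join(privileged))
        if issues:
            findings[row["account"]] = issues
    return findings


if __name__ == "__main__":
    report = audit_service_accounts(SAMPLE_EXPORT, date(2025, 1, 1))
    for account, issues in report.items():
        print(f"{account}: " + "; ".join(issues))
```

Accounts that collect all three findings are the ones whose stolen credential would give the broadest access, so they are the first candidates for rotation and privilege reduction.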

Severity: High

Possibility: Medium

Type: Standard
Prerequisites

  • The system/application leverages Kerberos authentication.
  • The system/application uses one-factor password-based authentication, SSO, and/or cloud-based authentication for Kerberos service accounts.
  • The system/application does not have a sound password policy that is being enforced for Kerberos service accounts.
  • The system/application does not implement an effective password throttling mechanism for authenticating to Kerberos service accounts.
  • The targeted network allows for network sniffing attacks to succeed.
Skills required

  • Low: Once an adversary obtains a known Kerberos credential, leveraging it is trivial.
Taxonomy mappings

Mappings to ATT&CK, OWASP and other frameworks.

Resources required

A valid Kerberos ticket or a known Kerberos service account credential.

Visit http://capec.mitre.org/ for more details.