DFIR Blog

Windows Forensics

Kerberos Primer and Cyber Attacks

6/5/2019


Kerberos is a network authentication protocol named after the Greek word for Cerberus, the three-headed dog. A couple of key points to remember about the protocol:
  • Uses tickets for authentication
  • Avoids sending passwords over the network
  • Uses symmetric-key encryption

[Figure not recovered] Source: https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication

Kerberos Attacks

#Pass the ticket:
  • Pass the ticket is used to perform "lateral movement" by leveraging the Kerberos authentication system.
  • The attacker extracts a Kerberos TGT (Ticket Granting Ticket) from LSASS memory.
  • The obtained TGT is used to request Kerberos service tickets, which grant access to resources on the network.
  • A Kerberos TGT expires in 10 hours by default.
  • Tools like Mimikatz and Rubeus are used to perform this kind of attack:
    • Phase 1 is to monitor, via the tools, for 4624 logon events.
    • Once any user logs in, the tools go and grab that user's ticket.

Ways to investigate a Pass the Ticket attack
  • Get access to the host and analyze the logon sessions.
  • Use the klist command to inspect the Kerberos tickets associated with each session.
  • Look for Kerberos tickets that do not match the user associated with the session.
Basically you'll enumerate all current user logon sessions on the host and check the tickets associated with each one. Any anomaly you notice is indicative of suspicious activity on the host.
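To make the klist check above concrete, here is an added example (not code from the original post) that parses klist -li output for one logon session and flags tickets whose client does not match the session user. It goes one step beyond the post's check by also flagging a TGT whose lifetime exceeds the 10-hour default, the hallmark of a forged Golden Ticket. The session user, logon ID and ticket values are constructed; the layout imitates the real klist output but is not a capture.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of `klist -li <LUID>` output for one logon session (not a
# real capture; the layout imitates Windows klist). The session belongs to
# "bob", yet the cache holds a TGT for "alice" with a 10-year lifetime.
SESSION_USER = "bob"
KLIST_OUTPUT = """\
Current LogonId is 0:0x1a2b3

#0>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        Start Time: 6/5/2019 9:00:00 (local)
        End Time:   6/5/2029 9:00:00 (local)

#1>     Client: bob @ CORP.LOCAL
        Server: cifs/fileserver.corp.local @ CORP.LOCAL
        Start Time: 6/5/2019 9:05:00 (local)
        End Time:   6/5/2019 19:05:00 (local)
"""
DEFAULT_TGT_LIFETIME = timedelta(hours=10)  # default TGT lifetime noted above

def _parse_time(value):
    return datetime.strptime(value.replace(" (local)", ""), "%m/%d/%Y %H:%M:%S")

def parse_klist(text):
    """Split klist output into one dict per cached ticket (the '#N>' blocks)."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = dict(re.findall(r"^\s*([\w ]+?):\s+(.+?)\s*$", block, flags=re.M))
        tickets.append({
            "client": fields["Client"].split(" @ ")[0],
            "server": fields["Server"],
            "start": _parse_time(fields["Start Time"]),
            "end": _parse_time(fields["End Time"]),
        })
    return tickets

def audit_session(session_user, tickets):
    """Return (reason, client) findings for tickets that look out of place."""
    findings = []
    for t in tickets:
        # Ticket issued to someone other than the session owner: pass-the-ticket.
        if t["client"].lower() != session_user.lower():
            findings.append(("user-mismatch", t["client"]))
        # A TGT living far beyond the 10 h default is typical of a forged ticket.
        if t["server"].startswith("krbtgt/") and t["end"] - t["start"] > DEFAULT_TGT_LIFETIME:
            findings.append(("long-lived-tgt", t["client"]))
    return findings
```

Run it against the output of klist -li for each logon ID listed by klist sessions and review every finding by hand, since service accounts and delegation can legitimately produce tickets for a second identity.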
Countermeasures:
  • Credential Guard uses hypervisor-based isolation to restrict access to the hashes and the tickets. Watch this video: https://www.youtube.com/watch?v=urqXgBbVyWY
  • Multi-factor authentication (MFA) is one of the good ways to handle Pass the Ticket attacks, alongside standard cybersecurity practices.
#Overpass the hash:
In overpass-the-hash, the attacker first captures the NTLM hash of the account it wishes to compromise, using tools like Mimikatz.
Using this command in Mimikatz:
Sekurlsa::pth /user:[USER] /domain:[DOMAIN] /ntlm:[NTLM HASH]
The NTLM hash is passed into the Kerberos authentication provider using RC4 encryption.

#Kerberoasting:
The focus of this attack is to compromise a service account. The attacker requests a service ticket for a highly privileged service account, captures the hash from it, and cracks it offline.

#Golden Ticket:
A Golden Ticket is a forged Ticket Granting Ticket, generated for any account and with any expiration.

The majority of Active Directory based attacks can be detected by implementing Microsoft Advanced Threat Analytics (ATA):
https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata
