DFIR Blog
  • Infosec
    • Blog
    • Threat Landscape
  • Digital Forensics
    • Windows Forensics
    • Mac Forensics
    • Memory Forensics
    • Forensic Resources
  • Incident Response
  • CISSP
    • Domain-1
    • Domain-2
    • Domain-3
    • Domain-4
    • Domain-5
    • Domain-6
    • Domain-7
    • Domain-8
  • Contact
  • HTB
  • Productivity

Windows Forensics

Kerberos Primer and Cyber Attacks

6/5/2019

 
Kerberos is a network authentication protocol named after Cerberus, the three-headed dog of Greek mythology. A couple of key points to remember about the protocol:
  • Uses tickets for authentication
  • Avoids sending the password over the network
  • Uses symmetric-key encryption

[Figure: Kerberos authentication flow]
Source: https://docops.ca.com/ca-single-sign-on/12-8/en/configuring/policy-server-configuration/authentication-schemes/configure-kerberos-authentication

Kerberos Attacks

#Pass the ticket:
  • Pass the ticket is used to perform "lateral movement" by leveraging the Kerberos authentication system.
  • The attacker extracts a Kerberos TGT (Ticket Granting Ticket) from LSASS memory.
  • The obtained TGT is used to request Kerberos service tickets and gain access to network resources.
  • A Kerberos TGT expires in 10 hours by default.
  • Tools like Mimikatz and Rubeus are used to perform this kind of attack:
    • Phase 1 is to monitor, via those tools, for 4624 logon events.
    • Once any user logs in, the tools go and grab that user's ticket.

Ways to investigate a Pass the Ticket attack
  • Get access to the host and analyze the logon sessions.
  • Use the klist command to inspect the Kerberos tickets associated with each session.
  • Look for Kerberos tickets that do not match the user associated with the session.
Basically, you list all the current user logon sessions on the host and look at the tickets cached for each one. A ticket whose client does not match the session's user is an anomaly and is indicative of suspicious activity on the host.
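As an added example (not from the original post), here is a small Python script that performs the klist check described above on a constructed sample of klist output. It parses each cached ticket, flags tickets whose Client does not match the user who owns the logon session, and additionally flags tickets whose lifetime exceeds the 10-hour TGT default mentioned earlier (the kind of lifetime a forged ticket would carry) and TGTs that are RC4-encrypted. The session user, ticket contents and host names in the sample are all made up.

```python
import re
from datetime import datetime, timedelta

# Default TGT lifetime given in the post: 10 hours.
DEFAULT_TGT_LIFETIME = timedelta(hours=10)

# Constructed sample of `klist` output for one logon session (not captured
# from a real host). The session belongs to "alice"; ticket #1 is cached
# under a different client, and ticket #2 is a TGT with a ten-year lifetime.
SAMPLE_KLIST = """\
Current LogonId is 0:0x5d3a2

Cached Tickets: (3)

#0>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 6/5/2019 8:00:00 (local)
        End Time:   6/5/2019 18:00:00 (local)
        Renew Time: 6/12/2019 8:00:00 (local)

#1>     Client: svc_backup @ CORP.LOCAL
        Server: cifs/fileserver.corp.local @ CORP.LOCAL
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 6/5/2019 9:15:00 (local)
        End Time:   6/5/2019 19:15:00 (local)
        Renew Time: 6/12/2019 9:15:00 (local)

#2>     Client: alice @ CORP.LOCAL
        Server: krbtgt/CORP.LOCAL @ CORP.LOCAL
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 6/5/2019 9:30:00 (local)
        End Time:   6/2/2029 9:30:00 (local)
        Renew Time: 6/2/2029 9:30:00 (local)
"""

TICKET_RE = re.compile(r"^#(\d+)>", re.M)
FIELD_RE = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time):\s*(.+?)\s*$",
    re.M,
)
TIME_FMT = "%m/%d/%Y %H:%M:%S"


def parse_time(value):
    """Turn a klist timestamp such as '6/5/2019 8:00:00 (local)' into a datetime."""
    return datetime.strptime(value.replace("(local)", "").strip(), TIME_FMT)


def parse_klist(text):
    """Split klist output into one dict per cached ticket."""
    parts = TICKET_RE.split(text)  # [preamble, "0", body0, "1", body1, ...]
    tickets = []
    for index, body in zip(parts[1::2], parts[2::2]):
        fields = dict(FIELD_RE.findall(body))
        client, _, realm = fields["Client"].partition(" @ ")
        tickets.append({
            "index": int(index),
            "client": client.strip(),
            "realm": realm.strip(),
            "server": fields["Server"],
            "etype": fields.get("KerbTicket Encryption Type", ""),
            "start": parse_time(fields["Start Time"]),
            "end": parse_time(fields["End Time"]),
        })
    return tickets


def find_anomalies(text, session_user, max_lifetime=DEFAULT_TGT_LIFETIME):
    """Return a list of findings for tickets that look out of place in this session."""
    findings = []
    for t in parse_klist(text):
        # 1. The check from the post: a cached ticket whose client is not the
        #    user who owns the logon session.
        if t["client"].lower() != session_user.lower():
            findings.append({"ticket": t["index"], "reason": "client/session mismatch",
                             "detail": f"client={t['client']} session_user={session_user}"})
        # 2. A ticket that lives far longer than the 10-hour default.
        lifetime = t["end"] - t["start"]
        if lifetime > max_lifetime:
            findings.append({"ticket": t["index"], "reason": "lifetime exceeds default",
                             "detail": f"lifetime={lifetime}"})
        # 3. A TGT encrypted with RC4 on a domain that otherwise issues AES
        #    tickets; the post notes that the NTLM hash is fed into Kerberos
        #    through RC4, so this is worth a second look (heuristic only).
        if t["server"].lower().startswith("krbtgt/") and "rc4" in t["etype"].lower():
            findings.append({"ticket": t["index"], "reason": "RC4-encrypted TGT",
                             "detail": f"etype={t['etype']}"})
    return findings


if __name__ == "__main__":
    for f in find_anomalies(SAMPLE_KLIST, "alice"):
        print(f"ticket #{f['ticket']}: {f['reason']} ({f['detail']})")
```

On a live host you would run klist once per logon session (klist accepts a logon id, and the session owner can be read from the 4624 event or from the session list) and feed each output through find_anomalies with that session's user. The RC4 check is only a heuristic: a domain that still issues RC4 tickets routinely will produce noise, so treat the client/session mismatch as the primary signal.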
Countermeasures:
  • Credential Guard uses hypervisor-based isolation to restrict access to the hashes and the tickets. Watch this video - https://www.youtube.com/watch?v=urqXgBbVyWY
  • Multi-factor authentication (MFA) is one of the good ways of handling Pass the Ticket attacks, alongside standard cybersecurity practices.
#Overpass the hash:
In overpass-the-hash, the attacker first captures the NTLM hash of the account they wish to compromise, using tools like Mimikatz.
Using this command in Mimikatz:
sekurlsa::pth /user:[USER] /domain:[DOMAIN] /ntlm:[NTLM HASH]
The NTLM hash is passed into the Kerberos authentication provider using RC4 encryption, so the attacker obtains Kerberos tickets without ever knowing the password.

#Kerberoasting:
The focus of this attack is to compromise a service account. The attacker requests a service ticket for a highly privileged service account, captures the ticket (which is encrypted with that account's password hash), and cracks it offline.
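As an added example that is not part of the original post, the following Python snippet shows one way a defender can look for Kerberoasting in Windows Security event 4769 (a Kerberos service ticket was requested). It runs over a constructed list of records shaped like the 4769 EventData fields (TargetUserName, ServiceName, TicketEncryptionType, Status, IpAddress; every value is made up) and flags two things: successful service-ticket requests for user-style service accounts that were issued with RC4 (TicketEncryptionType 0x17), and a single account requesting tickets for many distinct service accounts within a short window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC in event 4769

# Constructed sample of 4769 EventData fields (not real log data). "bob"
# requests tickets for three different service accounts within seconds,
# all with RC4; the other requests are ordinary or failed.
SAMPLE_4769 = [
    {"time": "2019-06-05T09:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.0.21"},
    {"time": "2019-06-05T09:02:10", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x17, "Status": 0x0, "IpAddress": "10.0.0.44"},
    {"time": "2019-06-05T09:02:11", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": 0x17, "Status": 0x0, "IpAddress": "10.0.0.44"},
    {"time": "2019-06-05T09:02:12", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": 0x17, "Status": 0x0, "IpAddress": "10.0.0.44"},
    {"time": "2019-06-05T09:02:13", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "krbtgt", "TicketEncryptionType": 0x12, "Status": 0x0, "IpAddress": "10.0.0.44"},
    {"time": "2019-06-05T09:40:00", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": 0x17, "Status": 0x0, "IpAddress": "10.0.0.70"},
    {"time": "2019-06-05T09:41:00", "TargetUserName": "dave@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": 0x17, "Status": 0x12, "IpAddress": "10.0.0.71"},
]


def is_user_service_account(service_name):
    """Computer accounts end in '$' and krbtgt is the KDC itself; neither is
    a Kerberoasting target, so only other service principals are of interest."""
    name = service_name.lower()
    return not name.endswith("$") and name != "krbtgt"


def rc4_service_requests(events):
    """Successful service-ticket requests for user-style service accounts
    that were issued with RC4: the single-event indicator."""
    return [
        (e["TargetUserName"], e["ServiceName"], e["IpAddress"])
        for e in events
        if e["Status"] == 0x0
        and e["TicketEncryptionType"] == RC4_HMAC
        and is_user_service_account(e["ServiceName"])
    ]


def service_request_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """One requester asking for tickets to many distinct service accounts
    inside `window`: the pattern a Kerberoasting sweep leaves behind.
    Returns {requester: max distinct services seen in any window} for
    requesters at or above min_distinct."""
    per_user = defaultdict(list)
    for e in events:
        if e["Status"] == 0x0 and is_user_service_account(e["ServiceName"]):
            per_user[e["TargetUserName"]].append(
                (datetime.fromisoformat(e["time"]), e["ServiceName"]))
    bursts = {}
    for user, reqs in per_user.items():
        reqs.sort()
        best = 0
        for i, (t_end, _) in enumerate(reqs):
            # Distinct services requested in the window ending at this event.
            distinct = {svc for t, svc in reqs[: i + 1] if t >= t_end - window}
            best = max(best, len(distinct))
        if best >= min_distinct:
            bursts[user] = best
    return bursts


if __name__ == "__main__":
    for user, svc, ip in rc4_service_requests(SAMPLE_4769):
        print(f"RC4 service ticket: {user} -> {svc} from {ip}")
    for user, count in service_request_bursts(SAMPLE_4769).items():
        print(f"burst: {user} requested {count} distinct service accounts")
```

RC4 4769 events are routine in a domain where service accounts are still RC4-only, so the single-event check needs a baseline of which accounts normally receive RC4 tickets; the burst check is the more robust of the two because a sweep of many SPNs from one account in seconds is rarely legitimate. Enforcing AES on service accounts both removes the RC4 signal an attacker prefers and makes the captured ticket much slower to crack.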

#Golden Ticket:
A forged Ticket Granting Ticket is generated for any account, with any expiration the attacker chooses.

The majority of Active Directory based attacks can be detected by implementing Microsoft Advanced Threat Analytics (ATA).
https://docs.microsoft.com/en-us/advanced-threat-analytics/what-is-ata