Description
Monitor for activities and techniques associated with Kerberos-based attacks within Active Directory environments.
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Authentication, Change, Endpoint, Network_Traffic
- Last Updated: 2022-02-02
- Author: Mauricio Velazco, Splunk
- ID: 38b8cf16-8461-11ec-ade1-acde48001122
Narrative
Kerberos, named after Cerberus, the three-headed dog of Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third party. This trusted third party issues Kerberos tickets, protected with symmetric encryption, that grant users access to services and network resources according to their privilege level. Kerberos has been the default authentication protocol on Windows Active Directory networks since the introduction of Windows Server 2003. Because Kerberos is the backbone of Windows authentication, adversaries commonly abuse it across the phases of a breach, including initial access, privilege escalation, defense evasion, credential access and lateral movement.
This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos-based attacks.
Detections
| Name | Technique | Type |
| --- | --- | --- |
| Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Disabled Kerberos Pre-Authentication Discovery With PowerView | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Kerberoasting spn request with RC4 encryption | Steal or Forge Kerberos Tickets, Kerberoasting | TTP |
| Kerberos Pre-Authentication Flag Disabled in UserAccountControl | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Kerberos Pre-Authentication Flag Disabled with PowerShell | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Kerberos Service Ticket Request Using RC4 Encryption | Steal or Forge Kerberos Tickets, Golden Ticket | TTP |
| Kerberos TGT Request Using RC4 Encryption | Use Alternate Authentication Material | TTP |
| Kerberos User Enumeration | Gather Victim Identity Information, Email Addresses | Anomaly |
| Mimikatz PassTheTicket CommandLine Parameters | Use Alternate Authentication Material, Pass the Ticket | TTP |
| PetitPotam Suspicious Kerberos TGT Request | OS Credential Dumping | TTP |
| Rubeus Command Line Parameters | Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting | TTP |
| Rubeus Kerberos Ticket Exports Through Winlogon Access | Use Alternate Authentication Material, Pass the Ticket | TTP |
| ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP |
| ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP |
| Suspicious Kerberos Service Ticket Request | Valid Accounts, Domain Accounts | TTP |
| Suspicious Ticket Granting Ticket Request | Valid Accounts, Domain Accounts | Hunting |
| Unknown Process Using The Kerberos Protocol | Use Alternate Authentication Material | TTP |
| Unusual Number of Computer Service Tickets Requested | Valid Accounts | Hunting |
| Unusual Number of Kerberos Service Tickets Requested | Steal or Forge Kerberos Tickets, Kerberoasting | Anomaly |
| Windows Computer Account Created by Computer Account | Steal or Forge Kerberos Tickets | TTP |
| Windows Computer Account Requesting Kerberos Ticket | Steal or Forge Kerberos Tickets | TTP |
| Windows Computer Account With SPN | Steal or Forge Kerberos Tickets | TTP |
| Windows Domain Admin Impersonation Indicator | Steal or Forge Kerberos Tickets | TTP |
| Windows Get-AdComputer Unconstrained Delegation Discovery | Remote System Discovery | TTP |
| Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP |
| Windows Multiple Disabled Users Failed To Authenticate With Kerberos | Password Spraying, Brute Force | TTP |
| Windows Multiple Invalid Users Fail To Authenticate Using Kerberos | Password Spraying, Brute Force | TTP |
| Windows Multiple Users Failed To Authenticate Using Kerberos | Password Spraying, Brute Force | TTP |
| Windows PowerShell Disabled Kerberos Pre-Authentication Discovery Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Windows PowerShell Disabled Kerberos Pre-Authentication Discovery With PowerView | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP |
| Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP |
| Windows PowerView Kerberos Service Ticket Request | Steal or Forge Kerberos Tickets, Kerberoasting | TTP |
| Windows PowerView SPN Discovery | Steal or Forge Kerberos Tickets, Kerberoasting | TTP |
| Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP |
| Windows Unusual Count Of Disabled Users Failed Auth Using Kerberos | Password Spraying, Brute Force | Anomaly |
| Windows Unusual Count Of Invalid Users Fail To Auth Using Kerberos | Password Spraying, Brute Force | Anomaly |
| Windows Unusual Count Of Users Failed To Auth Using Kerberos | Password Spraying, Brute Force | Anomaly |
Reference
- Source version: 1