
Description

Monitor for activities and techniques associated with Kerberos-based attacks within Active Directory environments.

  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
  • Datamodel: Endpoint, Network_Traffic
  • Last Updated: 2022-02-02
  • Author: Mauricio Velazco, Splunk
  • ID: 38b8cf16-8461-11ec-ade1-acde48001122

Narrative

Kerberos, named after Cerberus, the three-headed dog of Greek mythology, is a network authentication protocol that allows computers and users to prove their identity through a trusted third party, the Key Distribution Center (KDC). In Active Directory every domain controller acts as a KDC and issues Kerberos tickets, protected with symmetric encryption, that let users reach services and network resources according to their privileges. Kerberos has been the default authentication protocol on Windows Active Directory networks since Windows 2000. Because Kerberos is the backbone of Windows authentication, adversaries abuse it across the phases of a breach, including initial access, privilege escalation, defense evasion, credential access and lateral movement.

This Analytic Story groups detection use cases in which the Kerberos protocol is abused. Defenders can leverage these analytics to detect and hunt for adversaries engaging in Kerberos-based attacks.

Detections

Name | Technique | Type
Disabled Kerberos Pre-Authentication Discovery With Get-ADUser | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Disabled Kerberos Pre-Authentication Discovery With PowerView | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Kerberoasting spn request with RC4 encryption | Steal or Forge Kerberos Tickets, Kerberoasting | TTP
Kerberos Pre-Authentication Flag Disabled in UserAccountControl | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Kerberos Pre-Authentication Flag Disabled with PowerShell | Steal or Forge Kerberos Tickets, AS-REP Roasting | TTP
Kerberos Service Ticket Request Using RC4 Encryption | Steal or Forge Kerberos Tickets, Golden Ticket | TTP
Kerberos TGT Request Using RC4 Encryption | Use Alternate Authentication Material | TTP
Kerberos User Enumeration | Gather Victim Identity Information, Email Addresses | Anomaly
Mimikatz PassTheTicket CommandLine Parameters | Use Alternate Authentication Material, Pass the Ticket | TTP
Multiple Users Failing To Authenticate From Host Using Kerberos | Password Spraying, Brute Force | Anomaly
PetitPotam Suspicious Kerberos TGT Request | OS Credential Dumping | TTP
Rubeus Command Line Parameters | Use Alternate Authentication Material, Pass the Ticket, Steal or Forge Kerberos Tickets, Kerberoasting, AS-REP Roasting | TTP
Rubeus Kerberos Ticket Exports Through Winlogon Access | Use Alternate Authentication Material, Pass the Ticket | TTP
ServicePrincipalNames Discovery with PowerShell | Kerberoasting | TTP
ServicePrincipalNames Discovery with SetSPN | Kerberoasting | TTP
Suspicious Kerberos Service Ticket Request | Valid Accounts, Domain Accounts | TTP
Suspicious Ticket Granting Ticket Request | Valid Accounts, Domain Accounts | Hunting
Unknown Process Using The Kerberos Protocol | Use Alternate Authentication Material | TTP
Unusual Number of Kerberos Service Tickets Requested | Steal or Forge Kerberos Tickets, Kerberoasting | Anomaly
Windows Computer Account Created by Computer Account | Steal or Forge Kerberos Tickets | TTP
Windows Computer Account Requesting Kerberos Ticket | Steal or Forge Kerberos Tickets | TTP
Windows Computer Account With SPN | Steal or Forge Kerberos Tickets | TTP
Windows Disabled Users Failing To Authenticate Kerberos | Password Spraying, Brute Force | Anomaly
Windows Get-AdComputer Unconstrained Delegation Discovery | Remote System Discovery | TTP
Windows Invalid Users Failed Authentication via Kerberos | Password Spraying, Brute Force | Anomaly
Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP
Windows PowerView Constrained Delegation Discovery | Remote System Discovery | TTP
Windows PowerView Unconstrained Delegation Discovery | Remote System Discovery | TTP
Unusual Number of Computer Service Tickets Requested | Valid Accounts | Hunting
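The following is an added worked example, not part of this Analytic Story and not Splunk's own search logic. It shows, in plain Python rather than SPL, the kind of logic three of the detections above apply to domain controller Security events: the RC4 (0x17) service ticket filter behind "Kerberoasting spn request with RC4 encryption", the per-user distinct-SPN count behind "Unusual Number of Kerberos Service Tickets Requested", and the no-pre-authentication TGT check related to "Kerberos TGT Request Using RC4 Encryption". The event lines are constructed key=value renderings of Windows event 4768/4769 fields; the thresholds, window size and the exact exclusion rules are assumptions chosen for the example, not the thresholds Splunk ships.

```python
"""Worked Kerberos detections over constructed Windows Security events.

Each sample line is a constructed key=value rendering of the fields a domain
controller logs in event 4768 (TGT requested) and 4769 (service ticket
requested). They are not captured from a real environment.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp followed by key=value pairs.
SAMPLE_EVENTS = [
    # Routine activity: pre-authenticated TGT, then AES (0x12) service tickets.
    "2022-02-02T09:00:01 EventCode=4768 TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5",
    "2022-02-02T09:00:02 EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=WS01$ TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5",
    "2022-02-02T09:05:00 EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x12 Status=0x0 IpAddress=10.0.0.5",
    # A 4769 whose ServiceName is krbtgt is a TGT operation, not a roastable SPN.
    "2022-02-02T09:06:00 EventCode=4769 TargetUserName=jdoe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.5",
    # Kerberoasting burst: one user pulls RC4 tickets for many user-account SPNs.
    "2022-02-02T13:10:00 EventCode=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_sql TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.77",
    "2022-02-02T13:10:01 EventCode=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_http TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.77",
    "2022-02-02T13:10:01 EventCode=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_backup TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.77",
    "2022-02-02T13:10:02 EventCode=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_sccm TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.77",
    "2022-02-02T13:10:02 EventCode=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_exchange TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.77",
    "2022-02-02T13:10:03 EventCode=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_report TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.77",
    # A failed request (non-zero Status) yields no ticket to crack; ignored.
    "2022-02-02T13:10:04 EventCode=4769 TargetUserName=mallory@CORP.LOCAL ServiceName=svc_old TicketEncryptionType=0x17 Status=0x7 IpAddress=10.0.0.77",
    # AS-REP roasting: TGT granted without pre-authentication, RC4 encryption.
    "2022-02-02T13:12:00 EventCode=4768 TargetUserName=svc_legacy PreAuthType=0 TicketEncryptionType=0x17 Status=0x0 IpAddress=10.0.0.77",
]

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC


def parse_event(line):
    """Parse 'timestamp k=v k=v ...' into a dict; the timestamp becomes _time."""
    ts, *pairs = line.split()
    ev = dict(p.split("=", 1) for p in pairs)
    ev["_time"] = datetime.fromisoformat(ts)
    return ev


def kerberoasting_rc4(events):
    """Approximation of 'Kerberoasting spn request with RC4 encryption':
    successful 4769 requests encrypted with RC4-HMAC for SPNs that belong to
    user accounts (name does not end in '$') other than krbtgt.
    Returns (time, requesting user, service) tuples."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != "4769" or ev.get("Status") != "0x0":
            continue
        if ev.get("TicketEncryptionType") != RC4_HMAC:
            continue
        svc = ev.get("ServiceName", "")
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        hits.append((ev["_time"], ev["TargetUserName"], svc))
    return hits


def unusual_service_ticket_volume(events, window=timedelta(minutes=5), threshold=5):
    """Approximation of 'Unusual Number of Kerberos Service Tickets Requested':
    flag a user who obtains tickets for more than `threshold` distinct SPNs
    inside any span of length `window` (sliding over the user's sorted requests).
    Window and threshold are assumed values for this example.
    Returns {user: highest distinct-SPN count seen} for offenders."""
    per_user = defaultdict(list)
    for ev in events:
        if ev.get("EventCode") == "4769" and ev.get("Status") == "0x0":
            per_user[ev["TargetUserName"]].append((ev["_time"], ev["ServiceName"]))
    offenders = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            services = {svc for t, svc in reqs[i:] if t - start <= window}
            if len(services) > threshold:
                offenders[user] = max(offenders.get(user, 0), len(services))
    return offenders


def asrep_roasting_tgt(events):
    """TGT requests granted without pre-authentication (PreAuthType=0) and
    encrypted with RC4-HMAC: the AS-REP roasting pattern. Returns account names."""
    return [ev["TargetUserName"] for ev in events
            if ev.get("EventCode") == "4768" and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == "0"
            and ev.get("TicketEncryptionType") == RC4_HMAC]


def run_detections(lines=SAMPLE_EVENTS):
    """Run all three detections over the given log lines and return the results."""
    events = [parse_event(line) for line in lines]
    return {
        "kerberoasting": kerberoasting_rc4(events),
        "ticket_volume": unusual_service_ticket_volume(events),
        "asrep_roasting": asrep_roasting_tgt(events),
    }


if __name__ == "__main__":
    for name, result in run_detections().items():
        print(name, result)
```

On the sample data only mallory trips the Kerberoasting and volume detections, jdoe's krbtgt request and the failed request are filtered out, and svc_legacy surfaces as an AS-REP roasting target. In production the same filters need tuning: legacy hosts that still negotiate RC4 will generate 0x17 tickets, so the exclusions and threshold should be built from a baseline of the environment rather than the constants used here.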

Version: 1