CAPEC-509: Kerberoasting (CAPEC List Version 3.2)

Attack Pattern ID: 509
Abstraction: Detailed
Status: Draft
+ Description
By exploiting how service accounts use Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and subsequently cracks the encrypted credentials of a target service account in order to use its privileges. The Kerberos authentication protocol centers around a ticketing system that is used to request and grant access to services and then to access the requested services. As an authenticated user, the adversary can query Active Directory for a service ticket and obtain one whose encrypted portion is protected with RC4 under a key derived from the target service account's password. By extracting the ticket locally and saving it to disk, the adversary can brute force that encrypted value offline to recover the target account's credentials.
+ Typical Severity

High

+ Relationships

The table below shows the other attack patterns and high level categories that are related to this attack pattern. These relationships are defined as ChildOf and ParentOf, and give insight into similar items that may exist at higher and lower levels of abstraction. In addition, relationships such as CanFollow, PeerOf, and CanAlsoBe are defined to show similar attack patterns that the user may want to explore.

Nature | Type | ID | Name
ChildOf | Standard Attack Pattern | 560 | Use of Known Domain Credentials


+ Execution Flow
Explore
  1. Scan for user accounts with set SPN values
    Techniques
    These can be found via PowerShell or LDAP queries, as well as by enumerating service startup accounts and other means.
  2. Request service tickets
    Techniques
    Using the user account's SPN value, request service tickets for that service from Active Directory.
Experiment
  1. Extract ticket and save to disk
    Techniques
    Certain tools like Mimikatz can extract local tickets and save them to memory/disk.
Exploit
  1. Crack the encrypted ticket to harvest plain text credentials
    Techniques
    Leverage a brute force application/script on the hashed value offline until cracked. The shorter the password, the easier it is to crack.
+ Prerequisites
The adversary requires access as an authenticated user on the system. This attack pattern relates to elevating privileges.
The adversary requires use of a third-party credential harvesting tool (e.g., Mimikatz).
The adversary requires a brute force tool.
+ Skills Required
[Level: Medium]
+ Consequences

The table below specifies different individual consequences associated with the attack pattern. The Scope identifies the security property that is violated, while the Impact describes the negative technical impact that arises if an adversary succeeds in their attack. The Likelihood provides information about how likely the specific consequence is expected to be seen relative to the other consequences in the list. For example, there may be high likelihood that a pattern will be used to achieve a certain impact, but a low likelihood that it will be exploited to achieve a different impact.

Scope | Impact | Likelihood
Confidentiality | Gain Privileges |
+ Mitigations
Monitor system and domain logs for abnormal access.
Employ a robust password policy for service accounts. Passwords should be of adequate length and complexity, and they should expire after a period of time.
Employ the principle of least privilege: limit service accounts privileges to what is required for functionality and no more.
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.
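The first and last mitigations above can be checked in the domain controller logs. The following is an added example, not part of the CAPEC entry: it models records on Windows Security Event ID 4769 ("A Kerberos service ticket was requested"), where a TicketEncryptionType of 0x17 denotes RC4-HMAC, and alerts when one account requests RC4 tickets for several distinct crackable service accounts inside a short window. The events are constructed sample data, and the field names, window and threshold are assumptions for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17   # Event 4769 TicketEncryptionType for RC4-HMAC
AES256 = 0x12     # Event 4769 TicketEncryptionType for AES256-CTS-HMAC-SHA1-96

# Constructed sample events modelled on Windows Security Event ID 4769
# (service_name is the sAMAccountName owning the SPN, as the event reports it).
SAMPLE_EVENTS = [
    {"time": "2019-04-04T09:59:58", "account": "alice", "service_name": "svc_web", "etype": AES256},
    {"time": "2019-04-04T10:00:01", "account": "bob", "service_name": "svc_sql", "etype": RC4_HMAC},
    {"time": "2019-04-04T10:00:02", "account": "bob", "service_name": "svc_web", "etype": RC4_HMAC},
    {"time": "2019-04-04T10:00:02", "account": "bob", "service_name": "WEB01$", "etype": RC4_HMAC},
    {"time": "2019-04-04T10:00:04", "account": "bob", "service_name": "svc_backup", "etype": RC4_HMAC},
    {"time": "2019-04-04T10:00:05", "account": "bob", "service_name": "krbtgt", "etype": RC4_HMAC},
    {"time": "2019-04-04T10:00:09", "account": "carol", "service_name": "svc_legacy", "etype": RC4_HMAC},
]


def is_crackable_target(service_name):
    """Computer accounts ($) have long random passwords and krbtgt is the TGT
    service itself, so neither is a realistic offline-cracking target."""
    return not service_name.endswith("$") and service_name.lower() != "krbtgt"


def find_kerberoasting_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """Return {account: sorted service names} for accounts that requested RC4
    tickets for at least min_spns distinct crackable services within `window`."""
    per_account = defaultdict(list)
    for ev in events:
        if ev["etype"] == RC4_HMAC and is_crackable_target(ev["service_name"]):
            per_account[ev["account"]].append(
                (datetime.fromisoformat(ev["time"]), ev["service_name"]))
    alerts = {}
    for account, reqs in per_account.items():
        reqs.sort()  # sliding window over requests in time order
        for i, (start, _) in enumerate(reqs):
            names = {n for t, n in reqs[i:] if t - start <= window}
            if len(names) >= min_spns:
                alerts[account] = sorted(names)
                break
    return alerts


if __name__ == "__main__":
    for account, names in find_kerberoasting_candidates(SAMPLE_EVENTS).items():
        print(f"ALERT {account}: RC4 tickets for {len(names)} services {names}")
```

In the sample data only bob trips the rule; alice's AES ticket, carol's single RC4 ticket, and the computer-account and krbtgt requests are excluded, which is the noise filtering a production rule needs before the RC4 services it lists are migrated to AES.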
+ Taxonomy Mappings
Relevant to the ATT&CK taxonomy mapping
Entry ID | Entry Name
1208 | Kerberoasting
+ References
[REF-559] Jeff Warren. "Extracting Service Account Passwords with Kerberoasting". 2017-05-09. <https://blog.stealthbits.com/extracting-service-account-passwords-with-kerberoasting/>.
+ Content History
Submissions
Submission Date | Submitter | Organization
2019-04-04 | CAPEC Content Team | The MITRE Corporation
Page Last Updated or Reviewed: September 30, 2019