Credential Access

Kerberoasting: Weak Cipher Request

Kerberoasting: Weak Cipher Request

Detection overview

Kerberoasting: Cipher Downgrade is a detection aimed at identifying attempts to manipulate Kerberos encryption types to facilitate easier offline brute-forcing of service account passwords. Attackers may force the use of weaker encryption algorithms to generate Kerberos tickets that are less computationally intensive to crack.

Triggers

  • A host that does not typically work with weak encryption types receives a service ticket that was signed using a weak cipher.

Possible Root Causes

  • Malicious Detection: An attacker is requesting service tickets with weak encryption so that they may attempt to learn the service account’s password.
  • Benign Detection: Legacy systems may still require the use of weak encryption ciphers simply because they do not support newer, more secure ciphers.

Business Impact

  • Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
  • Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.

Steps to Verify

  • Investigate the host, user, and service accounts involved when weak ciphers are returned to a host that doesn’t typically request them.
  • Conventionally, service accounts with a sufficiently complex password (cryptographically random, minimum 25 characters, rotates often) can be ignored, since these take long enough to crack that the cracked password has likely expired by the time its discovered.
Kerberoasting: Weak Cipher Request

Possible root causes

Malicious Detection

  • An attacker is attempting to force the use of weaker encryption algorithms for Kerberos tickets to facilitate offline brute-forcing.
  • Use of tools or scripts designed to downgrade cipher types during the Kerberos authentication process.

Benign Detection

  • Misconfigured applications or services requesting Kerberos tickets with outdated encryption types.
  • Legacy systems that still use older Kerberos encryption standards.
Kerberoasting: Weak Cipher Request

Example scenarios

Scenario 1: An attacker exploits a misconfiguration in a legacy application to request Kerberos tickets using a weaker encryption type. The attacker then uses an offline brute-forcing tool to crack the TGS tickets and obtain plaintext passwords for service accounts.

Scenario 2: During a security assessment, the penetration testing team runs a script to downgrade Kerberos cipher types and capture TGS tickets. The detection is triggered, and the activity is verified as part of the scheduled assessment.

Kerberoasting: Weak Cipher Request

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Credential Compromise

Attackers can obtain plaintext passwords of service accounts, leading to unauthorized access.

Lateral Movement

Compromised credentials can be used for lateral movement and privilege escalation within the network.

Data Breach

Access to sensitive data and critical systems, leading to potential data exfiltration.

Kerberoasting: Weak Cipher Request

Steps to investigate

Kerberoasting: Weak Cipher Request

MITRE ATT&CK techniques covered

Kerberoasting: Weak Cipher Request

Related detections

FAQs

What is Kerberoasting?

Kerberoasting is an attack technique where attackers extract service account tickets (TGS tickets) from Active Directory, which are then brute-forced offline to obtain plaintext passwords.

How can I detect cipher downgrade attempts in my environment?

Look for unusual patterns in Kerberos ticket requests, especially those involving older or weaker encryption types. Monitoring tools and detection systems can help identify these anomalies.

Why is a cipher downgrade a significant threat?

It makes Kerberos tickets easier to crack, potentially compromising service account credentials and leading to unauthorized access and privilege escalation.

What steps should I take if I detect a cipher downgrade attempt?

Investigate the source of the requests, verify if they are legitimate, and check for other signs of malicious activity. If necessary, take steps to secure compromised accounts and update encryption settings.

What is the business impact of a cipher downgrade?

The primary risk is credential compromise, which can lead to unauthorized access, data breaches, and significant damage to the organization.

How does cipher downgrade facilitate Kerberoasting?

By forcing the use of weaker encryption algorithms for Kerberos tickets, attackers can reduce the computational effort required to brute-force the TGS tickets offline.

What are the common signs of a cipher downgrade attempt?

Multiple requests for TGS tickets with downgraded encryption types from a single host or user, particularly if this deviates from normal behavior.

Can legitimate activities trigger a cipher downgrade detection?

Yes, misconfigured applications or legacy systems using outdated encryption types can trigger this detection. It's important to verify the context of the activity.

How does Vectra AI detect cipher downgrade attempts?

Vectra AI uses advanced AI algorithms to analyze Kerberos traffic and identify patterns indicative of cipher downgrade attempts, correlating these with other suspicious behaviors.

How can I prevent cipher downgrades?

Implement strict access controls, monitor Kerberos traffic, use strong encryption algorithms, and regularly audit user activity and permissions.