Credential Access
Kerberoasting: SPN Sweep
Detection overview
Kerberoasting: SPN Sweep is a detection focused on identifying attempts to enumerate Service Principal Names (SPNs) within an Active Directory environment. Attackers use SPN sweeps to gather information about service accounts that can be targeted for Kerberoasting attacks. By requesting SPNs, attackers can obtain service account ticket-granting service (TGS) tickets, which can be brute-forced offline to reveal plaintext passwords.
Triggers
- A host is observed requesting service tickets for a high volume of SPNs.
Possible Root Causes
- Malicious Detection: An attacker is performing recon in a domain to find favorable targets for offline password cracking.
- Benign Detection: Enterprise vulnerability scanners may also submit requests for a large volume of SPNs.
Business Impact
- Specific Risk: Kerberoasting may result in the discovery of a privileged account’s password.
- Impact: Depending on the level of privilege a cracked account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.
Steps to Verify
- Investigate the host making requests for high volume of SPNs, this behavior is not typical for general users and should only be conducted by authorized hosts.
Kerberoasting: SPN Sweep
Possible root causes
Malicious Detection
- An attacker is performing reconnaissance to identify service accounts for Kerberoasting attacks.
- Use of automated tools or scripts to enumerate SPNs.
Benign Detection
- Legitimate security assessments or penetration tests.
- Administrative tasks involving bulk service account management.
Kerberoasting: SPN Sweep
Example scenarios
Scenario 1
An attacker uses a compromised user account to perform an SPN sweep. The attacker retrieves a list of service accounts and their associated SPNs. Using a tool like Rubeus, the attacker requests TGS tickets for these accounts and then proceeds to brute-force the tickets offline to obtain the plaintext passwords.
Scenario 2
During a penetration test, the security team runs a script to enumerate SPNs to identify potential targets for Kerberoasting. The detection is triggered, and the security team verifies the activity as part of the assessment.
Kerberoasting: SPN Sweep
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Credential Compromise
Attackers can obtain plaintext passwords of service accounts, which may have elevated privileges.
Lateral Movement
Compromised credentials can be used to move laterally within the network, escalating privileges.
Data Breach
Access to sensitive data and resources, leading to potential data exfiltration.
Kerberoasting: SPN Sweep
Steps to investigate
Review SPN Request Patterns
- Check the volume and frequency of SPN requests.
- Identify the source IP address and user account making the requests.
Correlate with User Activity
- Verify if the user account is associated with legitimate administrative tasks.
- Look for any recent changes in user privileges or account behavior.
Examine Logs and Tools
- Review Kerberos authentication logs.
- Check for the presence of known tools used for Kerberoasting (e.g., Rubeus, PowerView).
Conduct a Threat Hunt
- Search for other indicators of compromise or malicious activity originating from the same host or user account.
Kerberoasting: SPN Sweep
MITRE ATT&CK techniques covered
FAQs
What is Kerberoasting?
Kerberoasting is an attack technique where attackers extract service account tickets (TGS tickets) from Active Directory, which are then brute-forced offline to obtain plaintext passwords.
How can I detect an SPN sweep in my environment?
Look for unusual patterns and high volumes of SPN requests within a short period. Monitoring tools and detection systems can help identify these anomalies.
What are the common signs of an SPN sweep?
High frequency of SPN requests from a single host or user account, especially if directed towards multiple services, can indicate an SPN sweep.
Why is an SPN sweep a significant threat?
It is often a precursor to Kerberoasting, which can lead to the compromise of service account credentials, providing attackers with privileged access.
Can legitimate activities trigger an SPN sweep detection?
Yes, legitimate administrative tasks or security assessments can trigger this detection. It’s essential to verify the context of the activity.
What steps should I take if I detect an SPN sweep?
Investigate the source of the requests, verify if they are legitimate, and check for other signs of malicious activity. If necessary, take steps to secure compromised accounts.
How does Vectra AI detect SPN sweeps?
Vectra AI uses advanced AI algorithms to analyze network traffic and identify patterns indicative of SPN sweeps, correlating these with other suspicious behaviors.
What tools can help verify the presence of Kerberoasting attempts?
Tools like Kerberos authentication logs, network sniffers, and specialized Kerberos monitoring tools can help identify Kerberoasting attempts.
What is the business impact of an SPN sweep?
The primary risk is credential compromise, which can lead to unauthorized access, data breaches, and significant damage to the organization.
How can I prevent SPN sweeps?
Implement strict access controls, monitor Kerberos traffic, use strong passwords for service accounts, and regularly audit user activity and permissions.