Lateral movement
Kerberoasting: Targeted Weak Cipher Response
Detection overview
The "Kerberoasting: Targeted Weak Cipher Response" detection helps security teams identify scenarios where a Kerberos service ticket is issued with a weak cipher, which is atypical for the requesting host. This detection indicates potential reconnaissance or credential harvesting aimed at escalating privileges within the organization’s network.
Triggers
- A user has requested a Kerberos service ticket from the ticket granting service which has responded with a weak cipher. This service has either never responded with a weak cipher or the occurrence of this behavior is rare.
- This behavior could indicate the presence of an active attacker who is aiming to escalate privileges on the network by exploiting a weak cipher response and subsequently cracking the NTLM, AES, or RC4 hash. The objective is to obtain the password associated with the targeted service account.
Possible Root Causes
Malicious Detection
- A single ticket cipher downgrade attack may be leveraged in a targeted attack to escalate privileges to progress further into the network and ultimately achieve the goal set out by the malicious actor.
- Observing a weak cipher response from the request of a Ticket Granting Service (TGS) ticket where the service being requested has either never responded with a weak cipher or rarely responds with a weak cipher could be indicative of a malicious actor attempting to elevate privileges to progress further in carrying out their attack.
Benign Detection
- Legacy systems, which lack support for modern ciphers, may still rely on weak ciphers for their operations. In such cases, it becomes crucial to confirm all necessary patches are applied and to prioritize the security of accounts associated with these services. This involves enforcing strong and lengthy passwords for these accounts, while also adhering to regular password update schedules. Additionally, it is essential to assign minimal privileges to these accounts, ensuring they possess only the necessary permissions required for proper functioning within the organization.
Business Impact
- Specific Risk: A cipher downgrade could lead to exposing credentials of a privileged account.
- Impact: Depending on the level of privilege a targeted account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.
Steps to Verify
- Investigate the host, user, and service accounts involved when weak ciphers are returned to a host that doesn’t typically request them. Conventionally, service accounts with a sufficiently complex password (cryptographically random, minimum 25 characters, rotates often) can be ignored, since these take long enough to crack that the cracked password has likely expired by the time its discovered.
Kerberoasting: Targeted Weak Cipher Response
Possible root causes
Malicious Detection
Attackers may deliberately request service tickets with weak encryption types as part of a Kerberoasting attack. This tactic allows them to harvest service ticket hashes, which can be cracked offline to obtain service account passwords. If successful, this can facilitate lateral movement and privilege escalation.
Benign Detection
Some legacy systems may still rely on weak ciphers due to outdated encryption protocols. These older systems might require the use of such ciphers for their operations. While not inherently malicious, it underscores the importance of ensuring these systems are patched and associated accounts are safeguarded with complex, frequently changed passwords.
Kerberoasting: Targeted Weak Cipher Response
Example scenarios
1. Legacy System Interaction
A service ticket request is made to a legacy application that uses weak encryption, potentially raising the alarm due to the presence of a modern host requesting the ticket.
2. Targeted Attack Simulation
An attacker, having gained limited access, specifically requests tickets with weak ciphers to speed up password cracking and escalate privileges.
Kerberoasting: Targeted Weak Cipher Response
Business impact
If this detection indicates a genuine threat, the organization faces significant risks:
Credential Exposure Risk
A successful Kerberoasting attack can reveal passwords for privileged service accounts, enabling attackers to compromise systems and escalate their privileges.
Domain Compromise Potential
If a service account with high privileges, such as domain admin, is compromised, it could lead to a complete domain takeover.
Increased Attack Surface
The use of weak encryption highlights vulnerabilities that could be exploited in more comprehensive attacks targeting the organization’s infrastructure.
Kerberoasting: Targeted Weak Cipher Response
Steps to investigate
Analyze the Host and Account Details
Review the host and user involved when weak ciphers are returned, ensuring this behavior is not standard for the given service or host.
Check the Encryption Type of the Service Ticket
Identify the type of cipher used and verify whether its usage aligns with organizational security standards.
Review Associated Account Permissions
Confirm the privilege level of the service account involved and assess whether it poses a significant risk if compromised.
Ensure Strong Password Policies
Verify that service accounts have cryptographically secure passwords that are regularly rotated to mitigate the risk of successful password cracking.
Kerberoasting: Targeted Weak Cipher Response
MITRE ATT&CK techniques covered
Kerberoasting: Targeted Weak Cipher Response
Related detections
FAQs
What is a Kerberoasting attack?
An attack where service ticket hashes are extracted from Kerberos, allowing offline password cracking.
Why are weak ciphers a concern?
They make it easier for attackers to break encryption and crack passwords using collected ticket data.
What should I do if this detection is triggered?
Investigate the event, analyze the involved host and accounts, and ensure strong passwords and updated security patches are in place.
Can legitimate applications trigger this detection?
Yes, legacy systems that use outdated encryption protocols might trigger this detection.
How can we reduce the risk of weak cipher attacks?
Disable weak encryption types, enforce complex passwords, and update systems to support modern ciphers.
Is the detection always indicative of an attack?
Not necessarily; it may reflect normal behavior in older systems. However, it warrants review to rule out malicious activity.
What encryption types are considered weak?
Older algorithms such as RC4 or less secure implementations of AES may be flagged as weak.
How does this detection relate to broader attack strategies?
It is part of reconnaissance and credential harvesting efforts that may precede lateral movement.
Should I disable accounts related to this detection?
Only after verifying malicious activity. Disabling without confirmation could disrupt legitimate operations.
What tools can assist in cracking weak ciphers?
Common password-cracking tools include John the Ripper and Hashcat.