Lateral movement

Kerberoasting: Targeted Weak Cipher Response

Detection overview

Triggers

  • A user has requested a Kerberos service ticket from the ticket granting service which has responded with a weak cipher. This service has either never responded with a weak cipher or the occurrence of this behavior is rare.
  • This behavior could indicate the presence of an active attacker who is aiming to escalate privileges on the network by exploiting a weak cipher response and subsequently cracking the NTLM, AES, or RC4 hash. The objective is to obtain the password associated with the targeted service account.

Possible Root Causes

Malicious Detection

  • A single ticket cipher downgrade attack may be leveraged in a targeted attack to escalate privileges to progress further into the network and ultimately achieve the goal set out by the malicious actor.
  • Observing a weak cipher response from the request of a Ticket Granting Service (TGS) ticket where the service being requested has either never responded with a weak cipher or rarely responds with a weak cipher could be indicative of a malicious actor attempting to elevate privileges to progress further in carrying out their attack.
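The baseline-and-compare logic this detection describes, as an added Python example (not the vendor's detection code): it builds a per-service history of the TicketEncryptionType values seen in Windows Security Event 4769 and flags a weak (RC4/DES) response only for services that never or rarely return one. The sample events, the 5% "rarely" threshold and the service names are constructed assumptions.

```python
from collections import Counter, defaultdict

# TicketEncryptionType values as logged in Event 4769:
# 0x01 DES-CBC-CRC, 0x03 DES-CBC-MD5, 0x17 RC4-HMAC, 0x18 RC4-HMAC-EXP are weak;
# 0x11 AES128 and 0x12 AES256 are the expected modern responses.
WEAK_ETYPES = {0x01, 0x03, 0x17, 0x18}
RARE_FRACTION = 0.05  # assumed tuning knob: weak share below this counts as "rarely"

# Constructed historical 4769 events (one entry per TGS response).
HISTORY = (
    [{"ServiceName": "MSSQLSvc/db01", "TicketEncryptionType": 0x12}] * 40
    + [{"ServiceName": "HTTP/intranet", "TicketEncryptionType": 0x12}] * 30
    + [{"ServiceName": "legacyapp", "TicketEncryptionType": 0x17}] * 25  # legacy, always RC4
)

# Constructed new events to evaluate against that baseline.
NEW_EVENTS = [
    {"TargetUserName": "jdoe", "IpAddress": "10.0.5.17",
     "ServiceName": "MSSQLSvc/db01", "TicketEncryptionType": 0x17},
    {"TargetUserName": "jdoe", "IpAddress": "10.0.5.17",
     "ServiceName": "legacyapp", "TicketEncryptionType": 0x17},
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.5.20",
     "ServiceName": "HTTP/intranet", "TicketEncryptionType": 0x12},
    {"TargetUserName": "jdoe", "IpAddress": "10.0.5.17",
     "ServiceName": "CIFS/newfs", "TicketEncryptionType": 0x17},
]

def build_baseline(events):
    """Per service: how many times each encryption type has been returned."""
    baseline = defaultdict(Counter)
    for ev in events:
        baseline[ev["ServiceName"]][ev["TicketEncryptionType"]] += 1
    return baseline

def weak_fraction(counts):
    """Share of a service's historical responses that used a weak etype."""
    total = sum(counts.values())
    weak = sum(n for et, n in counts.items() if et in WEAK_ETYPES)
    return weak / total if total else 0.0

def is_targeted_weak_cipher(event, baseline):
    """True when a weak etype is returned by a service that never or rarely does so."""
    if event["TicketEncryptionType"] not in WEAK_ETYPES:
        return False
    counts = baseline.get(event["ServiceName"])
    if counts is None:  # no history at all: this service has never answered weakly
        return True
    return weak_fraction(counts) < RARE_FRACTION

def detect(history, new_events):
    """Return (requester, source IP, service) for each event that trips the detection."""
    baseline = build_baseline(history)
    return [(ev["TargetUserName"], ev["IpAddress"], ev["ServiceName"])
            for ev in new_events if is_targeted_weak_cipher(ev, baseline)]
```

The legacy service that has always answered with RC4 is not flagged, which matches the benign case described under Benign Detection; the two flagged rows are the ones an analyst would triage using the Steps to Verify.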

Benign Detection

  • Legacy systems, which lack support for modern ciphers, may still rely on weak ciphers for their operations. In such cases, it becomes crucial to confirm all necessary patches are applied and to prioritize the security of accounts associated with these services. This involves enforcing strong and lengthy passwords for these accounts, while also adhering to regular password update schedules. Additionally, it is essential to assign minimal privileges to these accounts, ensuring they possess only the necessary permissions required for proper functioning within the organization.

Business Impact

  • Specific Risk: A cipher downgrade could lead to exposing credentials of a privileged account.
  • Impact: Depending on the level of privilege a targeted account has (e.g. service account with domain admin), this could lead directly to a full domain compromise.

Steps to Verify

  • Investigate the host, user, and service accounts involved when weak ciphers are returned to a host that doesn’t typically request them. Conventionally, service accounts with a sufficiently complex password (cryptographically random, minimum 25 characters, rotated often) can be ignored, since these take long enough to crack that the cracked password has likely expired by the time it’s discovered.