Description
Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as “realms”, there are three basic participants: client, service, and Key Distribution Center (KDC).(Citation: ADSecurity Kerberos Ring Decoder) Clients request access to a service and, through the exchange of Kerberos tickets originating from the KDC, are granted access after successfully authenticating. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.(Citation: Microsoft Klist)
Sub-Techniques (5)
- T1558.001 Golden Ticket
- T1558.002 Silver Ticket
- T1558.003 Kerberoasting
- T1558.004 AS-REP Roasting
- T1558.005 Ccache Files
Mitigations (6)
Active Directory Configuration (M1015)
For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KR
Credential Access Protection (M1043)
On Linux systems, protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels.(Citation: Brining MimiKatz to Unix)
Encrypt Sensitive Information (M1041)
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.(Citation: AdSecurity Cracking Kerberos Dec 2015)
Password Policies (M1027)
Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.(Citation: AdSecurity Cracking Kerberos Dec 2015) Also consider using Group Managed Service Accounts or another third party product such as password vaulting.(Citation: AdSecurity Cracking Kerberos Dec 2015)
Audit (M1047)
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
Privileged Account Management (M1026)
Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.
Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.(Citation: AdSecurity Cracking Kerberos Dec 2015)
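As an added example (not part of the ATT&CK page and not code from the klist tool), the following Python parses klist-style output and flags cached tickets that still use RC4 encryption (the cipher the Encrypt Sensitive Information mitigation recommends replacing with AES) or whose lifetime exceeds what the KDC would normally issue. The sample output, the account and realm names, and the 10-hour lifetime limit are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed `klist` output for illustration (not captured from a real host).
SAMPLE_KLIST = """Cached Tickets: (2)

#0>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Start Time: 3/12/2024 9:00:00 (local)
        End Time:   3/12/2024 19:00:00 (local)

#1>     Client: jdoe @ CORP.EXAMPLE
        Server: krbtgt/CORP.EXAMPLE @ CORP.EXAMPLE
        KerbTicket Encryption Type: RSADSI RC4-HMAC(NT)
        Start Time: 3/12/2024 9:05:00 (local)
        End Time:   3/10/2034 9:05:00 (local)
"""

# One "Key: value" line per field we care about.
FIELD_RE = re.compile(
    r"^\s*(Client|Server|KerbTicket Encryption Type|Start Time|End Time):\s*(.+?)\s*$", re.M)

def _parse_time(value: str) -> datetime:
    # klist prints e.g. "3/12/2024 9:00:00 (local)"; drop the "(local)" suffix.
    return datetime.strptime(value.replace("(local)", "").strip(), "%m/%d/%Y %H:%M:%S")

def parse_klist(text: str) -> list[dict]:
    """Split klist output into one dict per cached ticket (#0>, #1>, ...)."""
    tickets = []
    for block in re.split(r"^#\d+>", text, flags=re.M)[1:]:
        fields = dict(FIELD_RE.findall(block))
        lifetime = _parse_time(fields["End Time"]) - _parse_time(fields["Start Time"])
        fields["lifetime_hours"] = lifetime.total_seconds() / 3600
        tickets.append(fields)
    return tickets

def flag_tickets(tickets: list[dict], max_lifetime_hours: float = 10.0) -> dict[int, list[str]]:
    """Return {ticket index: reasons} for tickets worth a closer look.
    max_lifetime_hours is an assumed site policy (the AD default TGT lifetime is 10 hours)."""
    findings = {}
    for i, t in enumerate(tickets):
        reasons = []
        if "RC4" in t.get("KerbTicket Encryption Type", ""):
            reasons.append("rc4")        # weaker cipher; the mitigation above prefers AES
        if t["lifetime_hours"] > max_lifetime_hours:
            reasons.append("lifetime")   # longer than the KDC policy would normally issue
        if reasons:
            findings[i] = reasons
    return findings
```

Calling `flag_tickets(parse_klist(SAMPLE_KLIST))` on the sample returns `{1: ['rc4', 'lifetime']}`; on a real host, feed it the text of `klist` instead of the constructed sample.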
Threat Groups (1)
| ID | Group | Context |
|---|---|---|
| G1024 | Akira | [Akira](https://attack.mitre.org/groups/G1024) have used scripts to dump Kerberos authentication credentials.(Citation: Cisco Akira Ransomware OCT 202... |
References
- Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
- Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.
- French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
- Warren, J. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.
- Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.
- Metcalf, S. (2015, May 3). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
- Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.
- Microsoft. (2021, March 3). klist. Retrieved October 14, 2021.
- Metcalf, S. (2014, September 12). Kerberos, Active Directory’s Secret Decoder Ring. Retrieved February 27, 2020.
Frequently Asked Questions
What is T1558 (Steal or Forge Kerberos Tickets)?
T1558 is a MITRE ATT&CK technique named 'Steal or Forge Kerberos Tickets'. It belongs to the Credential Access tactic(s). Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable [Pass the Ticket](https://attack.mitre.org/techniques/T1550/003). Kerberos is an authentica...
How can T1558 be detected?
Detection of T1558 (Steal or Forge Kerberos Tickets) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1558?
There are 6 documented mitigations for T1558. Key mitigations include: Active Directory Configuration, Credential Access Protection, Encrypt Sensitive Information, Password Policies, Audit.
Which threat groups use T1558?
Known threat groups using T1558 include: Akira.