Stay Ahead of the Game: Detecting Kerberoasting Attacks Using ELK SIEM

In recent years, cyber attacks have become increasingly sophisticated, and one of the most dangerous types of attacks that organizations face is Kerberoasting. This type of attack targets vulnerabilities in the Kerberos authentication protocol and can result in the compromise of sensitive information and resources. In this blog post, we’ll explain what Kerberoasting is, how it works, and steps you can take to detect it using ELK SIEM.

What is Kerberoasting?

Kerberoasting is a type of attack that exploits vulnerabilities in the Kerberos authentication protocol. Kerberos is the widely used protocol for authenticating users and services in a Windows domain environment, and it is what secures communication between servers, clients, and other resources on the network.

During a Kerberoasting attack, an attacker first identifies the Service Principal Names (SPNs) of target services, such as SQL Server or Exchange. Kerberos uses SPNs to identify and authenticate services running on the network. The attacker then requests a ticket-granting ticket (TGT) from the domain controller on behalf of a user account with no password expiration, and uses that TGT to request a service ticket for the target SPN. Part of the service ticket is encrypted with the hash of the service account’s password, so the attacker can take it offline, crack the password, and gain access to the target service.

How Does Kerberoasting Work?

Here’s a step-by-step breakdown of how a Kerberoasting attack works:

  1. The attacker identifies the target SPN of a service running on the network, such as SQL Server or Exchange.
  2. The attacker requests a TGT from the domain controller on behalf of a user account with no password expiration.
  3. The attacker uses the TGT to request a service ticket for the target SPN; part of that ticket is encrypted with the hash of the service account’s password.
  4. The attacker can then use this hash to crack the password offline and gain access to the target service.

Once the attacker has gained access to the target service, they can use it to steal sensitive information or cause further damage to the network.

How to Perform a Kerberoasting Attack

To perform a Kerberoasting attack, an attacker needs to have access to a domain-joined machine and be able to run a tool that supports the attack, such as PowerSploit or Rubeus. The attacker also needs to have sufficient permissions to request a TGT and service tickets.

Here are the steps an attacker might take to perform a Kerberoasting attack:

  1. The attacker identifies the target SPN of a service running on the network, such as SQL Server or Exchange.
  2. The attacker uses a tool such as PowerSploit or Rubeus to request a TGT on behalf of a user account with no password expiration.
  3. The attacker uses the TGT to request a service ticket for the target SPN; part of that ticket is encrypted with the hash of the service account’s password.
  4. The attacker uses a password cracking tool such as Hashcat to crack the password hash and gain access to the target service.

How to Detect Kerberoasting Using ELK SIEM

Detecting Kerberoasting attacks using ELK SIEM can be done with EQL queries. EQL (Event Query Language) is a powerful query language that lets you search and analyze event data in real time.

Here is an example EQL query that can be used to detect Kerberoasting attacks in ELK SIEM:

any where event.provider == "Microsoft-Windows-Security-Auditing"
    and event.code == "4769"
    // Service ticket encryption type RC4-HMAC; the event stores it as the hex string 0x17 (decimal 23)
    and winlog.event_data.TicketEncryptionType == "0x17"
    // Ticket options commonly seen in Kerberoasting requests
    and winlog.event_data.TicketOptions in ("0x40810000", "0x40800000", "0x40810010")
    // Exclude computer accounts, whose names end in $
    and not endsWith(winlog.event_data.ServiceName, "$")

This EQL query returns events with a provider of “Microsoft-Windows-Security-Auditing” and a code of “4769”, indicating a Kerberos service ticket was requested. The service-name check filters out computer accounts (names ending in a dollar sign), since those are typically not vulnerable to Kerberoasting: their passwords are long and machine-generated. The ticket-options check keeps the specific ticket options commonly seen in Kerberoasting requests, and the encryption-type check keeps only RC4 tickets (type 23, which the event records as the hex string “0x17”), the ones that are cheapest to crack offline.

In the SIEM, group the matching events by host.name, service name, ticket options, and ticket encryption type. This gives a summary of the relevant events by the fields that matter most when deciding whether a hit is Kerberoasting: one RC4 ticket for one service is often a legacy application, while one account requesting RC4 tickets for many different services in a short time is the pattern to escalate.

Following is the Sigma version of the rule:

title: Detect Kerberoasting Attack (via EventCode 4769)
status: experimental
description: Detects a possible Kerberoasting attack via EventCode 4769 with the Ticket Options and the RC4 Ticket Encryption Type typically requested by Kerberoasting tools, excluding computer accounts. Check the requesting account and host for further signs of compromise.
references:
    - https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4769
tags:
    - attack.credential_access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        TicketOptions:
            - '0x40810000'
            - '0x40800000'
            - '0x40810010'
        TicketEncryptionType: '0x17'   # RC4-HMAC (decimal 23); the event carries the hex form
    filter_computer_accounts:
        ServiceName|endswith: '$'
    condition: selection and not filter_computer_accounts
falsepositives:
    - Legacy applications or service accounts that still negotiate RC4 service tickets
level: high
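As an added example (not the blog's own code, nor Elastic's or Sigma's), here is the same selection logic as the EQL query and the Sigma rule applied in Python to a few constructed Winlogbeat-style 4769 records, extended with a per-account count of distinct SPNs that neither rule above has. The winlog.event_data.* field names follow Winlogbeat's mapping of the Security log; the sample records, the DC01 host name and the threshold of three SPNs are assumptions.

```python
import json
from collections import defaultdict

# Field names follow Winlogbeat's mapping of Security event 4769 (winlog.event_data.*);
# the values are the hex strings the event itself carries.
SUSPICIOUS_OPTIONS = {"0x40810000", "0x40800000", "0x40810010"}
RC4_HMAC = "0x17"  # encryption type 23 in decimal

def make_event(ts, user, service, opts="0x40810000", etype=RC4_HMAC, code="4769"):
    """Build one Winlogbeat-style 4769 record (constructed sample, not real telemetry)."""
    return {"@timestamp": ts, "host": {"name": "DC01"},
            "event": {"provider": "Microsoft-Windows-Security-Auditing", "code": code},
            "winlog": {"event_data": {"TargetUserName": user, "ServiceName": service,
                                      "TicketOptions": opts, "TicketEncryptionType": etype}}}

# Constructed log lines: alice pulls RC4 tickets for three different SPNs, the rest is noise.
SAMPLE_LOG_LINES = [json.dumps(e) for e in (
    make_event("2024-01-01T10:00:01Z", "alice", "svc_sql"),
    make_event("2024-01-01T10:00:01Z", "alice", "svc_http", opts="0x40800000"),
    make_event("2024-01-01T10:00:02Z", "alice", "svc_exchange", opts="0x40810010"),
    make_event("2024-01-01T10:00:02Z", "alice", "FILESRV01$"),           # computer account
    make_event("2024-01-01T10:05:00Z", "bob", "svc_sql", etype="0x12"),   # AES256 ticket
    make_event("2024-01-01T10:06:00Z", "carol", "svc_http"),              # one RC4 ticket only
    make_event("2024-01-01T10:07:00Z", "dave", "svc_http", code="4768"),  # TGT request, not 4769
)]

def is_roast_candidate(ev):
    """Same selection as the EQL/Sigma rule: 4769, RC4, listed ticket options, non-computer SPN."""
    if ev.get("event", {}).get("code") != "4769":
        return False
    data = ev.get("winlog", {}).get("event_data", {})
    return (data.get("TicketEncryptionType") == RC4_HMAC
            and data.get("TicketOptions") in SUSPICIOUS_OPTIONS
            and not data.get("ServiceName", "").endswith("$"))

def summarize(log_lines, min_distinct_spns=3):
    """Group candidates by (host, requesting account) and keep accounts that requested
    at least min_distinct_spns different SPNs: one RC4 ticket is usually a legacy app,
    a burst of tickets for many SPNs from one account is the Kerberoasting pattern."""
    spns = defaultdict(set)
    for line in log_lines:
        ev = json.loads(line)
        if is_roast_candidate(ev):
            data = ev["winlog"]["event_data"]
            spns[(ev["host"]["name"], data["TargetUserName"])].add(data["ServiceName"])
    return {key: sorted(names) for key, names in spns.items() if len(names) >= min_distinct_spns}

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG_LINES))
```

Lowering min_distinct_spns to 1 reproduces the raw rule hits (alice and carol); the default of 3 keeps only alice, whose burst across three services is the pattern worth escalating.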

I appreciate you reading this blog. If you think it has been valuable, please give it a thumbs up. If you enjoy it, share with your friends and other members of your community. Stay tuned for the next blog!