Detections
Analytics

Privileged Accounts Running Kerberos Services

critical

Language:

Description

In 2014, a new type of attack called Kerberoast targets privileged domain user accounts by exploiting the internal mechanisms of the Kerberos authentication protocol. The attacker's goal is to discover the clear-text password of an account, which gives them associated rights.
This attack can occur from inside an Active Directory environment using a simple, unprivileged user account. If a specific Active Directory attribute (the servicePrincipalName) is set on an account, this affects the underlying security of this account. The password of this account can be guessed, and traditional security mechanisms that lock an account after several password failures cannot prevent exhaustive attacks on passwords.
Some very privileged accounts are usually targeted, (e.g. users of the Domain Admins group). Those accounts can lead to a full domain compromise very fast and as such should be protected against this Kerberos configuration threat.
The Kerberoasting Indicator of Attack can alert security personnel if an attacker attempts to exploit this vulnerability. However, it is still necessary to fix the underlying issue to secure very privileged accounts, which can lead to a full domain compromise quickly.

Solution

Privileged accounts should not have a Service Principal Name.

See Also

Authentication secrets part II - Kerberos strikes-back

MITRE ATT&CK - Steal or Forge Kerberos Tickets: Kerberoasting

Sneaky Persistence Active Directory Trick: Dropping SPNs on Admin Accounts for Later Kerberoasting

Kerberos: An Authentication Service for Computer Networks

Indicator Details

Name: Privileged Accounts Running Kerberos Services

Codename: C-PRIV-ACCOUNTS-SPN

Severity: Critical

MITRE ATT&CK Information:

Tactics: TA0004

Techniques: T1078

Attacker Known Tools

Kerberoast

Empire

Impacket

PowerSploit