Kerberos Attacks – All You Need to Know

By John Gates, on March 15th, 2022

Privileged account exploitation remains at the core of targeted cyber attacks. A look at some of the most high-profile breaches reveals a highly predictable pattern: attackers break through the network perimeter, hijack credentials, and use them to move laterally across the entire network. They also take additional credentials and escalate privileges to achieve their goals.


Combining privileged accounts with attacks on Kerberos authentication in Windows domains raises the stakes of the overall cyber threat. In such attacks, threat actors target domain administration privileges, which provide unrestricted control of and access to the entire IT landscape. With these privileges, attackers can manipulate Domain Controllers and generate Kerberos tickets to gain unauthorized access.


Why are Kerberos Attacks Dangerous?

Kerberos attacks are regarded as one of the most dangerous attack mechanisms, and they are challenging for the following reasons:

  • Persistence: Gone are the days of stolen or damaged data getting dumped all at once. Attackers now prefer to stay on the network undiscovered for long periods of time, funneling out information piece by piece in small amounts. Kerberos attacks give attackers what they need most: time. Attackers can maintain persistence with Kerberos tickets even after the compromised credentials are changed.


  • Obscurity: To get past security controls while evading detection, attackers can reuse Kerberos tickets to impersonate authorized users. This lets them get into authentication processes, disguise their activity, and avoid leaving traces in authentication logs.


  • Access: Once attackers have Local Admin privileges, they can easily make off with additional credentials. Credentials left unattended on the compromised system enable the attacker to move laterally across the network, escalate privileges, and obtain unauthorized access to important assets.


While there are a number of attacks on authentication protocols, such as Pass-the-Ticket, Overpass-the-Hash, and Pass-the-Hash, one of the most destructive is the Golden Ticket attack. It means ‘game over’ for a company and results in the complete loss of the entire IT infrastructure and of trust in it.


Understanding Golden Ticket:

With local admin or domain admin access on the Active Directory domain/forest, it is possible to manipulate Kerberos tickets to achieve unauthorized access. The golden ticket Kerberos attack is one in which the attacker creates a Kerberos ticket-granting ticket (TGT) that is valid for around 10 years, although the lifetime can be set to any length.


The holder of a golden ticket can pose as any entity (provided they can supply the hash), add any account to any group (even highly privileged groups), and do anything within the capabilities of Kerberos authentication. It is also possible to create usable Kerberos tickets for service, computer, or user accounts that do not even exist in Active Directory. A golden ticket is not just a forged Kerberos ticket; it is in effect a forged Kerberos Key Distribution Center.


How Kerberos authentication works:

Kerberos supports two-factor authentication and uses mutual authentication. It uses tickets and a token to verify the client, and it uses three different keys to make the protocol harder for attackers to breach. Kerberos requires both the server and the client to verify themselves. Suppose a client wants to connect to a server: it must first verify itself to a trusted third party, the Key Distribution Center (KDC).


Kerberos Configuration:

The Kerberos protocol has several important advantages and plays an important role in preventing various types of intrusion attacks. Kerberos avoids storing passwords locally or sending them over the internet, and it provides mutual authentication that verifies the authenticity of both the user and the server.


To minimize the Kerberos attack surface, there are several hardening actions that you should take:


1. Make sure you use efficient encryption.
2. Audit Authentication Service.
3. Audit Service Ticket Operations.
4. Ensure ‘Support device authentication using certificate’ is set to ‘Enabled: Automatic’.
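
Once the two audit policies in the list above are enabled, Domain Controllers log event 4768 (TGT requested) and event 4769 (service ticket requested), and both record the ticket's encryption type. The following is an added example, not code from this article or from any product it mentions: it scans exported events for tickets issued with DES or RC4. The function name and the sample events are constructed for illustration, and it assumes the events have already been exported as dictionaries keyed by the EventData field names.

```python
from collections import defaultdict

# Values of the TicketEncryptionType field in events 4768/4769.
ETYPES = {
    0x01: "DES-CBC-CRC", 0x03: "DES-CBC-MD5",
    0x11: "AES128-CTS-HMAC-SHA1-96", 0x12: "AES256-CTS-HMAC-SHA1-96",
    0x17: "RC4-HMAC", 0x18: "RC4-HMAC-EXP",
}
WEAK = {0x01, 0x03, 0x17, 0x18}
# 4768 comes from "Audit Kerberos Authentication Service",
# 4769 from "Audit Kerberos Service Ticket Operations".
KERBEROS_EVENTS = {4768: "TGT", 4769: "service ticket"}
NO_TICKET = 0xFFFFFFFF  # logged when the request failed and no ticket was issued

def weak_ticket_findings(events):
    """Group weak-encryption ticket issuances by (client address, account)."""
    findings = defaultdict(list)
    for ev in events:
        kind = KERBEROS_EVENTS.get(ev.get("EventID"))
        if kind is None:
            continue  # not a Kerberos ticket event
        try:
            etype = int(ev.get("TicketEncryptionType") or "", 16)
        except (ValueError, TypeError):
            continue  # field missing or malformed
        if etype == NO_TICKET or etype not in WEAK:
            continue
        key = (ev.get("IpAddress", "?"), ev.get("TargetUserName", "?"))
        findings[key].append(
            f"{kind} for {ev.get('ServiceName', '?')} issued with {ETYPES[etype]}")
    return dict(findings)

def _ev(event_id, user, service, etype, ip):
    return {"EventID": event_id, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip}

# Constructed sample events; accounts, services and addresses are made up.
SAMPLE_EVENTS = [
    _ev(4768, "alice", "krbtgt", "0x12", "::ffff:192.0.2.10"),       # AES: fine
    _ev(4769, "alice", "svc-sql", "0x17", "::ffff:192.0.2.10"),      # RC4
    _ev(4769, "alice", "svc-web", "0x17", "::ffff:192.0.2.10"),      # RC4
    _ev(4768, "bob", "krbtgt", "0x3", "::ffff:192.0.2.20"),          # DES
    _ev(4769, "carol", "svc-sql", "0xFFFFFFFF", "::ffff:192.0.2.30"),  # failed
    {"EventID": 4624, "TargetUserName": "dave"},                     # unrelated
]

if __name__ == "__main__":
    for (ip, account), items in weak_ticket_findings(SAMPLE_EVENTS).items():
        print(f"{account} from {ip}: " + "; ".join(items))
```
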


To make sure you don’t miss anything, we recommend using automation when securing Kerberos configurations. Using hardening automation can help you lower the risk of attacks. CalCom Hardening Solution is the perfect tool for this job.