Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as "realms", there are three basic participants: client, service, and Key Distribution Center (KDC).[1] Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.
On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.[2]
| ID | Name | Description |
|---|---|---|
| G1024 | Akira |
Akira have used scripts to dump Kerberos authentication credentials.[3] |
| ID | Mitigation | Description |
|---|---|---|
| M1015 | Active Directory Configuration |
For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.[4] |
| M1047 | Audit |
Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses. |
| M1043 | Credential Access Protection |
On Linux systems, protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels.[5] |
| M1041 | Encrypt Sensitive Information |
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.[6] |
| M1027 | Password Policies |
Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.[6] Also consider using Group Managed Service Accounts or another third party product such as password vaulting.[6] |
| M1026 | Privileged Account Management |
Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts. Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[6] |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0522 | Detect Kerberos Ticket Theft or Forgery (T1558) | AN1443 |
Detects anomalous Kerberos activity such as forged or stolen tickets by correlating malformed fields in logon events, RC4-encrypted TGTs, or TGS requests without corresponding TGT requests. Also detects suspicious processes accessing LSASS memory for ticket extraction. |
| AN1444 |
Detects suspicious access to SSSD secrets database and Kerberos key material indicating ticket theft or replay attempts. Correlates anomalous file access with unusual Kerberos service ticket requests. |
||
| AN1445 |
Detects attempts to forge or replay Kerberos tickets by monitoring Unified Logs for anomalous kinit/klist activity and correlating unusual authentication sequences. |