Steal or Forge Kerberos Tickets

Adversaries may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket. Kerberos is an authentication protocol widely used in modern Windows domain environments. In Kerberos environments, referred to as "realms", there are three basic participants: client, service, and Key Distribution Center (KDC).[1] Clients request access to a service and through the exchange of Kerberos tickets, originating from KDC, they are granted access after having successfully authenticated. The KDC is responsible for both authentication and ticket granting. Adversaries may attempt to abuse Kerberos by stealing tickets or forging tickets to enable unauthorized access.

On Windows, the built-in klist utility can be used to list and analyze cached Kerberos tickets.[2]

ID: T1558
Platforms: Linux, Windows, macOS
System Requirements: Kerberos authentication enabled
Contributors: Cody Thomas, SpecterOps; Tim (Wadhwa-)Brown
Version: 1.6
Created: 11 February 2020
Last Modified: 17 September 2024

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.[3]

M1047 Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.

M1043 Credential Access Protection

On Linux systems, protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels.[4]

M1041 Encrypt Sensitive Information

Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.[5]

M1027 Password Policies

Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.[5] Also consider using Group Managed Service Accounts or another third party product such as password vaulting.[5]

M1026 Privileged Account Management

Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[5]

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Credential Request

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.[6][7][8]Monitor the lifetime of TGT tickets for values that differ from the default domain duration.[9] Monitor for indications of Pass the Ticket being used to move laterally.

DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket.

DS0022 File File Access

Monitor for unexpected processes interacting with lsass.exe.[10] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.

DS0028 Logon Session Logon Session Metadata

Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).[11] [5]

References