Detecting LDAP based Kerberoasting with Azure ATP
Published Apr 17 2019 07:00 AM
Microsoft

In a typical Kerberoasting attack, attackers abuse ordinary LDAP query rights (no LDAP vulnerability is involved; any authenticated domain account can run the query) to list every user account that has a Kerberos Service Principal Name (SPN) set. They then request a Kerberos service ticket (TGS) for each of those SPNs and brute-force the encrypted part of the tickets offline, because that part is encrypted with a key derived from the service account's password. A recovered password gives the attacker a working domain account, and with it the ability to move laterally in your domain.

 

Environments where service tickets are issued with a weak encryption type (RC4-HMAC, whose key is simply the unsalted NT hash of the password) and where the service account uses a human-chosen, guessable password rather than a long random one are prime targets for this kind of offline brute force.

 

The following attack logic is often used to find an organization's weakest link and perform LDAP based Kerberoast attacks.

 

Figure 1 - Typical Kerberoasting attack flow

 

Typical LDAP based Kerberoasting attack flow and result: 

 

Step 1: Identify

 

In this phase, attackers use LDAP to query for every user account that has a Service Principal Name (SPN). Any authenticated domain user can run this query; no special privilege is required, which is why it is hard to tell apart from normal directory traffic.

 

Figure 2 - LDAP query that looks for all user accounts with an SPN set

Step 2: Enumerate

In this phase, the attacker uses a valid TGT (obtained for any domain account they control) to request a service ticket (TGS) for each SPN found in Step 1. The KDC issues the ticket whether or not the requester is authorised to use the service, because access checks are performed by the service itself, so every request succeeds. Each returned ticket is encrypted with the key of the service account that owns the SPN.

 

Figure 3 - TGS request to ExampleService of user1 by user2

Figure 4 - TGS response with ticket to ExampleService of user1

 

Step 3: Brute force

 

In the brute force phase, the attacker runs commonly available password-cracking tools against the collected tickets. Service accounts whose passwords are common or guessable are recovered quickly.

 

In the following example, the widely used cracker John the Ripper recovers the password with a wordlist (dictionary) attack. Because every ticket carries a random confounder, precomputed rainbow tables do not apply here: each candidate password has to be tried against the ticket directly.

Figure 5 - Password cracked with John the Ripper

Step 4: Attack  

 

Where the brute force succeeds, the attacker uses the recovered clear-text password to log on to remote machines, or to access cloud resources and files, as the service account.

 

Figure 6 - Interactive clear-text logon

How can you detect and prevent Kerberoast attacks from succeeding? 

Azure Advanced Threat Protection (Azure ATP) has developed new methods to detect when malicious actors perform LDAP-based reconnaissance on your domain. This activity is difficult to detect, and LDAP's extensive query language made the problem harder, so our security research focused on separating legitimate workflows from malicious behavior and on surfacing all related activities and entities.

Our newest security alert uses behavioral detection backed by machine learning and fires when abnormal enumeration of any type (including SPN enumeration) or queries against sensitive security groups are detected.

 

Starting from v2.72, Azure ATP issues a Security principal reconnaissance (LDAP) alert when the first stage of a Kerberoasting attack attempt is detected on the domains we monitor.  
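As an added illustration of the two stages the alert is meant to catch early (not Azure ATP's detector, and not code from the post), the following Python runs two simple heuristics over constructed log records: stage 1 flags LDAP searches whose filter enumerates servicePrincipalName (the query in Step 1), and stage 2 flags an account that requests RC4 (TicketEncryptionType 0x17) service tickets for many distinct SPNs inside a short window (Step 2). The records are constructed dicts shaped like the fields of Windows Security event 4769 and of a generic LDAP search log; the threshold, window, names and addresses are assumptions.

```python
"""Two-stage Kerberoasting heuristics over constructed DC log records.

Added illustration only; this is not Azure ATP's detector and the input is
constructed, not a real log format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                 # TicketEncryptionType value for RC4-HMAC in event 4769
SPN_THRESHOLD = 5               # assumed: distinct SPNs from one account within WINDOW
WINDOW = timedelta(minutes=5)   # assumed burst window


def ldap_spn_enumeration(ldap_records):
    """Stage 1: (user, client) pairs whose search filter asks for every object
    that has an SPN, i.e. the query shown in Figure 2 of the post."""
    hits = []
    for rec in ldap_records:
        normalised = rec["filter"].lower().replace(" ", "")
        if "(serviceprincipalname=*)" in normalised:
            hits.append((rec["user"], rec["client"]))
    return hits


def rc4_tgs_bursts(events):
    """Stage 2: requesting accounts that obtained RC4 tickets for at least
    SPN_THRESHOLD distinct user SPNs within WINDOW. Computer accounts ('$')
    and krbtgt are skipped: their keys are random and not crackable."""
    by_user = defaultdict(list)
    for ev in events:
        svc = ev["ServiceName"]
        if ev["TicketEncryptionType"] != RC4_HMAC:
            continue
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        by_user[ev["TargetUserName"]].append((ev["time"], svc))

    alerts = {}
    for user, reqs in by_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - start <= WINDOW}
            if len(spns) >= SPN_THRESHOLD:
                alerts[user] = sorted(spns)
                break
    return alerts


# ---- constructed sample data (not real logs) ---------------------------------
T0 = datetime(2019, 4, 17, 9, 0, 0)

LDAP_LOG = [
    {"user": "user2", "client": "Client1",
     "filter": "(&(objectCategory=person)(objectClass=user)(servicePrincipalName=*))"},
    {"user": "svc_backup", "client": "Srv3", "filter": "(sAMAccountName=svc_backup)"},
]

TGS_EVENTS = [  # user2 roasting six SPNs in six seconds from one host
    {"time": T0 + timedelta(seconds=i), "TargetUserName": "user2",
     "ServiceName": f"svc{i}", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.5"}
    for i in range(6)
] + [
    # benign noise: a computer account, an AES256 (0x12) ticket, a lone RC4 request later on
    {"time": T0, "TargetUserName": "user2", "ServiceName": "DC01$",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.5"},
    {"time": T0, "TargetUserName": "alice", "ServiceName": "sql_svc",
     "TicketEncryptionType": 0x12, "IpAddress": "10.0.0.9"},
    {"time": T0 + timedelta(minutes=30), "TargetUserName": "alice", "ServiceName": "http_svc",
     "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.9"},
]


def run():
    """Run both stages over the samples; returns (stage1_hits, stage2_alerts)."""
    return ldap_spn_enumeration(LDAP_LOG), rc4_tgs_bursts(TGS_EVENTS)


if __name__ == "__main__":
    stage1, stage2 = run()
    print("LDAP SPN enumeration by:", stage1)
    print("RC4 TGS bursts by:", stage2)
```

Stage 1 is the earlier and more valuable signal, which is why the Azure ATP alert targets it: at that point no ticket has been handed out yet. Stage 2 is noisier in environments where RC4 is still widely negotiated, so the threshold and window need tuning against the domain's own baseline; the clean separation in the constructed data above will not hold as neatly in a real one.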

 

Each alert includes vital information for use in your investigation and remediation:

 

1. Identification of malicious activity

2. Attempted enumeration details and specifics

3. Historical comparisons and activity correlation

4. Suggested remediation steps

 


The following workflow explains how to use Azure ATP alerts to detect and remediate Kerberoasting attempts on your domain.

 

Step 1: Review the alert to identify the actors and entities involved.

 

Figure 7 - Azure ATP alert on suspicious enumerations

 

Step 2: Filter activities to review resource access on the entity involved

 

Figure 8 - Filter for resource access activities on Client1's profile

 

Step 3: Use the filter results to investigate the resource access activities

 

Figure 9 - Investigate the resource access activity (generated by Kerberos Ticket Granting Service) for ExampleService/User1

Step 4: Filter Interactive logon and Credential validation for the accessed entity

 

Figure 10 - Filter Interactive logon and Credential validation on User1's profile

Step 5: Review logon and access attempts

 

Figure 11 - User1's clear-text password was used to log on interactively on Client2

Step 6: Remediate possible risks

  1. Force a password reset on the compromised account.
  2. Require long and complex passwords for user accounts that carry an SPN; the minimum password length policy is documented at https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/minimum...
  3. Replace the user account with a group Managed Service Account (gMSA), whose password is long, random and rotated automatically: https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-manage...

Because RC4-encrypted tickets are what make the offline cracking step practical, also prefer the AES Kerberos encryption types for service accounts wherever the service supports them.

 

Kerberoasting remains a popular and widely discussed attack, and the consequences of a successful attempt are real. Make sure your security team understands the common Kerberoasting risks and techniques, along with the tools and alerts Azure ATP offers to help protect your domain.

 

As always, we welcome your feedback about our work, and are interested in learning more about the security threats and risks you encounter. For more information about features and threat protection, or to learn how we can help, contact us

 

Get Started Today

 

If you are just starting your journey, begin trials of the Microsoft Threat Protection services today to experience the benefits of the most comprehensive, integrated, and secure threat protection solution for the modern workplace:

 

 

 

3 Comments
Copper Contributor

Good job! I hope Kerberoasting detection will be added to Microsoft ATA. I would love to see how you guys were able to analyse the LDAP requests. Is the data accessible in the MongoDB from Microsoft ATA or ATP to analyse the LDAP requests, to see patterns or logs that are accessible for threat hunting?

Microsoft

Thanks CookieMonster2019 for the question. The LDAP detector, which also supports the Kerberoasting detection, is running on Azure ATP. Unfortunately it isn't supported on Microsoft ATA at the moment.

Copper Contributor

Amazing work. This is one of the main reasons why someone should sign up to Azure ATP. Its level of importance is much higher than most people think. If it was possible to detect AD recon at an early stage, the attackers would be blind on the network and have to go back to NMAP scans or ARP scans to gather information. But an LDAP detector could help to detect reconnaissance on the AD and detect attacks such as Kerberoasting.

Version history
Last update: May 11 2021 01:55 PM