Sign In
- Platform
- Solutions
- Modern NDR
- Resources
- Company
Platform
Modern NDR
Resources
Platform
Modern NDR
Resources
DETECTION OVERVIEW
Risk Factors
By default, the latest versions of Windows Server disable support for RC4, a weak cipher algorithm. But Kerberos attack tools can help an attacker target servers that still support RC4. Kerberos attacks (such as Kerberoasting) can be threatening, but unusual Kerberos requests do not immediately affect network devices.
The system might change the risk score for this detection.
Kill Chain
Risk Score
33
Kerberos is an authentication protocol that creates tickets encrypted with account keys to verify identity and permissions. A ticket contains user, computer, or service account credentials that are encrypted with a cipher algorithm. When a Windows client wants to access a service, they submit credentials to a Kerberos server, often a domain controller (DC). The DC stores account passwords for users and services as NTLM ciphertext. Kerberoasting is a technique for cracking service account passwords by decrypting tickets. First, the attacker sends Kerberos requests for multiple services. Each request includes RC4, a weak cipher algorithm that leverages the service account NTLM ciphertext to encrypt and decrypt the ticket. After the DC generates the service ticket, known as the ticket-granting service (TGS) ticket, the attacker collects those tickets and attempts to decrypt them offline. After a ticket is decrypted, the service account password is exposed to the attacker.
Quarantine the client while checking for indicators of compromise
Disable RC4 support on Windows Servers and enable stronger encryption algorithms such as AES Kerberos encryption
Implement the least privilege model
