Steal or Forge Kerberos Tickets: Серебряный билет Kerberos
Other sub-techniques of Steal or Forge Kerberos Tickets (5)
Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets. Kerberos TGS tickets are also known as service tickets.(Citation: ADSecurity Silver Tickets) Silver tickets are more limited in scope in than golden tickets in that they only enable adversaries to access a particular resource (e.g. MSSQL) and the system that hosts the resource; however, unlike golden tickets, adversaries with the ability to forge silver tickets are able to create TGS tickets without interacting with the Key Distribution Center (KDC), potentially making detection more difficult.(Citation: ADSecurity Detecting Forged Tickets) Password hashes for target services may be obtained using OS Credential Dumping or Kerberoasting.
Примеры процедур |
|
Название | Описание |
---|---|
Rubeus |
Rubeus can create silver tickets.(Citation: GitHub Rubeus March 2023) |
AADInternals |
AADInternals can be used to forge Kerberos tickets using the password hash of the AZUREADSSOACC account.(Citation: AADInternals Documentation) |
Mimikatz |
Mimikatz's kerberos module can create silver tickets.(Citation: GitHub Mimikatz kerberos Module) |
Empire |
Empire can leverage its implementation of Mimikatz to obtain and use silver tickets.(Citation: Github PowerShell Empire) |
Контрмеры |
|
Контрмера | Описание |
---|---|
Password Policies |
Set and enforce secure password policies for accounts. |
Privileged Account Management |
Manage the creation, modification, use, and permissions associated to privileged accounts, including SYSTEM and root. |
Encrypt Sensitive Information |
Protect sensitive information with strong encryption. |
Обнаружение
Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4634, 4672).(Citation: ADSecurity Detecting Forged Tickets) Monitor for unexpected processes interacting with lsass.exe.(Citation: Medium Detecting Attempts to Steal Passwords from Memory) Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.
Ссылки
- French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
- Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
- Sean Metcalf. (2015, November 17). How Attackers Use Kerberos Silver Tickets to Exploit Systems. Retrieved February 27, 2020.
- Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.
- Harmj0y. (n.d.). Rubeus. Retrieved March 29, 2023.
- Dr. Nestori Syynimaa. (2018, October 25). AADInternals. Retrieved February 18, 2022.
- Deply, B., Le Toux, V.. (2016, June 5). module ~ kerberos. Retrieved March 17, 2020.
- Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
Связанные риски
Каталоги
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.