CAPEC-509: Kerberoasting

Abstraction: Detailed
Status: Stable
Severity: High

Description

By exploiting how service accounts use Kerberos authentication with Service Principal Names (SPNs), the adversary obtains and then cracks the hashed credentials of a targeted service account in order to use its privileges. The Kerberos authentication protocol centers on a ticketing system that is used to request and grant access to services and then to access the requested services. As any authenticated user, the adversary can query Active Directory for accounts with SPNs and request a service ticket for one of them; portions of that ticket are encrypted with RC4 under the service account's key. By extracting the ticket from the local ticket cache and saving it to disk, the adversary can brute-force the encrypted material offline to recover the target account's credentials.
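As an added defensive illustration (not part of the CAPEC entry), the heuristic below flags the behaviour the description names: one authenticated account pulling RC4-encrypted service tickets for several SPN-bearing accounts in a short span. It assumes the fields of Windows Security Event 4769 ("A Kerberos service ticket was requested": requesting account, service name, TicketEncryptionType, where 0x17 is RC4-HMAC); the sample events, thresholds and account names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"  # TicketEncryptionType value Windows logs for RC4-HMAC

# Constructed sample of Event 4769 fields (not real telemetry):
# (requesting account, requested service account, encryption type, time).
SAMPLE_EVENTS = [
    ("alice", "fileserver$", "0x12", "2024-01-10T09:00:01"),  # AES ticket, computer account
    ("bob",   "sqlsvc",      "0x17", "2024-01-10T09:01:00"),
    ("bob",   "iissvc",      "0x17", "2024-01-10T09:01:02"),
    ("bob",   "backupsvc",   "0x17", "2024-01-10T09:01:03"),
    ("bob",   "krbtgt",      "0x17", "2024-01-10T09:01:04"),  # TGT, not a roastable SPN
    ("carol", "sqlsvc",      "0x17", "2024-01-10T09:05:00"),  # single legacy RC4 request
    ("carol", "iissvc",      "0x17", "2024-01-10T10:30:00"),  # far outside the window
]

def is_service_account(service):
    """Roastable targets are user accounts carrying an SPN; computer accounts
    (trailing $) and krbtgt are excluded to cut noise."""
    return not service.endswith("$") and service.lower() != "krbtgt"

def kerberoast_candidates(events, window=timedelta(minutes=5), min_spns=3):
    """Return {user: [services]} for accounts that requested RC4-encrypted
    service tickets for at least min_spns distinct service accounts within
    any span of length `window`. Fan-out of RC4 requests across many SPNs is
    the behavioural signature of bulk ticket collection."""
    per_user = defaultdict(list)
    for user, service, enc, ts in events:
        if enc == RC4_HMAC and is_service_account(service):
            per_user[user].append((datetime.fromisoformat(ts), service))
    flagged = {}
    for user, reqs in per_user.items():
        reqs.sort()
        for i, (start, _) in enumerate(reqs):
            # distinct services requested from this event to the end of the window
            in_window = {s for t, s in reqs[i:] if t - start <= window}
            if len(in_window) >= min_spns:
                flagged[user] = sorted(in_window)
                break
    return flagged

if __name__ == "__main__":
    print(kerberoast_candidates(SAMPLE_EVENTS))  # {'bob': ['backupsvc', 'iissvc', 'sqlsvc']}
```

Tune `window` and `min_spns` to the environment; AES-only tickets (0x11/0x12) and computer accounts are deliberately ignored, so legacy services that still negotiate RC4 are the main source of false positives.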

Related weaknesses (7)

CWE-522, CWE-308, CWE-309, CWE-294, CWE-263, CWE-262, CWE-521

MITRE ATT&CK crosswalk (1)

T1558.003: Steal or Forge Kerberos Tickets: Kerberoasting

Related attack patterns (2)

CAPEC-652 (ChildOf), CAPEC-151 (CanPrecede)

Exploits (7)

Type      Target                                                          Confidence  Tier
Weakness  Authentication Bypass by Capture-replay (CWE-294)               100%        live
Weakness  Weak Password Requirements (CWE-521)                            100%        live
Weakness  Not Using Password Aging (CWE-262)                              100%        live
Weakness  Password Aging with Long Expiration (CWE-263)                   100%        live
Weakness  Use of Single-factor Authentication (CWE-308)                   100%        live
Weakness  Insufficiently Protected Credentials (CWE-522)                  100%        live
Weakness  Use of Password System for Primary Authentication (CWE-309)     100%        live

Related to (1)

Type           Target                      Confidence  Tier
Sub-technique  Kerberoasting (T1558.003)   100%        live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CAPEC: Use of Captured Tickets (Pass The Ticket)
CAPEC: Use of Known Kerberos Credentials
Technique: Steal or Forge Kerberos Tickets
Sub-technique: AS-REP Roasting
Sub-technique: Silver Ticket
Tactic: Credential Access
Sourced from MITRE CAPEC. Curated by Adam Lundqvist, SQUR.