Attackers have been abusing Kerberos functionality for a long time, and mitigating these kinds of attacks has been a tough challenge.
In 2009, Microsoft released a whitepaper called "Heat-Ray" that explains this attack in detail. An Identity Snowball Attack leverages the users logged in to a first compromised machine to launch additional attacks, with those users' privileges, on other machines in the network.
It is very common to see organizations using Active Directory as their identity service, where Kerberos is the authentication mechanism. A key feature of Kerberos is the "ticket", which retains authentication information so that users do not need to re-enter their username and password every time they access a service on the network. This is also known as Single Sign-On (SSO).
Microsoft explains the Identity Snowball Attack in the context of Kerberos, as it is so widely deployed.
Alice needs to provide a secret to her machine, by entering a password or using a smartcard, to prove her identity. Alice's machine needs this information to obtain a Ticket-Granting Ticket (TGT) from the Key Distribution Center (KDC).
A TGT is the authentication token of a user, in this case Alice. TGTs are issued by the KDC. A TGT allows Alice's machine to perform actions on Alice's behalf. The received TGT is stored locally on Alice's machine so that she does not need to provide her secret every time (SSO).
When Alice wants to authenticate to Bob's machine, she presents her TGT to the KDC to obtain a service ticket, also referred to as a TGS.
Once she has obtained a service ticket, she presents it to Bob's machine; the service ticket proves to Bob's machine that it may perform actions on Alice's behalf.
This was just a high-level overview of Kerberos, but that is not what we came for. In this blog post I will demonstrate the capabilities of Defender ATP combined with Azure Sentinel.
In this scenario, we assume that Alice's machine has been compromised. The attacker now exports all the Kerberos tickets from memory to find TGTs that can be used to move laterally across the network.
All the Kerberos tickets have been exported from memory, and we can see that Bob has recently logged on to Alice's machine. An attacker can now use Bob's TGT to impersonate him and access resources on his behalf.
Having impersonated Bob, the attacker can move laterally across the network and access different systems, including the Domain Controller, which holds the keys to the kingdom.
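To make the ticket flow and the reuse scenario above concrete, here is an added example (not code from the original post): a small Python model of the AS and TGS exchanges, a workstation ticket cache keyed by logon session, and two defender-side checks for the footprint that reusing Bob's TGT leaves behind. The KDC, tickets (an HMAC tag stands in for the encryption real Kerberos uses), logon sessions, the host names THIRD-HOST and WINDOWS2012, the users and the service name `cifs/IDENTITY-DC` are all constructed for the example; the event numbers 4768 and 4769 are the real Windows audit IDs for TGT and service-ticket requests, but the log records here are simplified dictionaries, not the real event schema.

```python
# Added example (not code from the original post): a simplified model of the
# Kerberos ticket flow and of the ticket-reuse scenario described above, with two
# defender-side checks for the footprint it leaves.  KDC, tickets, logon sessions,
# hostnames and log records are constructed stand-ins, not real Kerberos data.
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Ticket:
    principal: str   # the user the ticket speaks for ("alice", "bob")
    service: str     # "krbtgt" marks a TGT; anything else is a service ticket
    issued_to: str   # host the KDC handed the ticket to
    tag: bytes       # integrity tag (real Kerberos encrypts under a service key)


class KDC:
    # Constructed stand-in for the domain controller's AS and TGS services.
    def __init__(self):
        self._key = os.urandom(32)   # stands in for the krbtgt secret
        self.log = []                # DC-side audit log (4768 = TGT, 4769 = TGS)

    def _tag(self, principal, service, issued_to):
        msg = f"{principal}|{service}|{issued_to}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def as_exchange(self, principal, host, secret_ok):
        # AS exchange: the user proves her secret and her machine receives a TGT.
        if not secret_ok:
            raise PermissionError(f"pre-authentication failed for {principal}")
        self.log.append({"event": 4768, "account": principal, "client": host})
        return Ticket(principal, "krbtgt", host, self._tag(principal, "krbtgt", host))

    def tgs_exchange(self, tgt, host, service):
        # TGS exchange: a genuine TGT is swapped for a service ticket.  The KDC
        # validates the ticket itself, not who is presenting it or from where.
        expected = self._tag(tgt.principal, tgt.service, tgt.issued_to)
        if tgt.service != "krbtgt" or not hmac.compare_digest(tgt.tag, expected):
            raise PermissionError("invalid TGT")
        self.log.append({"event": 4769, "account": tgt.principal, "client": host,
                         "service": service})
        return Ticket(tgt.principal, service, host, self._tag(tgt.principal, service, host))


class Host:
    # Constructed model of a workstation's logon sessions and its ticket cache.
    def __init__(self, name, kdc):
        self.name, self.kdc = name, kdc
        self.sessions = {}   # logon id -> user who owns the session
        self.cache = {}      # logon id -> tickets cached for that session

    def logon(self, user, secret_ok=True):
        luid = 0x3E7 + len(self.sessions)
        self.sessions[luid] = user
        self.cache[luid] = [self.kdc.as_exchange(user, self.name, secret_ok)]
        return luid

    def access(self, luid, service, tgt=None):
        # Obtain and cache a service ticket, by default with the session's own TGT.
        tgt = tgt or next(t for t in self.cache[luid] if t.service == "krbtgt")
        self.cache[luid].append(self.kdc.tgs_exchange(tgt, self.name, service))
        return self.cache[luid][-1]


def mismatched_sessions(host):
    # Endpoint check: a session holding tickets for a principal other than its
    # owner is what an injected ticket looks like in the local ticket cache.
    return sorted({(host.name, host.sessions[luid], t.principal)
                   for luid, tickets in host.cache.items()
                   for t in tickets if t.principal != host.sessions[luid]})


def foreign_tgs_requests(log):
    # DC check: TGS requests for an account from a host that never got a TGT for it.
    tgt_hosts = {}
    for e in log:
        if e["event"] == 4768:
            tgt_hosts.setdefault(e["account"], set()).add(e["client"])
    return [(e["account"], e["client"], e["service"]) for e in log
            if e["event"] == 4769 and e["client"] not in tgt_hosts.get(e["account"], ())]


def run_scenario():
    # Replay the post's scenario on constructed hosts: Bob's TGT is taken from
    # Alice's machine and reused, first there and then from a third machine.
    kdc = KDC()
    ws = Host("WINDOWS2012", kdc)           # Alice's compromised machine
    bob_tgt = ws.cache[ws.logon("bob")][0]  # Bob recently logged on here
    alice = ws.logon("alice")
    ws.cache[alice].append(bob_tgt)         # Bob's TGT injected into Alice's session
    ws.access(alice, "cifs/IDENTITY-DC", tgt=bob_tgt)
    third = Host("THIRD-HOST", kdc)         # a machine Bob never logged on to
    eve = third.logon("eve")
    third.cache[eve].append(bob_tgt)
    third.access(eve, "cifs/IDENTITY-DC", tgt=bob_tgt)
    return {"endpoint": mismatched_sessions(ws) + mismatched_sessions(third),
            "dc": foreign_tgs_requests(kdc.log)}
```

Running `run_scenario()` shows the point that matters for detection: the endpoint check flags Alice's session on WINDOWS2012 as soon as Bob's ticket sits in it, while the DC-side check only fires once the same ticket is used from THIRD-HOST, because on WINDOWS2012 a TGS request for Bob from the machine he genuinely logged on to looks normal. A domain controller's audit log alone therefore cannot see the first step of this scenario; telemetry from the endpoint, which is what Defender ATP contributes, can.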
Azure Sentinel has great features for visualizing everything in graphs and finding all the related attack paths that occurred.
Here we can see that a suspicious process was executed by the user Alice.
When we expand further and look at all of Alice's activities, we get a lot more information that is useful for investigating an incident.
At the bottom left, you can see "Pass-The-Ticket attack", which is the attack we just performed. Let's expand that to find additional information.
We can see that a Pass-The-Ticket attack was performed on the WINDOWS2012 machine.
Now let's find all the related information for the WINDOWS2012 machine. Do you remember that we performed code execution on the IDENTITY-DC machine to get access to the Domain Controller?
Yes, we can see that code execution on the IDENTITY-DC machine happened from the WINDOWS2012 machine.
Pass-The-Ticket has always been difficult for most enterprises to detect, but there are Microsoft solutions that can help a lot, such as Defender ATP.
Besides that, all the logs from Defender ATP can be connected to Azure Sentinel to get this graph, which is useful for investigations.
If you have a Security Operations Center but don't use Azure Sentinel, now is the right time to start, because it brings a lot of value.