Vectra AI Detection: Kerberos Brute-Sweep
Reconnaissance

Detection overview

The "Kerberos Brute-Sweep" detection indicates an attempt to perform brute-force attacks against Kerberos services within a network. Attackers use brute-sweeping techniques to guess user credentials or Service Principal Names (SPNs) to gain unauthorized access. This detection is critical as successful Kerberos brute-force attacks can lead to the compromise of high-value accounts and further infiltration into the network.

Triggers

  • A host attempts a suspicious number of authentication requests using a large number of user accounts, with some requests failing because the accounts don’t exist and others failing because the password is incorrect

Possible Root Causes

  • The host is part of a targeted attack which aims to spread horizontally within the network by first discovering which user accounts exist and simultaneously attempting to log in to them using credentials from a common set of passwords
  • The host may be a portal (a shared resource) and the authentication requests are being performed on behalf of other systems inside or outside the organization

Business Impact

  • An account brute sweep to a Kerberos or AD server is an effective way for an attacker to determine what accounts are available inside an organization’s network and to simultaneously try to guess the accounts’ passwords
  • Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
  • This form of reconnaissance is often a lot less noticeable than a port sweep, a port scan, or even the widespread use of RPCs to many hosts, so attackers feel they can use it with relatively little risk of detection

Steps to Verify

  • Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host
  • Inquire whether the host should be utilizing the user accounts listed in the detection
  • Verify that the host on which authentication is attempted is not a shared resource, as this could generate a sufficient variety of authentications to resemble an account brute sweep
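As an added example that is not part of this page or Vectra's own detection logic, the trigger above and the log review in Steps to Verify can be approximated over Windows Security events 4768 (TGT request) and 4771 (pre-authentication failure), an assumed log source; the hosts, accounts and addresses in the sample are constructed, and the events are assumed to already be filtered to a short time window:

```python
from collections import defaultdict

# Kerberos result codes as they appear in Windows Security events (real values).
KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"   # event 4768: the account does not exist
KDC_ERR_PREAUTH_FAILED = "0x18"       # event 4771: account exists, wrong password

# Constructed sample events (event id, client IP, account, result/failure code).
# Hosts, accounts and addresses are made up; only the event ids and codes are real.
SAMPLE_EVENTS = [
    # 10.0.0.50: many distinct accounts, mix of "no such user" and "bad password"
    (4768, "10.0.0.50", "svc_backup", "0x6"),
    (4768, "10.0.0.50", "jdoe2", "0x6"),
    (4768, "10.0.0.50", "admin2", "0x6"),
    (4771, "10.0.0.50", "alice", "0x18"),
    (4771, "10.0.0.50", "bob", "0x18"),
    (4771, "10.0.0.50", "carol", "0x18"),
    (4768, "10.0.0.50", "carol", "0x0"),   # one guess eventually succeeds
    # 10.0.0.77: a user mistyping one password, then logging in normally
    (4771, "10.0.0.77", "alice", "0x18"),
    (4768, "10.0.0.77", "alice", "0x0"),
    # 10.0.0.90: a stale credential hammering one account (lockout risk, not a sweep)
    *[(4771, "10.0.0.90", "dave", "0x18") for _ in range(6)],
]

def brute_sweep_candidates(events, min_accounts=5, min_unknown=2, min_bad_password=2):
    """Return {client_ip: summary} for hosts whose failed requests span many distinct
    accounts and mix 'account does not exist' with 'wrong password' errors, which is
    the pattern the Kerberos Brute-Sweep trigger describes. Counting distinct accounts
    (not raw failures) keeps a single locked-out user from being flagged."""
    per_host = defaultdict(lambda: {"unknown": set(), "bad_password": set()})
    for event_id, client_ip, account, code in events:
        if event_id == 4768 and code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            per_host[client_ip]["unknown"].add(account)
        elif event_id == 4771 and code == KDC_ERR_PREAUTH_FAILED:
            per_host[client_ip]["bad_password"].add(account)
    candidates = {}
    for client_ip, seen in per_host.items():
        distinct = len(seen["unknown"] | seen["bad_password"])
        if (distinct >= min_accounts
                and len(seen["unknown"]) >= min_unknown
                and len(seen["bad_password"]) >= min_bad_password):
            candidates[client_ip] = {
                "accounts": distinct,
                "unknown": sorted(seen["unknown"]),
                "bad_password": sorted(seen["bad_password"]),
            }
    return candidates
```

The account lists in each summary are what you would cross-check against the question in Steps to Verify of whether the host should be using those accounts at all.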

Possible root causes

Malicious Detection

  • An attacker attempting to brute-force Kerberos passwords to gain unauthorized access to network resources.
  • Compromised internal host being used to perform Kerberos brute-force attacks.
  • Automated scripts or tools used for techniques such as Kerberoasting, which request Kerberos service tickets in bulk so they can be cracked offline.

Benign Detection

  • Misconfigured applications or services repeatedly attempting Kerberos authentication with incorrect credentials.
  • Network administrators performing security testing or password strength assessments.
  • System clocks out of sync causing repeated authentication attempts due to Kerberos ticket expiry issues.

Example scenarios

Scenario 1: An internal host generates a high number of failed Kerberos authentication attempts targeting various user accounts within a short period. Investigation reveals that the host is compromised, and the attacker is using it to brute-force Kerberos passwords.

Scenario 2: A spike in Kerberos authentication traffic is detected, originating from an IP address associated with a network security assessment. Verification with the IT department confirms that the activity is part of a scheduled security test.

Business impact

If this detection indicates a genuine threat, the organization faces significant risks:

Compromise of High-Value Accounts

Successful brute-force attacks on Kerberos can lead to the compromise of privileged accounts, allowing attackers to access sensitive data and critical systems.

Increased Risk of Lateral Movement

Attackers can use compromised credentials to move laterally within the network, escalating privileges and accessing additional resources.

Operational Disruption

Repeated authentication attempts can cause account lockouts, disrupting legitimate access and affecting business operations.

Steps to investigate

FAQs

What is a Kerberos Brute-Sweep?

How can I detect a Kerberos Brute-Sweep in my network?

What are the common signs of a Kerberos Brute-Sweep?

Why are Kerberos Brute-Sweeps a significant threat?

Can legitimate software trigger this detection?

What steps should I take if I detect a Kerberos Brute-Sweep?

How does Vectra AI identify Kerberos Brute-Sweeps?

What tools can help verify the presence of a Kerberos Brute-Sweep?

What is the business impact of a Kerberos Brute-Sweep?

How can I prevent Kerberos Brute-Sweeps?