1. Home
  2. Techniques
  3. Enterprise
  4. 窃取或伪造Kerberos票据

窃取或伪造Kerberos票据

ID Name
T1558.001 隐蔽票据伪造
T1558.002 跨域票据传递
T1558.003 动态票据更新

窃取或伪造Kerberos票据是攻击者破坏Windows域身份认证体系的核心技术,通过获取或生成有效的Kerberos票证(TGT或ST)实现特权升级和横向移动。传统防御主要依赖监控Kerberos事件日志(如4769、4624)、检测非常规加密类型(如RC4-HMAC)、分析票据生命周期异常等。缓解措施包括启用Kerberos服务票证操作审计、限制域间信任范围、部署Credential Guard等。

为规避传统检测机制,攻击者发展出深度隐蔽的票据操作技术,通过内存操作隐蔽化、加密参数动态化、信任关系拓扑化等创新手法,将恶意票据活动融入Kerberos协议的正常交互流程,形成"协议级隐身"的新型攻击范式。

当前Kerberos票据匿迹技术的演进呈现三大特征:首先是攻击面的协议深度融合,通过精确模仿Kerberos协议状态机的工作机制,使恶意票据操作在加密算法、时间参数、信任链构建等维度与合法交互保持不可区分性;其次是攻击链的时空维度扩展,利用跨域信任关系实现攻击路径的拓扑稀释,并通过智能续期机制延长攻击周期;最后是攻击载体的内存驻留化,采用无文件操作技术消除磁盘痕迹,结合进程注入实现LSASS内存的隐蔽访问。这些技术突破使得传统基于单一事件日志分析或静态特征匹配的防御体系面临严峻挑战。

匿迹技术的发展迫使防御方构建多维度检测能力:需在域控制器部署实时加密策略合规性分析,实施跨域Kerberos事件关联审计,并引入内存行为基线监控。同时应限制跨域信任关系的深度,实施动态票据生命周期管理,并通过硬件隔离技术(如VBS)保护身份凭证存储区。

ID: T1558
Sub-techniques:  T1558.001, T1558.002, T1558.003
Tactic: 凭据获取
Platforms: Linux, Windows, macOS
System Requirements: Kerberos authentication enabled
Contributors: Cody Thomas, SpecterOps; Tim (Wadhwa-)Brown
Version: 1.6
Created: 11 February 2020
Last Modified: 17 September 2024

匿迹效应

效应类型 是否存在
特征伪装
行为透明
数据遮蔽
时空释痕

特征伪装

攻击者通过精确模拟Kerberos协议交互特征实现票据伪造的隐蔽性。在加密算法选择、时间戳设置、票据结构编排等维度严格遵循目标域的Kerberos策略规范,使伪造票据的协议特征与合法票据保持高度一致。同时利用域间信任协议的标准化交互流程,将跨域攻击行为伪装成合法的跨域认证请求。

数据遮蔽

在票据窃取过程中采用内存加密传输技术,对提取的票据数据实施临时性加密处理,规避基于内存明文扫描的检测,篡改时间戳等关键信息,能够起到代码混淆的作用,增加了追踪难度。部分高级攻击者还会将窃取的票据分割存储在多个进程内存空间,并通过动态重组技术规避完整性校验。

时空释痕

通过跨域票据传递构建分布式攻击链,将单次高风险的票据使用行为分散到多个域的信任交互过程中。结合动态票据更新机制延长攻击周期,使单个域的异常票据活动频率低于检测阈值。攻击特征的时空分散化显著增加了防御方的攻击链重构难度。

Mitigations

ID Mitigation Description
M1015 Active Directory Configuration

For containing the impact of a previously generated golden ticket, reset the built-in KRBTGT account password twice, which will invalidate any existing golden tickets that have been created with the KRBTGT hash and other Kerberos tickets derived from it. For each domain, change the KRBTGT account password once, force replication, and then change the password a second time. Consider rotating the KRBTGT account password every 180 days.[1]
M1047 Audit

Perform audits or scans of systems, permissions, insecure software, insecure configurations, etc. to identify potential weaknesses.
M1043 Credential Access Protection

On Linux systems, protect resources with Security Enhanced Linux (SELinux) by defining entry points, process types, and file labels.[2]

M1041 Encrypt Sensitive Information

Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.[3]
M1027 Password Policies

Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire.[3] Also consider using Group Managed Service Accounts or another third party product such as password vaulting.[3]
M1026 Privileged Account Management

Limit domain admin account permissions to domain controllers and limited servers. Delegate other admin functions to separate accounts.

Limit service accounts to minimal required privileges, including membership in privileged groups such as Domain Administrators.[3]

Detection

ID Data Source Data Component Detects
DS0026 Active Directory Active Directory Credential Request

Monitor for anomalous Kerberos activity, such as malformed or blank fields in Windows logon/logoff events (Event ID 4624, 4672, 4634), RC4 encryption within ticket granting tickets (TGTs), and ticket granting service (TGS) requests without preceding TGT requests.[4][5][6]Monitor the lifetime of TGT tickets for values that differ from the default domain duration.[7] Monitor for indications of Pass the Ticket being used to move laterally.
DS0017 Command Command Execution

Monitor executed commands and arguments that may attempt to subvert Kerberos authentication by stealing or forging Kerberos tickets to enable Pass the Ticket.
DS0022 File File Access

Monitor for unexpected processes interacting with lsass.exe.[8] Common credential dumpers such as Mimikatz access the LSA Subsystem Service (LSASS) process by opening the process, locating the LSA secrets key, and decrypting the sections in memory where credential details, including Kerberos tickets, are stored.
DS0028 Logon Session Logon Session Metadata

Enable Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17]).[9] [3]

References

  1. UCF. (n.d.). The password for the krbtgt account on a domain must be reset at least every 180 days. Retrieved November 5, 2020.
  2. Tim Wadhwa-Brown. (2018, November). Where 2 worlds collide Bringing Mimikatz et al to UNIX. Retrieved October 13, 2021.
  3. Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.
  4. Metcalf, S. (2015, May 03). Detecting Forged Kerberos Ticket (Golden Ticket & Silver Ticket) Use in Active Directory. Retrieved December 23, 2015.
  5. Jeff Warren. (2019, February 19). How to Detect Pass-the-Ticket Attacks. Retrieved February 27, 2020.
  1. Abolins, D., Boldea, C., Socha, K., Soria-Machado, M. (2016, April 26). Kerberos Golden Ticket Protection. Retrieved July 13, 2017.
  2. Microsoft. (2015, March 24). Kerberos Golden Ticket Check (Updated). Retrieved February 27, 2020.
  3. French, D. (2018, October 2). Detecting Attempts to Steal Passwords from Memory. Retrieved October 11, 2019.
  4. Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.