Detecting Kerberoasting using GetUserSPNs.py

cY83rR0H1t
Apr 16, 2024

In Active Directory, Service Principal Names (SPNs) identify services and applications. An SPN is registered on the user or computer account that the service runs as; these service accounts are used only to run services and applications within the Active Directory environment.

The script GetUserSPNs.py can be used to obtain a crackable hash for every user account that has a Service Principal Name (SPN) set. When an SPN is configured on a user account, any authenticated domain user can request a Service Ticket for that account. Because that ticket is encrypted with the service account's password hash, it can be taken offline and cracked in an attempt to recover the user's password.

Enumerating the SPNs

The first step of a Kerberoasting attack is to enumerate the servicePrincipalNames (SPNs) associated with user or computer accounts in the target domain.

Impacket's GetUserSPNs.py fetches the Service Principal Names associated with normal user accounts and, with -request, asks the domain controller for a service ticket for each of them, writing the resulting hashes to the output file:
python3 GetUserSPNs.py test.local/username:password123 -dc-ip 10.10.10.1 -request -outputfile hashes.kerberoast

Cracking the hash

The Kerberos 5 TGS-REP etype 23 hashes are cracked offline with hashcat mode 13100 (the page's command, with the long-form --force flag that hashcat expects):
hashcat -m 13100 --force -a 0 hashes.kerberoast password.txt

Logs captured in QRadar:-

Raw payload Info:

AgentDevice=WindowsLog 
AgentLogFile=Security
PluginVersion=7.3.1.28
Source=Microsoft-Windows-Security-Auditing
Computer=xxxx.local
OriginatingComputer=10.xx.xx.x
User=
Domain=
EventID=4769
EventIDCode=4769
EventType=8
EventCategory=14337
RecordNumber=17796004
TimeGenerated=17132285749
TimeWritten=1757895749
Level=Log Always
Keywords=Audit Success
Task=SE_ADT_ACCOUNTLOGON_KERBEROS
Opcode=Info
Message= A Kerberos service ticket was requested.

Account Information:
Account Name: soc_rohitj@Domain.LOCAL
Account Domain: Domain.LOCAL
Logon GUID: {xxxxx-8005-xxx-9475-xxxxxd7ff9cc}

Service Information:
Service Name: userspntest
Service ID: ROHIT\userspntest
Network Information:
Client Address: ::ffff:10.xx.xx.x
Client Port: 53294

Additional Information:
Ticket Options: 0x40810010
Ticket Encryption Type: 0x17
Failure Code: 0x0
Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a Windows service.
The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event.
The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.

Detection Idea:-

Here are the fields of a 4769 event that, taken together, indicate a Kerberoasting attempt with GetUserSPNs.py:

1. Monitor Event ID 4769 (a Kerberos service ticket was requested).
2. Ticket Options is 0x40810010 (this is the default value used by the GetUserSPNs.py tool in the Impacket suite).
3. Ticket Encryption Type is 0x17 (eType 18 (0x12) is AES-256, and eType 23 (0x17) is RC4; Kerberoasting tools ask for RC4 because RC4 tickets crack far faster than AES ones).
4. Service Name does not contain krbtgt and does not end with $ (krbtgt is the TGT itself, and names ending in $ are computer accounts; neither is a user SPN worth roasting).
5. Status (Failure Code) is 0x0, i.e. the ticket was actually issued.
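As an added illustration (not code from this post), the five checks above applied to raw 4769 payloads in the QRadar key=value layout shown earlier; the sample payloads, account names and client addresses are constructed, and the first one mirrors the GetUserSPNs.py capture.

```python
import re

# Field extractors for the QRadar raw payload layout shown earlier
# (EventID as a key=value header line, "Key: value" lines inside Message).
_FIELDS = {
    "event_id": r"^EventID=(\d+)",
    "account": r"^Account Name:\s*(\S+)",
    "service": r"^Service Name:\s*(\S+)",
    "client": r"^Client Address:\s*(\S+)",
    "options": r"^Ticket Options:\s*(0x[0-9a-fA-F]+)",
    "etype": r"^Ticket Encryption Type:\s*(0x[0-9a-fA-F]+)",
    "status": r"^Failure Code:\s*(0x[0-9a-fA-F]+)",
}

def parse_4769(raw):
    """Extract the detection-relevant fields from one raw 4769 payload."""
    return {k: (m.group(1) if (m := re.search(rx, raw, re.M)) else None)
            for k, rx in _FIELDS.items()}

def _hex_eq(value, expected):
    return value is not None and int(value, 16) == expected

def is_getuserspns_like(f):
    """All five checks: 4769, Impacket's default ticket options, RC4,
    a user SPN (not krbtgt, not a computer account), successful request."""
    svc = (f["service"] or "").lower()
    return (f["event_id"] == "4769"
            and _hex_eq(f["options"], 0x40810010)
            and _hex_eq(f["etype"], 0x17)
            and "krbtgt" not in svc and not svc.endswith("$")
            and _hex_eq(f["status"], 0x0))

def triage(raw_events):
    """Return (account, client, service) for every event matching all checks."""
    hits = []
    for raw in raw_events:
        f = parse_4769(raw)
        if is_getuserspns_like(f):
            hits.append((f["account"], f["client"], f["service"]))
    return hits

# Constructed sample payloads: one roast-like request and two benign look-alikes.
SAMPLES = [
    "EventID=4769\nAccount Name: soc_rohitj@DOMAIN.LOCAL\nService Name: userspntest\n"
    "Client Address: ::ffff:10.0.0.5\nTicket Options: 0x40810010\n"
    "Ticket Encryption Type: 0x17\nFailure Code: 0x0\n",
    "EventID=4769\nAccount Name: alice@DOMAIN.LOCAL\nService Name: WS01$\n"  # computer SPN, AES
    "Client Address: ::ffff:10.0.0.7\nTicket Options: 0x40810000\n"
    "Ticket Encryption Type: 0x12\nFailure Code: 0x0\n",
    "EventID=4769\nAccount Name: bob@DOMAIN.LOCAL\nService Name: krbtgt\n"  # TGT renewal
    "Client Address: ::ffff:10.0.0.9\nTicket Options: 0x40810010\n"
    "Ticket Encryption Type: 0x17\nFailure Code: 0x0\n",
]
```

Running triage(SAMPLES) returns only the first event; in production the same check would run per 4769 event and the (account, client) pair would be counted, since a roasting run produces many such hits from one client in a short window.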

QRadar Detection Rule + Alert generated:-
and when the event(s) were detected by one or more of Microsoft Windows Security Event Log
and when the event matches Event ID (custom) is any of 4769
and when the event matches Service Name (custom) does not match any of expressions [(?i)krbtgt or .*\$]
and when the event matches Ticket Encryption Type (custom) is any of 0x17
and when the event matches Status Code (custom) is any of 0x0
and when the event matches Ticket Options (custom) is any of 0x40810010

Sigma Rule:-

title: Kerberos SPN request using GetUserSPNs.py script
id: 9e2a3e39-6fad-45db-8085-0a12fca532b4
status: test
references:
    - https://trustedsec.com/blog/the-art-of-bypassing-kerberoast-detections-with-orpheus
    - https://trustedsec.com/blog/art_of_kerberoast
author: Rohit J
date: 2024/04/16
tags:
    - attack.credential_access
    - attack.t1558.003
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4769
        TicketEncryptionType: '0x17'
        Status: '0x0'
        TicketOptions: '0x40810010'
    filter:
        - ServiceName|contains: 'krbtgt'
        - ServiceName|endswith: '$'
    condition: selection and not filter
falsepositives:
    - N/A
level: medium

cY83rR0H1t

MSc CyberSecurity |Cybersecurity researcher | OSCP | CRTO | CRTP |eCPPTv2 | eJPT | Hack The Box player | CTF player |