Written by: Biju Varghese, Technical Product Manager at Attivo Networks – Since 2014, the Kerberos Silver Ticket attack has been a well-known Active Directory attack method, widely used by red teams, pen testers, and some state-sponsored actors. I do not want to get into the attack method, the how-to, or even the detection methods; all of this is well documented by the creators of Mimikatz in Abusing Microsoft Kerberos and in the blog post by Sean Metcalf on Detecting Forged Kerberos Ticket. Instead, let me introduce a solution that stops a Silver Ticket attack at its very first step.
Attackers do not start with the Silver Ticket or Golden Ticket attack. After compromising a machine, an attacker spends a few hours in reconnaissance. This is crucial because the attacker needs a strategy for reaching their final goal, persistence, undetected. Active Directory allows domain reconnaissance from any domain-joined Windows machine without any admin privileges, which makes the attacker's life easy. For a Silver Ticket attack, the attacker first needs three pieces of information: the SPNs, the service accounts or hostnames that own them, and finally the password of one of those accounts, which is recovered by brute force, typically offline from a service ticket requested for that SPN (Kerberoasting).
What if I told you that you could prevent any reconnaissance attempt without modifying your Active Directory? How cool is that?
Attivo ADSecure can prevent attackers from obtaining privileged information from your Active Directory. Attackers can gather this data in various ways: native tools, LDAP queries, PowerShell cmdlets, and so on. Our approach detects these attempts whether they come from an outsider or an insider threat. We designed the product with early prevention in mind, and that is what distinguishes it from other products on the market.
In the case of the Kerberos Silver Ticket attack, we defeat the attacker in the initial reconnaissance phase, without the attacker realizing where they are being led. While the attacker is still progressing with the attack, we prevent it and notify the security admin. In the background the solution records the attacker's TTPs, or the admin can configure it to block the attacker automatically, ending the attack chain.
Let us see this in action now.
Adversaries are constantly finding new methods and increasingly rely on native operating system tools, rather than an external payload, to go undetected.
We are going to use SetSPN (setspn.exe), a command-line tool built into Windows Server 2008 and later and present on current domain-joined Windows clients. SetSPN has almost the same capabilities as the script we used earlier, and more. Here is a nice TechNet article if you would like to learn more about the tool.
For this scenario, we will look for accounts with an HTTP SPN, running the command on a machine without the ADSecure solution. The command is very simple: "setspn -Q HTTP/*". SetSPN allows wildcard searches, so you can use any combination of service class and host to look for any type of SPN (for example, "setspn -Q */*" lists every SPN registered in the domain).
In the image above, production service accounts with an HTTP SPN registered are revealed: regular service accounts, gMSAs, and computer accounts. Attackers are most interested in the regular service accounts, because their passwords are chosen by humans and are the easiest to crack; gMSA and computer account passwords are long, random, and rotated automatically.
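To make the reconnaissance step concrete, here is an added example, not code from the original post or from Attivo, that does over LDAP what "setspn -Q HTTP/*" and the Kerberoast GetUserSPNs.ps1 script do: it enumerates every account holding a matching SPN and classifies it as a regular user account, a gMSA, or a computer account, flagging the ones whose password a human set and that are therefore worth cracking. It assumes it is run on a domain-joined Windows host as any domain user; it uses only the .NET DirectorySearcher that ships with Windows, so it needs neither admin rights nor RSAT. The same script doubles as a defender's audit of which user accounts expose an SPN. The parameter name and the "Crackable" column are my own choices, not terms from the post.

```powershell
# Added example (not from the original post): enumerate SPNs over LDAP and
# classify the owning accounts, the way setspn -Q and GetUserSPNs.ps1 do.
# Runs as an unprivileged domain user on any domain-joined Windows host.
param(
    # Wildcard pattern in setspn -Q form: <serviceclass>/<host>[:port][/name]
    [string]$SpnPattern = 'HTTP/*'
)

# Find the domain naming context from RootDSE instead of hard-coding a domain name
$rootDse    = [ADSI]'LDAP://RootDSE'
$searchRoot = [ADSI]"LDAP://$($rootDse.defaultNamingContext)"

# Escape characters that have meaning in an LDAP filter, but keep '*' as a wildcard,
# so the pattern behaves like the one setspn -Q accepts
$escaped = $SpnPattern -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29'

# servicePrincipalName is multi-valued; a substring match on it is what setspn -Q does
$filter = "(servicePrincipalName=$escaped)"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($searchRoot, $filter)
$searcher.PageSize = 1000          # paged results, so large domains return everything
[void]$searcher.PropertiesToLoad.AddRange(
    @('sAMAccountName', 'servicePrincipalName', 'objectClass', 'pwdLastSet'))

foreach ($result in $searcher.FindAll()) {
    $props   = $result.Properties
    $classes = @($props['objectclass'])

    # objectClass is inherited: a gMSA also carries 'computer' and 'user', and a computer
    # also carries 'user', so test the most specific class first
    $kind = if ($classes -contains 'msDS-GroupManagedServiceAccount') { 'gMSA' }
            elseif ($classes -contains 'computer')                     { 'computer' }
            else                                                       { 'user' }

    # An account may hold many SPNs; show only the ones matching the requested pattern
    $matchingSpns = @($props['serviceprincipalname']) | Where-Object { $_ -like $SpnPattern }

    # pwdLastSet is a Windows FILETIME; 0 means the password was never set or must change
    $pwdLastSet = [long]$props['pwdlastset'][0]
    $pwdAge     = if ($pwdLastSet -gt 0) { [datetime]::FromFileTimeUtc($pwdLastSet) } else { $null }

    [pscustomobject]@{
        Account     = [string]$props['samaccountname'][0]
        AccountType = $kind
        # Regular user accounts have human-chosen passwords; gMSA and computer
        # accounts use long random machine-generated passwords that rotate
        Crackable   = ($kind -eq 'user')
        PwdLastSet  = $pwdAge
        SPNs        = ($matchingSpns -join '; ')
    }
}
```

Run it as `.\Get-SpnOwners.ps1 -SpnPattern 'HTTP/*'` (any file name works) and pipe the output to `Where-Object Crackable` to see exactly the subset an attacker would pick for Kerberoasting; a defender reading the same list should be asking why each of those accounts still has a human-set password, and how old it is.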
We have just seen how easy it is for an attacker to discover service accounts without any external tools. To demonstrate the depth of the ADSecure solution, I will attempt two different methods of discovering service accounts on a protected endpoint.
Method 1: PowerShell Script
The attacker runs the script GetUserSPNs.ps1 from the Kerberoast toolkit. This script finds all the service accounts (user accounts with an SPN registered) in the Active Directory domain.
In the image above, after running the script, the attacker discovers no service accounts at all: the machine is protected by the Attivo ADSecure solution and all the real service accounts have been hidden from it. This is one of the ways we protect.
Method 2: SetSPN command
We use the same SetSPN command as earlier to discover HTTP SPNs.
In the image above, with ADSecure protecting the endpoint, the attacker's view is completely altered and a different set of service accounts is presented, without any modification to Active Directory. While the attacker is kept engaged with these decoy service accounts, the solution immediately detects the SPN enumeration, alerts the security team, and provides full visibility into the attacker's TTPs: a detailed report with associated alerts is raised whenever such activity is detected.
Below is a sample of the alert and the forensic information available to the security admin for investigation: process name, script file, API, and LDAP query.
We have just walked through how ADSecure misled the attacker and thereby stopped the Silver Ticket attack in its early stages. ADSecure is an Active Directory-aware solution that prevents a range of Active Directory attacks: reconnaissance, service account enumeration, privileged account enumeration, Kerberoasting, SPN scanning, Silver Ticket attacks, and more.
Want to try our innovative solution for yourself? Register for a 30 Day Trial.