CAPEC-652: Use of Known Kerberos Credentials
An adversary obtains (i.e. steals or purchases) legitimate Kerberos credentials (e.g. Kerberos service account userID/password or Kerberos Tickets) with the goal of achieving authenticated access to additional systems, applications, or services within the domain.
Kerberos is the default authentication method for Windows domains and is also used across many operating systems. Attacks leveraging trusted Kerberos credentials can result in numerous consequences, depending on what Kerberos credential is stolen. For example, Kerberos service accounts are typically used to run services or scheduled tasks pertaining to authentication. However, these credentials are often weak and never expire, in addition to possessing local or domain administrator privileges. If an adversary is able to acquire these credentials, it could result in lateral movement within the domain or access to any resources the service account is privileged to access, among other things. Ultimately, successful spoofing and impersonation of trusted Kerberos credentials can lead to an adversary breaking authentication, authorization, and audit controls with the target system or application.
Weaknesses
| # ID | Name | Type |
|---|---|---|
| CWE-262 | Not Using Password Aging | weakness |
| CWE-263 | Password Aging with Long Expiration | weakness |
| CWE-294 | Authentication Bypass by Capture-replay | weakness |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | weakness |
| CWE-308 | Use of Single-factor Authentication | weakness |
| CWE-309 | Use of Password System for Primary Authentication | weakness |
| CWE-522 | Insufficiently Protected Credentials | weakness |
| CWE-654 | Reliance on a Single Factor in a Security Decision | weakness |
| CWE-836 | Use of Password Hash Instead of Password for Authentication | weakness |
Taxonomiy Mapping
| Type | # ID | Name |
|---|---|---|
| ATTACK | 1558 | Steal or Forge Kerberos Tickets |