kerberosting_internal_internal
Explanation
Kerberos is a network authentication protocol used by many enterprises to securely authenticate users and services across a network. Kerberoasting is a post-compromise attack that can be used to facilitate privilege escalation or lateral movement. The attack uses a compromised network account to request special Kerberos tickets for one or more service accounts, which may be entitled to more privileges than the attacker-controlled account. The requested tickets are protected with a hash of the service account's password, which the attacker extracts and attempts to crack offline.
What to Look For
When investigating kerberoasting_internal_internal events, look for OS logs that indicate requests for service account tickets, especially from unauthorized or uncommon users or machines. Look for evidence of unexpected logins by service accounts, and for evidence of Kerberoasting tools on related hosts. Since this attack relies on crackable passwords, rotate the passwords of accounts whose hashes may have been leaked, and use strong, hard-to-crack passwords.
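One way to apply the first check, as an added example that is not part of the original page or of the product's detection logic: it scans records shaped like Windows Security event 4769 (Kerberos service ticket requested) and reports accounts that obtained RC4-encrypted tickets for several distinct service accounts. The sample records, the `min_services` threshold and the `allowed` list are constructed assumptions.

```python
from collections import defaultdict

RC4_HMAC = "0x17"  # RC4 etype; weaker than the AES types (0x11, 0x12)

def ev(user, service, etype, ip, status="0x0"):
    """Build one constructed record using event 4769 field names."""
    return {"EventID": 4769, "TargetUserName": user, "ServiceName": service,
            "TicketEncryptionType": etype, "IpAddress": ip, "Status": status}

# Constructed sample data: every account, host and address is invented.
SAMPLE_EVENTS = [
    ev("alice@CORP.EXAMPLE", "svc-sql", "0x12", "10.0.0.21"),     # AES, normal use
    ev("carol@CORP.EXAMPLE", "FILESRV01$", "0x17", "10.0.0.23"),  # machine account
    ev("bob@CORP.EXAMPLE", "svc-sql", "0x17", "10.0.0.44"),
    ev("bob@CORP.EXAMPLE", "svc-web", "0x17", "10.0.0.44"),
    ev("bob@CORP.EXAMPLE", "svc-backup", "0x17", "10.0.0.44"),
    ev("dave@CORP.EXAMPLE", "svc-web", "0x17", "10.0.0.50", status="0x6"),  # failed
    ev("inventory@CORP.EXAMPLE", "svc-sql", "0x17", "10.0.0.9"),
    ev("inventory@CORP.EXAMPLE", "svc-web", "0x17", "10.0.0.9"),
    ev("inventory@CORP.EXAMPLE", "svc-backup", "0x17", "10.0.0.9"),
]

def find_candidates(events, min_services=3, allowed=frozenset()):
    """Map requester -> services/sources for accounts that obtained RC4 tickets
    for at least min_services distinct user-backed service accounts."""
    services, sources = defaultdict(set), defaultdict(set)
    for e in events:
        if e.get("EventID") != 4769 or e.get("Status") != "0x0":
            continue  # only successful service ticket requests
        svc = e.get("ServiceName", "").lower()
        if svc.endswith("$") or svc == "krbtgt":
            continue  # machine accounts and krbtgt use long random passwords
        if e.get("TicketEncryptionType", "").lower() != RC4_HMAC:
            continue
        user = e.get("TargetUserName", "").split("@")[0].lower()
        if user in allowed:
            continue  # requesters known to enumerate services legitimately
        services[user].add(svc)
        sources[user].add(e.get("IpAddress", ""))
    return {u: {"services": sorted(s), "sources": sorted(sources[u])}
            for u, s in services.items() if len(s) >= min_services}

if __name__ == "__main__":
    for user, hit in find_candidates(SAMPLE_EVENTS, allowed={"inventory"}).items():
        print(user, hit["services"], hit["sources"])
```

The returned source addresses identify the hosts to examine for Kerberoasting tools, and the returned service names are the accounts whose passwords should be rotated.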
Related MITRE ATT&CK Categories
Lateral Movement, Tactic TA0008 - Enterprise
Brute Force, Technique T1110 - Enterprise
Steal or Forge Kerberos Tickets, Technique T1558 - Enterprise
Updated 4 days ago