Engage Goals: EGO0001 Expose
Engage Approach: EAP0002 Detect
Engage Actions: EAC0002 Network Monitoring, EAC0015 Information Manipulation
Name of Element: Deceptive Kerberos Authentication
Description of Element:
Goal: Detect attackers attempting to exploit Kerberos for privilege escalation or lateral movement.
Approach: Creating deceptive Kerberos services or accounts to lure attackers and monitor their activities.
Deploy fake Kerberos services or configure deceptive service principal names (SPNs) that appear to grant access to sensitive resources or systems. Monitor these for unauthorized access attempts or suspicious Kerberos ticket requests.
Technical Context:
This element requires integration with the Kerberos infrastructure. It can be implemented by creating fake service accounts in Active Directory, deploying decoy Kerberos Key Distribution Centers (KDCs), or manipulating Kerberos configurations. This aligns with the MITRE ATT&CK technique T1558.003 (Steal or Forge Kerberos Tickets: Kerberoasting).
Other:
This element can be combined with deceptive network configurations to make the fake Kerberos services appear more accessible or vulnerable.
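One way to implement the monitoring step described above, shown as an added example that is not part of the original element. It scans Windows Security Event ID 4769 (Kerberos service ticket requested) records for ticket requests that name a decoy service account. The decoy account names, the JSON-lines export format and the sample events are constructed assumptions.

```python
import json

# Assumption: hypothetical decoy service accounts with SPNs registered in AD.
# No legitimate client is ever configured to use them, so any request is suspect.
DECOY_SERVICES = {"svc-sqlbackup", "svc-finance-web"}
RC4_HMAC = "0x17"  # RC4 ticket encryption type, often requested for offline cracking

# Constructed sample: Security log events exported one JSON object per line.
SAMPLE_EVENTS = """\
{"EventID": 4769, "TimeCreated": "2024-05-01T10:02:11Z", "TargetUserName": "alice@CORP.EXAMPLE", "ServiceName": "FILESRV01$", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.4.21", "Status": "0x0"}
{"EventID": 4769, "TimeCreated": "2024-05-01T10:05:43Z", "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "svc-sqlbackup", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.9.77", "Status": "0x0"}
{"EventID": 4768, "TimeCreated": "2024-05-01T10:05:44Z", "TargetUserName": "bob", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.9.77", "Status": "0x0"}
not-json garbage line from a broken export
{"EventID": 4769, "TimeCreated": "2024-05-01T10:05:45Z", "TargetUserName": "bob@CORP.EXAMPLE", "ServiceName": "SVC-Finance-Web", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.9.77", "Status": "0x0"}
"""

def find_decoy_hits(raw_lines, decoys=DECOY_SERVICES):
    """Return one alert per service ticket request (4769) that targets a decoy."""
    decoys_lc = {name.lower() for name in decoys}
    alerts = []
    for line in raw_lines.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if event.get("EventID") != 4769:
            continue  # only service ticket requests are relevant here
        service = str(event.get("ServiceName", ""))
        if service.lower() not in decoys_lc:
            continue  # account names are case-insensitive in AD
        rc4 = str(event.get("TicketEncryptionType", "")).lower() == RC4_HMAC
        alerts.append({
            "time": event.get("TimeCreated"),
            "requester": event.get("TargetUserName"),
            "source_ip": str(event.get("IpAddress", "")).replace("::ffff:", ""),
            "service": service,
            "rc4_requested": rc4,
            # A decoy hit is already high-signal; an RC4 request raises it further.
            "severity": "critical" if rc4 else "high",
        })
    return alerts

if __name__ == "__main__":
    for alert in find_decoy_hits(SAMPLE_EVENTS):
        print(alert)
```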