NOTE: This guide and repository is being actively updated and will reflect information presented at ZeekWeek 2021. Information is missing but will be added soon. Stay tuned.

• Kerberos-haters Guide to Zeek Threat Hunting
• Introduction
• Kerberos Overview
  • Basic Steps
  • Authentication Service (AS)
  • Ticket Granting Service (TGS)
  • Authentication Header (AP)
  • Service Principal Name (SPN)
    • SPN Format
• Where To Start
  • The Logs
  • Example Use Cases & Scenarios
  • Critical Kerberos Events
    • KDC_ERR_PREAUTH_FAILED
    • KDC_ERR_C_PRINCIPAL_UNKNOWN
    • KDC_ERR_CLIENT_REVOKED
    • KDC_ERR_KEY_EXPIRED
    • Weak Ciphers
• Noise Makers
  • Common Events
  • Y2K38 and Weird Timestamps
• Kerberos Event Types
• Kerberos Attacks and Examples
  • Kerberoasting
  • Account Harvesting/Enumerations

Kerberos is an authentication protocol used extensively in many enterprise environments. It is used to verify the identity of a user to a host. Kerberos V5 is the primary authentication protocol for modern Active Directory deployments and can also be used within Unix and Linux infrastructure.

Zeek contains a Kerberos V5 protocol analyzer that exposes how the protocol is being used on networks and is an extremely valuable resource for monitoring and threat hunting within these environments. However, experience has shown that the Kerberos log and analyzer are often underutilized resources for detecting threats.

Kerberos is often misunderstood and can be complicated to implement and maintain. Often new environments use default Kerberos installations with very little tuning or configuration done.

NOTE: The queries and examples shown in this guide are using Zeek 4.0+ versions and/or Corelight. The query examples are using Humio (and therefore, Humio query language). However, the Humio query language is straight-forward and can be easily translated to Elastic, Splunk or your log collection system of choice. None of the Zeek fields have been modified from stock.

If a query is using a Humio aggregation function, that will be explained so an equivalent aggregation can be done on these other platforms.

1. Authentication Service - Request (AS-REQ)
2. Authentication Service - Response (AS-REP)
3. Ticket Granting Service - Request (TGS-REQ)
4. Ticket Granting Service - Response (TGS-REP)
5. Application Server/Authentication Header - Request (AP-REQ)
6. Application Server/Authentication Header - Response (AP-REP)

The client performs the initial authentication (client provided username and password part of AS-REQ) and issues Ticket-Granting-Tickets (TGT) for users in AS-REP (i.e. a ticket that can be used to request Ticket Granting Service(TGS) tickets). Only the KRBTGT service can open and read TGT data. The AS-REQ and AS-REP portion of the Kerberos protocol is detected and analyzed by Zeek. You can find these requests in the request_type field as AS in the kerberos.log log file.

The client now wants to access a Kerberos-enabled resource (such as a file share) on a domain-joined server. The client presents its TGT to the domain controller (KDC) and requests a TGS for a target service (TGS-REQ). If successful, a TGS ticket is enrypted with the target service account password and sent back to the client (TGS-REP).

The TGS-REQ and TGS-REP portion of the Kerberos protocol is detected and analyzed by Zeek. You can find these requests in the request_type field as TGS in the kerberos.log log file. It is this portion of the protocol transaction that you will see Service Principal Name (SPN) data recorded by Zeek (see below).

The client connects to the target server (e.g. file server) and presents the TGS ticket (AP-REQ). If the target server is able to open the ticket using its own service account password, the request is valid and approved. The AP-REP portion of the transaction is optional only used in domains where this is configured.

These messages contain authentication information that should be part of the first message in the authentication transaction to a application server or other Kerberos-enabled service. In Zeek, you will not see these events recorded by default since all of the interesting information in these tickets is encrypted. Events are available in Zeek to use, but additional scripting would be required to expose AP event data.

Another important note: Unless Privilege Attribute Certificate (PAC) validation is enabled in the domain (beyond the scope of this document), the target service will accept the TGS ticket from the client without any additional validation with the domain controller or KDC. This is a source of weakness for attacks such as Kerberoasting. Zeek does not detect or record PAC validation events.

A Service Principal Name (SPN) is used extensively in Kerberos environments to allow clients to uniquely identify instances of services for a given target computer or application service. An SPN always includes the hostname of the target computer on which the service is being offered as well as a Service Class.

SPNs in Zeek are recorded in the service field of the kerberos.log and are a great source of information for monitoring and hunting down all Kerberos-enabled services in your environment, who is using these services and how. In Windows and Active Directory environments, Kerberos-enabled services are plentiful and Kerberos is the default authentication protocol in AD environments.

Format is: serviceclass/host:port servicename

In the SPN, the serviceclass and host fields are mandatory.

A comprehensive lists of known Active Directory SPNs can be found at https://adsecurity.org/?page_id=183 and will not be documented here.

More information on SPNs (including registering and editing) can be found at https://social.technet.microsoft.com/wiki/contents/articles/717.service-principal-names-spn-setspn-syntax.aspx

NOTE: As a reminder, the query examples used in this guide use Humio query syntax. However, the queries are simple and should be easy to convery to your logging tool of choice.

The two request types that you will want to focus on are the AS and TGS Kerberos requests.

#path=kerberos request_type=AS
#path=kerberos request_type=TGS

There are a few key fields in the kerberos.log you will want to pay special attention to:

• error_msg : The Kerberos error message detected in the protocol (if success=false). Reference Kerberos Event Types in this document for a list of those error messages.
• cipher : The encryption cipher used to encrypt the kerberos ticket payloads. Weak ciphers can be easy targets for several Kerberos attacks. Recorded when success=true for TGS events.
• client : Also known as User Principal Name or the username of the requestor. This could either be the account in your Active Directory or some other backend store, such as LDAP. Recorded in both AS and TGS events.
• service : This is the Service Principal Name (SPN). SPNs are identifiers used for accessing services using the service tickets provided by the TGS. SPNs have a particular syntax and are excellent sources of threat hunting information for determining what Kerberos-enabled services are being used on your network and how. Recorded in TGS events.

Related Events: PREAUTH_FAILED

Windows Event IDs: 4771

User principal exists but an invalid password was provided

Recommendations:

Monitor for excessive failures and watch Zeek client and service fields

• Multiple client attempts
• Single client attempts
• Account enumerations (e.g. pattern of KDC_ERR_C_PRINCIPAL_UNKNOWN and KDC_ERR_PREAUTH_FAILED together)

Related Events: CLIENT_NOT_FOUND

Windows Event IDs: 4768

Account/client principal not found in database

Recommendation:

Monitor for excessive unknown events

• Large unknown failures, multiple clients with subsequent KDC_ERR_PREAUTH_REQUIRED
• Account enumerations
• Correlate attacks with KDC_ERR_PREAUTH_FAILED

Related Events: LOCKED OUT, CLIENT_REVOKED Windows Event IDs: 4768, 4769, 4771

Client credentials have been revoked (disabled, expired, locked out)

Recommendations:

Monitor for excessive or sudden revocations:

• Account DoS
• Bruteforcing
• Misconfigured clients or service accounts
• Runaway scripts and jobs
• Logins taking place outside of logon hours. This error is returned by the KDC in AD environments when LogonHours is configured.

Related Events: N/A

Windows Event IDs: 4768, 4769

Client password has expired

Monitor for attempts to use expired credentials

• Misconfigurations
• Service accounts
• Expirations with subsequent, unexpected successes
• Vendor accounts or individuals who have left the organization

Windows Event IDs: 4769, 4770

Various Kerberos attacks take advantage of weaknesses with tickets encrypted with weak ciphers. In particular, the "Kerberoasting" attack involves using a compromised account in the organization to extract service account credentials in the environment without sending any packets to the target service. Service account credentials can be cracked offline by requesting a Kerberos Ticket Granting Service (TGS) ticket for the SPNs registered in the environment. If these tickets are encrypted with weak ciphers and the service account password is weak, offline cracking is possible.

Important points:

• Tickets can be cracked offline without anyone knowing
• Any user authenticated to AD can query for all SPNs in the environment
• Enumeration allows identification of all service accounts supporting and using Kerberos for authentication
• KDC does not track whether the user actually connects to a resource after the TGS has been requested
• AES 128 & 256 encryption became default in Windows Server 2008 and Vista, meaning any modern OS will be encrypting with AES. RC4 and DES requests should be the exception, and sometimes must remain enabled for a application service on a legacy platform not supporting AES.
• Inter-forest Kerberos tickets also use RC4 unless configured to enforce AES. Check your forest trust configurations.

Recommendations:

• Look in Zeek for TGS requests using weak ciphers: [rc4-hmac, rc4-hmac-emp, des-cbc-crc, des-cbc-md5]
• Pay attention to the service field in the TGS request. This will provide the SPN of the application service.
• Ensure service account passwords are longer than 25 characters

Sample Query (Humio)

#path=kerberos request_type=TGS success=true | cipher =~ in(values=["rc4-hmac", "rc4-hmac-emp", "des-cbc-crc", "des-cbc-md5"])

These are Kerberos error events that you may encounter, especially in large environments.

Additional notes about some of the above errors can be found at https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-kerberos-event-logging

If you're not familiar with the Y2K38 problem, refer to this Wikipedia article

On some platforms, there is a bug in the Kerberos library implementation in which clients will request TGS tickets for the maxiumum allowable lifetime until the KDC responds with a valid till. In your logs (and especially in large enviornments), you will see a bizarre timestamp 2037-09-13T02:48:05.000000Z.

This timestamp is often set by clients for TGS requests with a date set far into the future until the KDC completes a TGS-REP with a real expiration time. This date is close to the Y2K38 time limit, which is the limit for 32-bit signed integers still used by operating systems and library implementations for time structures today. The KRB5 implementation in many modern products is still using a 32-bit date structure for Kerberos tickets.

Here is an example kerberos.log event:

{
  "_path": "kerberos",
  "_system_name": “zeek02",
  "_write_ts": "2021-10-12T01:29:17.119252Z",
  "cipher": "aes256-cts-hmac-sha1-96",
  "client": “joey/domain.local",
  "forwardable": true,
  "id.orig_h": "10.25.49.89",
  "id.orig_p": 64514,
  "id.resp_h": "10.11.16.38",
  "id.resp_p": 88,
  "renewable": true,
  "request_type": "TGS",
  "service": "LDAP/AD3.domain.local/domain.local",
  "success": true,
  "till": "2037-09-13T02:48:05.000000Z", <--------- Weird timestamp??
  "ts": "2021-10-12T01:29:17.119252Z",
  "uid": "Cqsvog4izYWRZlrZch"
}

The exact timestamp of 2037-09-13T02:48:05.000000Z (or close to it) is easy to identify and filter in logs. In general, till with the exact above timestamp are safe to ignore and are not indicative of something nefarious. I have often ignored this timestamp in my logs. Be careful however to not ignore other till timestamps with long lifetimes as they can be indicators of an attack (e.g. a ticket lifetime that is beyond your domains configuration standards, such as 10 years).

A great discussion on this topic can be found at zeek/zeek#1112

Additional discussion on this topic can be found in a session presented at DebConf'17 at https://lwn.net/Articles/732794/

This table is provided for reference and similar tables can be found in the links below. This table was included to allow commenting in how these events relate to Zeek monitoring. Briefly, the following fields are:

• Code: This code is often used for determining specific error events in Windows event logs. This code is not exposed in Zeek logs.
• Name: The Kerberos error event string. This string is recorded in Zeek kerberos.log in the error_msg field.
• Description: A brief description of the error (sources from Microsoft article)
• Notes: Notes on the error and additional information as it relates to Zeek or log queries.

4768(S, F): A Kerberos authentication ticket (TGT) was requested.

Kerberos V5 Library Error Codes (MIT)

Kerberos Library Error Codes (Heimdal)

Kerberoasting attack has been detected using valid domain credentials. Adversaries possessing a valid Kerberos ticket-granting ticket (TGT) may request one or more Kerberos ticket-granting service (TGS) service tickets for any SPN from a domain controller (DC). Portions of these tickets may be encrypted with a weak RC4 algorithm, meaning the hash of the service account associated with the SPN is used as the private key and is thus vulnerable to offline Brute Force attacks that may expose plaintext credentials. Some text sourced from T1208 - https://attack.mitre.org/techniques/T1208/

#path=kerberos success=true request_type=TGS !service=/\$/ !client=/\$/ !service=/^krbtgt/
|cipher =~ in(values=["rc4-hmac", "rc4-hmac-emp"])
|splitString(service, by="\/", index=0, as=spn_class)
|groupby(field=[id.orig_h], function=session(maxpause=15m, function=
	[count(service, distinct=true, as=unique_spns),
	count(spn_class, distinct=true, as=spn_classes),
    collect([spn_class], multival=true),
	collect([client]),
	max(@timestamp, as=lts), min(@timestamp, as=fts)]))
|duration := formatTime("%H:%M:%S", field=_duration, locale=en_US, timezone=Z)
|duration_s := formatTime("%s", field=_duration, locale=en_US, timezone=Z)
|first := formatTime("%Y-%m-%d %H:%M:%S", field=fts, locale=en_US, timezone=Z)
|last := formatTime("%Y-%m-%d %H:%M:%S", field=lts, locale=en_US, timezone=Z)
|duration_s <= 300
|unique_spns >= 30
|spn_classes >= 10
|rdns(id.orig_h, as="hostname")
|table([first, last, id.orig_h, hostname, duration, client, unique_spns, spn_classes, spn_class], sortby=unique_spns)

A great resource for a deeper dive into Kerberoasting activity can be found at https://adsecurity.org/?p=3458

Detects when a Kerberos/AD domain user enumeration attack has occurred in a short period of time (more than 100 unique UPN attempts bucketed by 15 minute sessions). These requests are invalid and contain a large number of unknown client principals and client revoked events. Note the detect duration with associated first and last seen timestamps.

#path=kerberos request_type success=false !client=/\$/ !error_msg="KDC_ERR_PREAUTH_REQUIRED"
|groupby(field=id.orig_h, function=session(maxpause=15m, function=
	[count(client, distinct=true, as=unique_upns),
	count(error_msg, distinct=true, as=unique_errors),
	collect([error_msg], multival=true), 
	max(@timestamp, as=lts), min(@timestamp, as=fts)]))
|duration := formatTime("%H:%M:%S", field=_duration, locale=en_US, timezone=Z)
|duration_s := formatTime("%s", field=_duration, locale=en_US, timezone=Z)
|first := formatTime("%Y-%m-%d %H:%M:%S", field=fts, locale=en_US, timezone=Z)
|last := formatTime("%Y-%m-%d %H:%M:%S", field=lts, locale=en_US, timezone=Z)
|unique_upns >= 100
|duration_s <= 300
|replace("\s+", with=", ", field=error_msg, as=errors)
|rdns(id.orig_h, as="hostname")
|table([first, last, id.orig_h, hostname, duration, client, unique_upns, unique_errors, errors], sortby=unique_upns)

More to come