Detecting Kerberoasting activity using Azure Security Centre

Moti Bani February 23, 2018


Kerberoasting, a term coined by Tim Medin, is a privilege escalation technique which proves to be very effective in extracting service account credentials in a domain environment. A service account is a standard user account that has been configured with the specific task of running a service or scheduled task.

Many organisations use service accounts with weak passwords that never expire, and these accounts usually enjoy excessive privileges (local administrator or domain administrator). Last but not least, actions taken by service accounts are not sufficiently audited in most environments.

If you’re new to Kerberoasting and want to learn more, I recommend any of the following resources:

Kerberoasting Detection

So how do you detect Kerberoasting activity in your network? Enabling “Audit Kerberos Service Ticket Operations” in the advanced audit policy makes the Domain Controllers log TGS requests.

That alone is not enough: detecting Kerberoasting is challenging because service tickets are requested all the time as users access resources in the domain. Sean Metcalf did some research and found that Kerberoasting activity has some unique indicators we can leverage:

  • Excessive requests to different resources within a small time difference (a second or two)
  • Kerberos TGS service tickets requested with RC4 encryption (Type 0x17)

By collecting and analysing security events in Azure Security Centre, you can detect these attacks. To enable these detections, you must:

  1. Have an Azure subscription with Azure Security Centre enabled for the domain controllers
  2. Enable collection of security event data in your Log Analytics workspace
  3. Define custom alerts in Security Centre
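As an added illustration (not from the original post, and not Security Centre's own logic), the following Python script applies both indicators above to a constructed batch of event 4769 records, the event the audit policy above produces, shaped like rows of the Log Analytics SecurityEvent table. The account names, SPN names, the 60-second window and the three-service threshold are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows Security event 4769 (Kerberos service ticket
# requested) records, shaped like rows of the Log Analytics SecurityEvent table:
# (TimeGenerated, TargetUserName, ServiceName, TicketEncryptionType).
# 0x17 = RC4-HMAC, 0x12 = AES256-CTS-HMAC-SHA1-96. All names are made up.
SAMPLE_EVENTS = [
    ("2018-02-23T10:00:01", "alice@CORP.LOCAL", "svc_sql",  "0x17"),  # burst of RC4
    ("2018-02-23T10:00:02", "alice@CORP.LOCAL", "svc_iis",  "0x17"),  # requests to
    ("2018-02-23T10:00:02", "alice@CORP.LOCAL", "svc_bak",  "0x17"),  # many SPNs
    ("2018-02-23T10:00:03", "alice@CORP.LOCAL", "svc_sccm", "0x17"),
    ("2018-02-23T10:05:00", "bob@CORP.LOCAL",   "svc_sql",  "0x17"),  # single legacy RC4
    ("2018-02-23T10:06:00", "carol@CORP.LOCAL", "svc_sql",  "0x12"),  # normal AES burst
    ("2018-02-23T10:06:01", "carol@CORP.LOCAL", "svc_iis",  "0x12"),
    ("2018-02-23T10:06:01", "carol@CORP.LOCAL", "svc_bak",  "0x12"),
    ("2018-02-23T10:07:00", "dave@CORP.LOCAL",  "svc_sql",  "0x17"),  # RC4, but spread
    ("2018-02-23T10:20:00", "dave@CORP.LOCAL",  "svc_iis",  "0x17"),  # over 30+ minutes
    ("2018-02-23T10:40:00", "dave@CORP.LOCAL",  "svc_bak",  "0x17"),
]

RC4_HMAC = 0x17  # TicketEncryptionType value for RC4-HMAC


def kerberoast_candidates(events, window=timedelta(seconds=60), min_services=3):
    """Return {account: sorted services} for every account that requested RC4
    TGS tickets for at least `min_services` distinct services within `window`.
    Both indicators must hold: AES bursts and isolated RC4 requests are ignored."""
    rc4_requests = defaultdict(list)
    for time_generated, account, service, etype in events:
        if int(etype, 16) != RC4_HMAC:
            continue
        rc4_requests[account].append((datetime.fromisoformat(time_generated), service))

    hits = {}
    for account, requests in rc4_requests.items():
        requests.sort()  # chronological order
        # Slide a window starting at each RC4 request and count distinct SPNs in it.
        for i, (start, _) in enumerate(requests):
            burst = {svc for ts, svc in requests[i:] if ts - start <= window}
            if len(burst) >= min_services:
                hits[account] = sorted(burst)
                break
    return hits


if __name__ == "__main__":
    for account, services in kerberoast_candidates(SAMPLE_EVENTS).items():
        print(f"possible Kerberoasting by {account}: {', '.join(services)}")
```

Tune the window and threshold to your environment; the same grouping (account, encryption type, distinct services per time bucket) is what a custom alert query over the SecurityEvent table would express.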

Azure Security Centre provides advanced threat protection across hybrid cloud workloads. Among other features, such as security assessments and threat intelligence, customers can use data collection, search, and analysis across both cloud and on-premises resources.

The ability to detect advanced attacks is certainly valuable. However, the easiest way to prevent these attacks is to simply use secure practices for handling service accounts:

  • Use long, complex passwords for service accounts, and rotate them frequently
  • A better option, if feasible, is to use Group Managed Service Accounts – random, complex passwords that Active Directory rotates automatically

Contact Tests Technologies today to discuss options for securing your IT Systems with Microsoft Azure Security Centre.
