RP0002: Domain user enumeration attack using the Kerberos protocol without a domain account
Summary
ID | RP0002 |
---|---|
Brief Description | Response playbook for a domain user enumeration attack using the Kerberos protocol without a domain account |
Author | @ERMACK_COMMUNITY |
Creation Date | 2023/03/12 |
Modification Date | 2023/03/14 |
Tags | |
Usecases | |
Description
Attackers may use this technique to enumerate domain users without holding a domain account. Successfully enumerated users are likely to be attacked next, such as by password spraying or other
Workflow
- Identification stage: find the host or hosts from which the attack is being carried out. Candidates are hosts with suspicious external network connections or attacker footprints (such as attack tools), and IP addresses that send many KRB_AS_REQ messages without pre-authentication, using usernames that are atypical for that IP address or that do not exist in the domain.
- Identification stage: find the domain account usernames that were successfully enumerated. These are the usernames for which the Authentication Service returned a KDC_ERR_PREAUTH_REQUIRED message (for non-existent names the KDC returns KDC_ERR_C_PRINCIPAL_UNKNOWN instead, which is what lets an attacker tell the two apart).
- Once the successfully enumerated users have been found, put those accounts on monitoring.
- Once the compromised hosts have been found, go to the Compromised Host response playbook.
- Save the timestamps of all actions taken in the Incident Report draft as you go; it will save a lot of time.
Response discovery mapping
ARTIFACT | RESPONSE ACTION | RESPONSE ACTION OBSERVABLES |
---|---|---|
Domain account username | Find the usernames for which the Authentication Service returned a KDC_ERR_PREAUTH_REQUIRED message. Check that these accounts have not been compromised | Enumerated usernames |
Host | Look for hosts with suspicious activity (attack tools used to carry out the attack, or suspicious external network connections) and go to the Compromised Host response playbook | Host from which the attack is (potentially) being carried out |
IP Address | Look for IP addresses with suspicious network activity (KRB_AS_REQ messages without pre-authentication, with usernames that are atypical for that IP address or that do not exist) and go to the Compromised Host response playbook | IP address from which the attack is (potentially) being carried out |
Kerberos network traffic | Look for a suspiciously large number of KRB_AS_REQ messages without pre-authentication and of KDC_ERR_C_PRINCIPAL_UNKNOWN responses. Identify the host that sends these messages and go to the Compromised Host response playbook | IP address from which the attack is (potentially) being carried out |
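The identification steps in the Workflow and the mapping table above, as an added triage example that is not part of the ERMACK playbook: it runs over constructed AS-REQ records (a simplified key=value form of the fields a KDC or Windows event 4768 logs: client address, account name, pre-authentication type, result code), flags sources that send many requests without pre-authentication and probe non-existent names, and lists the usernames the KDC confirmed to those sources. The record format and threshold values are assumptions for the example.

```python
# Added example (not part of the ERMACK playbook): triage constructed Kerberos
# AS-REQ records to find enumeration sources and successfully enumerated users.
from collections import defaultdict

# Kerberos KDC error codes (RFC 4120, section 7.5.9); the same numeric values
# appear as the "Result Code" of Windows event 4768.
KDC_ERR_C_PRINCIPAL_UNKNOWN = 0x6   # username does not exist
KDC_ERR_PREAUTH_REQUIRED = 0x19     # username exists, pre-auth needed

# Constructed sample records, one AS-REQ each (preauth=0 means no pre-auth sent).
SAMPLE_RECORDS = """\
src=10.0.0.50 user=alice preauth=2 result=0x0
src=10.0.0.77 user=admin preauth=0 result=0x19
src=10.0.0.77 user=administrator preauth=0 result=0x19
src=10.0.0.77 user=asmith preauth=0 result=0x6
src=10.0.0.77 user=bjones preauth=0 result=0x6
src=10.0.0.77 user=svc_backup preauth=0 result=0x19
src=10.0.0.77 user=test preauth=0 result=0x6
src=10.0.0.50 user=alice preauth=2 result=0x0
src=10.0.0.51 user=bob preauth=0 result=0x19
""".splitlines()

def parse_record(line):
    """Parse one key=value record into a dict; the result code is hex."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["preauth"] = int(fields["preauth"])
    fields["result"] = int(fields["result"], 16)
    return fields

def triage(lines, min_requests=5, min_unknown_ratio=0.3):
    """Return (suspect_ips, enumerated_users).

    A source is suspect when it sends at least min_requests AS-REQs without
    pre-authentication and at least min_unknown_ratio of them name accounts
    the KDC does not know. enumerated_users holds the names the KDC confirmed
    (KDC_ERR_PREAUTH_REQUIRED) to each suspect; put those on monitoring.
    """
    no_preauth = defaultdict(list)
    for rec in map(parse_record, lines):
        if rec["preauth"] == 0:
            no_preauth[rec["src"]].append(rec)
    suspects, enumerated = {}, defaultdict(set)
    for src, recs in no_preauth.items():
        unknown = sum(r["result"] == KDC_ERR_C_PRINCIPAL_UNKNOWN for r in recs)
        if len(recs) >= min_requests and unknown / len(recs) >= min_unknown_ratio:
            suspects[src] = {"requests": len(recs), "unknown": unknown}
            for r in recs:
                if r["result"] == KDC_ERR_PREAUTH_REQUIRED:
                    enumerated[src].add(r["user"])
    return suspects, {s: sorted(u) for s, u in enumerated.items()}
```

A single pre-auth-less request from 10.0.0.51 stays below the threshold, so one failed request from a misconfigured client does not trigger the playbook on its own.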
Playbook Actions
Preparation
Operational Preparations
Access Internal Network Flow Logs
Access Internal Packet Capture Data
Get Ability To Block Internal Ip Address
Get Ability To Block Internal Url
Get Ability To Block User Internal Communication
Get Ability To Find Data Transferred By Content Pattern
Get Ability To List Data Transferred
Get Ability To Collect Transferred Data
Get Ability To Identify Transferred Data
Identification
[Unimplemented] RA_2004_find_compromised_host
Find successfully enumerated users
Put Compromised Accounts On Monitoring
Containment
[Unimplemented] RP_1005_compromised_host
Lessons Learned
Develop Incident Report
Conduct Lessons Learned Exercise