
312-50v13 Exam - Question 101


A malicious user has acquired a Ticket Granting Service from the domain controller using a valid user's Ticket Granting Ticket in a Kerberoasting attack. He extracted the TGS tickets from memory for offline cracking. But the attacker was stopped before he could complete his attack. The system administrator needs to investigate and remediate the potential breach. What should be the immediate step the system administrator takes?

Correct Answer:

Discussion

NikoTomas Option: C
Mar 16, 2025

Correct is C:

• As the attacker already extracted the TGS ticket from memory, the attack continues as follows:
  1. Perform Offline Brute-Force on the Ticket
     • Since the TGS ticket is encrypted with the service account’s NTLM hash, the attacker cracks it offline using Hashcat or John the Ripper.
  2. Obtain the Service Account’s Cleartext Password
     • Once cracked, the attacker can authenticate as the service account, potentially escalating to domain admin.
• So the password of the service account (which are usually the targets of this attack) is the main goal of the attacker.
• We need to change the NTLM password (i.e. account password... which also changes the NTLM hash as it is derived from the password) to avoid the attacker accessing the service account with the password from the cracked NTLM hash, which he/she already has.

NikoTomas
Mar 16, 2025

Incorrect:

A) and D) – It’s too late for clearing the memory (A) and invalidating the TGS ticket (D) as the attacker already has the TGS ticket containing the service account’s NTLM hash.

B) – Delete compromised USER account – INCORRECT as the compromised USER account is not the target of this attack (it usually has low privileges, so the attacker is looking for service accounts with higher privileges). The USER account has already been compromised (i.e. the attacker already has credentials) and utilized it for obtaining the TGS of a service account with higher privileges.

Gibsomd Option: C
Mar 16, 2025

A Kerberoasting attack involves an attacker obtaining a Ticket Granting Service (TGS) ticket from memory and attempting to crack it offline to extract the service account’s password hash. Since the attacker was stopped before completing the attack, the immediate remediation step should focus on preventing further exploitation.

mulekule Option: D
Apr 12, 2025

D. Invalidate the TGS the attacker acquired. By invalidating the Ticket Granting Service (TGS) tickets, the system administrator ensures that the attacker cannot use the stolen tickets for further malicious activities. This action effectively renders the stolen tickets useless, even if the attacker attempts to crack them offline later.

msrkntk Option: D
May 2, 2025

A Kerberoasting attack is a technique that exploits the Kerberos authentication protocol to obtain the password hash of a service account that has a Service Principal Name (SPN). An attacker can request a service ticket (TGS) for the SPN using a valid user's ticket (TGT) and then attempt to crack the password hash offline. To prevent the attacker from using the TGS to access the service, the system administrator should invalidate the TGS as soon as possible. This can be done by changing the password of the service account, which will generate a new password hash and render the old TGS useless. Alternatively, the system administrator can use tools like Mimikatz to purge the TGS from the memory of the domain controller or the client system.
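
One way an administrator could carry out and verify the service account password change that the comments above discuss, as an added example that is not part of the original thread. The account name `svc-example` and the incident time are placeholders, and the script assumes the ActiveDirectory (RSAT) module and rights to reset the account.

```powershell
# Added example (not from the original page). Requires the ActiveDirectory module (RSAT).
param(
    # Hypothetical account name; use the service account whose TGS was requested.
    [string]$ServiceAccount = 'svc-example',
    # Constructed placeholder; use the time of the ticket requests from your investigation.
    [datetime]$IncidentTime = '2025-01-01T00:00:00'
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Reset the password of the account whose ticket was taken. The ticket is
#    encrypted with a key derived from this password, so after the reset a
#    password cracked from the old ticket no longer authenticates.
$before = Get-ADUser -Identity $ServiceAccount -Properties PasswordLastSet, ServicePrincipalName
$newPassword = Read-Host -AsSecureString "New password for $($before.SamAccountName)"
Set-ADAccountPassword -Identity $before -Reset -NewPassword $newPassword

# 2. Confirm the directory recorded the change.
$after = Get-ADUser -Identity $ServiceAccount -Properties PasswordLastSet
if ($after.PasswordLastSet -le $IncidentTime) {
    throw "Password of $ServiceAccount was not updated (PasswordLastSet = $($after.PasswordLastSet))"
}
"{0}: password reset at {1}; update the services using SPN(s): {2}" -f `
    $after.SamAccountName, $after.PasswordLastSet, ($before.ServicePrincipalName -join ', ')

# 3. Any authenticated user can request a TGS for any SPN, so list the other
#    user accounts with an SPN whose password predates the incident for review.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
    Where-Object {
        $_.SamAccountName -notin @('krbtgt', $ServiceAccount) -and
        $_.PasswordLastSet -lt $IncidentTime
    } |
    Sort-Object PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
        @{ Name = 'SPNs'; Expression = { $_.ServicePrincipalName -join ', ' } }
```

The new password also has to be entered wherever the service is configured to log on with this account, otherwise the service stops authenticating after the reset.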