Defending the Three Headed Relay

Introduction

Kerberos Relay Explained

Potential Attack Paths with Kerberos Relay

  1. The protocol used to trigger the authentication from the victim client:
     • IPSec and AuthIP
     • MSRPC
     • DCOM
     • HTTP
     • LLMNR
     • mDNS
  2. The protocol used by the service the authentication is being relayed to:
     • LDAP/LDAPS
     • HTTP
     • SMB

Detecting Kerberos Relay

  • Gain access to a domain user
  • Compromise/obtain a foothold on a box
  • Run an LDAP query for reconnaissance
  • Escalate to a local administrator/High IL
  • Kerberoast
  • Dump LSASS
  • Access Token Impersonation
  • Log on as user
  • Impersonate user

Detection Queries

  • Initial domain user foothold (No detection added as there are so many options)
  • LDAP queries to identify potential SPNs available
  • Computer account added via LDAP (Using Microsoft Defender for Endpoint DeviceEvents)
DeviceEvents
| where ActionType contains "LdapSearch" and (InitiatingProcessParentFileName !has ("services.exe") or InitiatingProcessAccountName !in ("local service", "system"))
| extend SearchFilter= extractjson("$.SearchFilter", AdditionalFields)
| where SearchFilter contains "sAMAccountName" and SearchFilter contains "$"
| summarize count() by Timestamp, InitiatingProcessAccountName, InitiatingProcessParentFileName, InitiatingProcessFileName, SearchFilter, InitiatingProcessCommandLine, AdditionalFields, InitiatingProcessLogonId
  • Computer Account added via Splunk and Windows Security Event ID 4741:
index=windows sourcetype=Security EventCode=4741 AND SAM_Account_Name = "*$"
index=windows (EventCode=4741 MSADChangedAttributes=*(*HOST/*) AND *(*RestrictedKrbHost/*) New_UAC_Value=0x80) OR (EventCode=4673 Privileges=SeMachineAccountPrivilege)
| eventstats values(Process_Name),values(Privileges),values(EventCode) as EventCode by Logon_ID
| search EventCode=4741
| rex field=_raw "(Message=(?<Message>[a-zA-Z ].*))"
| eval datetime=strftime(_time, "%m-%d-%Y %H:%M:%S.%Q")
| stats count values(datetime),values(Process_Name),values(Privileges),values(EventCode),values(MSADChangedAttributes),values(Message),values(Account_Domain),values(Security_ID),values(SAM_Account_Name),values(DNS_Host_Name) by Logon_ID
| search count >=2
| rename values(*) as *
| eval Effecting_Account=mvindex(Security_ID,1)
| eval New_Computer_Account_Name=mvindex(Security_ID,0)
| table datetime,Account_Domain,Effecting_Account,Logon_ID,New_Computer_Account_Name,DNS_Host_Name,Message,MSADChangedAttributes,Process_Name,Privileges,EventCode
  • DCOM Server connection with TCP connection to localhost (Using Splunk and Windows Security Event ID 5156):
index=windows sourcetype=Security EventCode=5156 Direction=Inbound AND Source_Address=::1 AND Destination_Address=::1 AND Process_ID !=4 AND Protocol=6
  • RBCD Exploitation (Using Splunk and Windows Security Event ID 5136/4768/4769):
index=windows sourcetype="Security" ((EventCode=5136 AND "msDS-AllowedToActOnBehalfOfOtherIdentity") AND (Type="Value Added" OR Type="Value Deleted")) OR EventCode=4768 OR EventCode=4769
| eval alt_type=mvindex(Type,2)
| eval datetime=strftime(_time, "%m-%d-%Y %H:%M:%S.%Q")
| bucket _time span=11m
| stats dc(EventCode) as eventcodes,values(EventCode),values(datetime),values(LDAP_Display_Name),values(host),values(Account_Domain),values(Client_Address),values(Service_Name),values(Service_ID),values(Ticket_Options),values(Class),values(Ticket_Encryption_Type),values(alt_type) by _time
| rename values(*) as *
| where eventcodes >=3
| table _time,datetime,host,Account_Domain,Client_Address,Service_Name,Service_ID,Ticket_Options,Ticket_Encryption_Type,Class,LDAP_Display_Name,alt_type,EventCode,eventcodes
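The two Splunk correlations above (computer account creation joined to SeMachineAccountPrivilege use by Logon_ID, and the RBCD 5136/4768/4769 events inside one 11-minute window) re-implemented in Python as an added example; this is not the article's own query or tooling. It generalizes both searches to a single group-and-require routine; the field names come from the queries above, and the events are constructed.

```python
"""Added example: the Splunk 4741+4673 and 5136/4768/4769 correlations as one generic routine."""
from collections import defaultdict
from datetime import datetime, timedelta

RBCD_ATTR = "msDS-AllowedToActOnBehalfOfOtherIdentity"
EPOCH = datetime(1970, 1, 1)  # Splunk's bucket command aligns spans to the Unix epoch

def correlate(events, key_fn, conditions):
    """Group events by key_fn; keep groups in which every condition matches
    at least one event (the equivalent of stats ... by key | where ...)."""
    groups = defaultdict(list)
    for ev in events:
        groups[key_fn(ev)].append(ev)
    return {k: evs for k, evs in groups.items()
            if all(any(cond(e) for e in evs) for cond in conditions)}

def computer_account_by_logon(events):
    """4741 (computer account created) plus 4673 (SeMachineAccountPrivilege used)
    in the same logon session: a machine account added through the MAQ privilege."""
    return correlate(events, lambda e: e["Logon_ID"], [
        lambda e: e["EventCode"] == 4741 and e.get("SAM_Account_Name", "").endswith("$"),
        lambda e: e["EventCode"] == 4673 and e.get("Privileges") == "SeMachineAccountPrivilege",
    ])

def rbcd_by_window(events, span=timedelta(minutes=11)):
    """RBCD attribute written (5136) and a TGT (4768) plus service ticket (4769)
    requested inside the same span, mirroring dc(EventCode) >= 3 in the search."""
    def bucket(e):  # start of the 11-minute window containing the event
        return EPOCH + span * ((e["_time"] - EPOCH) // span)
    return correlate(events, bucket, [
        lambda e: e["EventCode"] == 5136 and e.get("LDAP_Display_Name") == RBCD_ATTR,
        lambda e: e["EventCode"] == 4768,
        lambda e: e["EventCode"] == 4769,
    ])

# Constructed sample events, not real telemetry. T falls on an 11-minute boundary.
T = datetime(2022, 1, 10, 9, 4, 0)
SAMPLE = [
    {"_time": T, "EventCode": 4673, "Logon_ID": "0x3E7A1", "Privileges": "SeMachineAccountPrivilege"},
    {"_time": T + timedelta(seconds=2), "EventCode": 4741, "Logon_ID": "0x3E7A1", "SAM_Account_Name": "WKS-NEW01$"},
    {"_time": T + timedelta(minutes=3), "EventCode": 5136, "Logon_ID": "0x3E7A1", "LDAP_Display_Name": RBCD_ATTR},
    {"_time": T + timedelta(minutes=4), "EventCode": 4768, "Logon_ID": "0x3E7A1"},
    {"_time": T + timedelta(minutes=5), "EventCode": 4769, "Logon_ID": "0x3E7A1"},
    # A routine join: 4741 with no 4673 in the same session, so it is not flagged.
    {"_time": T + timedelta(hours=2), "EventCode": 4741, "Logon_ID": "0x5B200", "SAM_Account_Name": "SRV-OK02$"},
]

if __name__ == "__main__":
    print("MAQ sessions:", list(computer_account_by_logon(SAMPLE)), "RBCD windows:", list(rbcd_by_window(SAMPLE)))
```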

Mitigations

  1. Limit the MAQ (ms-DS-MachineAccountQuota) attribute and/or restrict SeMachineAccountPrivilege to a specific group rather than Authenticated Users
  2. Extended Protection for Authentication (EPA), protocol signing/sealing and channel binding
  3. Disable mDNS/LLMNR
  4. Require authenticated IPsec/IKEv2
  5. Disable NTLM

Conclusion

References

Jonathan Johnson

Sr. Threat Researcher @ RedCanary