Secure Bits
Do you know how Kerberoasting works?
If you manage Active Directory, you absolutely should, because any domain user can perform it.
As the name implies, the attack targets the Kerberos authentication protocol.
Whenever an account has a Service Principal Name (SPN) (like HOST/SERVER01), you can request a TGS ticket for it. This ticket is partially encrypted using the password of the account tied to that SPN.
That TGS ticket you just requested?
➡️ You're now holding a blob of data that's encrypted with someone else's password (a key derived from the password). If that password is weak, you can start brute-forcing it offline. That's Kerberoasting.
And in many environments?
It's a 10-year-old service account, still active, part of Domain Admins, with a weak password.
That's a direct privilege escalation path from standard user to full domain control.
What can you do?
✅ Use MSA/gMSA/DMSA wherever possible.
✅ Avoid standard user accounts for services.
If you really need to use a standard user account (it happens, I know):
✅ Apply Fine-Grained Password Policies: for example, in the Czech Republic, the law requires technical accounts to have complex 22+ character passwords.
✅ Authentication Policies – I will explain these in the future.
Want to dive deeper into Kerberos?
I cover it in my Kerberos course, which is 100% free and part of my Academy.
How do you secure your service accounts? Are you aware of all of them?
