CAPEC-645
Use of Captured Tickets (Pass The Ticket)
Bas
Haute
Stable
2018-07-31
00h00 +00:00
00h00 +00:00
2020-07-30
00h00 +00:00
00h00 +00:00
Alerte pour un CAPEC
Restez informé de toutes modifications pour un CAPEC spécifique.
Descriptions du CAPEC
An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.
Informations du CAPEC
Conditions préalables
The adversary needs physical access to the victim system.The use of a third-party credential harvesting tool.
Compétences requises
Determine if Kerberos authentication is used on the server.The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.
Atténuations
Reset the built-in KRBTGT account password twice to invalidate the existence of any current Golden Tickets and any tickets derived from them.Monitor system and domain logs for abnormal access.
Faiblesses connexes
| Nom de la faiblesse | |
|---|---|
CWE-522 |
Insufficiently Protected Credentials The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
CWE-294 |
Authentication Bypass by Capture-replay A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
CWE-308 |
Use of Single-factor Authentication The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. |
Références
REF-584
BRONZE BUTLER Targets Japanese Enterpriseshttps://www.secureworks.com/research/bronze-butler-targets-japanese-businesses
Soumission
| Nom | Organisation | Date | Date de publication |
|---|---|---|---|
| CAPEC Content Team |
Modifications
| Nom | Organisation | Date | Commentaire |
|---|---|---|---|
| CAPEC Content Team | The MITRE Corporation | Updated Description, Example_Instances, References, Related_Attack_Patterns, Related_Weaknesses, Taxonomy_Mappings |
Les informations affichées sur CVE Find proviennent de plusieurs sources de référence rigoureusement sélectionnées. Les données CVE sont fournies par MITRE Corporation et la National Vulnerability Database (NVD). Le catalogue des vulnérabilités activement exploitées (KEV) provient de la Cybersecurity and Infrastructure Security Agency (CISA), tandis que les scores EPSS sont issus de FIRST.org. Enfin, les données relatives aux faiblesses logicielles (CWE) et aux schémas d'attaque courants (CAPEC)
sont maintenues par MITRE Corporation, et les informations sur les configurations
logicielles et matérielles (CPE) proviennent du NVD.