Active Directory Kerberoasting Attack: Monitoring and Detection Techniques

Lukáš Kotlaba, Simona Buchovecká, Róbert Lórencz

2020

Abstract

The paper focus is the detection of Kerberoasting attack in Active Directory environment. The purpose of the attack is to extract service accounts’ passwords without need for any special user access rights or privilege escalation, which makes it suitable for initial phases of network compromise and further pivot for more interesting accounts. The main goal of the paper is to discuss the monitoring possibilities, setting up detection rules built on top of native Active Directory auditing capabilities, including possible ways to minimize false positive alerts.

Download


Paper Citation


in Harvard Style

Kotlaba L., Buchovecká S. and Lórencz R. (2020). Active Directory Kerberoasting Attack: Monitoring and Detection Techniques. In Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP, ISBN 978-989-758-399-5, pages 432-439. DOI: 10.5220/0008955004320439


in Bibtex Style

@conference{icissp20,
author={Lukáš Kotlaba and Simona Buchovecká and Róbert Lórencz},
title={Active Directory Kerberoasting Attack: Monitoring and Detection Techniques},
booktitle={Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,},
year={2020},
pages={432-439},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0008955004320439},
isbn={978-989-758-399-5},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 6th International Conference on Information Systems Security and Privacy - Volume 1: ICISSP,
TI - Active Directory Kerberoasting Attack: Monitoring and Detection Techniques
SN - 978-989-758-399-5
AU - Kotlaba L.
AU - Buchovecká S.
AU - Lórencz R.
PY - 2020
SP - 432
EP - 439
DO - 10.5220/0008955004320439