Triggers
- A Kerberos client attempts a suspicious amount of authentication requests using a large number of user accounts with many of them failing as a result of non-existent accounts
Possible Root Causes
- The internal Kerberos client is part of targeted attack which aims to spread horizontally within the network by first discovering the existence of user accounts and then stealing the account’s credentials or Kerberos tickets
- A client is initiating a large number of authentication attempts with many of them failing
Business Impact
- An account scan to a Kerberos or Active Directory server is an effective way for an attacker to determine what accounts are available inside an organization’s network
- Reconnaissance within a network is a precursor to active attacks which ultimately exposes an organization to substantial risk of data acquisition and exfiltration
- This form of reconnaissance is often a lot less noticeable than a port sweep or a port scan so attackers feel they can use it with relatively little risk of detection
Steps to Verify
- Examine the Kerberos or Active Directory server logs for a more detailed view of activity by this host
- Inquire whether the host should be utilizing the user accounts listed in the detection
- Verify that the host on which authentication is attempted is not a shared resource as this could generate a sufficient variety of authentications to resemble an account scan