Credential theft and reuse attacks continue to be top of mind for many of the CISOs I have talked to recently. We have discussed this topic several times in the past:
Although pass-the-hash credential theft and reuse attacks aren’t new, more recently security researchers have been focusing on attack methods for Kerberos authentication. Kerberos authentication is achieved by the use of tickets enciphered with a symmetric key derived from the password of the server or service to which access is requested. To request such a session ticket, a special ticket, called the Ticket Granting Ticket (TGT) must be presented to the Kerberos service. The TGT is enciphered with a key derived from the password of the krbtgt account, which is known only by the Kerberos service[i].
A stolen krbtgt account password can wreak havoc on an organization because it can be used to impersonate authentication throughout the organization thereby giving an attacker access to sensitive data.
One way to help mitigate the risk of a bad actor using a compromised krbtgt key to forge user tickets is by periodically resetting the krbtgt account password. Resetting this password on a regular basis reduces the useful lifetime of krbtgt keys, in case one or more of them is compromised.
Today we are sharing the krbtgt account password reset script and associated guidance that will enable customers to interactively reset and validate replication of the krbtgt account keys on all writable domain controllers in the domain. By providing this script and associated guidance, we hope to help customers perform the reset in a way which reduces the likelihood of authentication errors caused by delayed distribution of the new krbtgt account keys in their environment.
The Reset-KrbtgtKeyInteractive-v1.4 enables customers to:
- Perform a single reset of the krbtgt account password (it can be run multiple times for subsequent resets).
- Validate that all writable DC’s in the domain have replicated the keys derived from the new password, so they are able to begin using the new keys.
The krbtgt account password reset script guide includes detailed information on how to use the reset script and its three modes- Informational, Estimation Mode, and Reset and offers:
- A step-by-step list of tasks associated with performing the krbtgt account password reset.
- Information for customers wishing to invalidate all existing TGTs by performing a double reset of the krbtgt account secret during a comprehensive Active Directory recovery.
We’ve also provided a detailed guide which helps system administrators understand the required tasks, impact to the organization, schedule and timeline, and other considerations. Together, this combination covers necessary tasks, tests, and validations that should be performed before and after the reset.
It is important to remember that resetting the krbtgt is only one part of a recovery strategy and alone will likely not prevent a previously successful attacker from obtaining unauthorized access to a compromised environment in the future. We strongly advise that customers create a comprehensive recovery plan using guidance found in the Mitigating Pass-the-Hash and Other Credential Theft, version 2.
[i] https://technet.microsoft.com/en-us/library/cc733924(v=ws.10).aspx