Kerberoasting - T1558.003
(ATT&CK® Technique)
Definition
Service Principal Name (SPN) scanning is one way to gather hashes; the scanning results in RPC calls conforming to the NSPI protocol, which is why RPC network traffic appears among the related artifacts below.
D3FEND Inferred Relationships
Browse the D3FEND knowledge graph by clicking on the nodes below.
%% D3FEND inferred-relationship graph for ATT&CK T1558.003 (Kerberoasting).
%% Solid edges: what a technique does to an artifact. Dotted edges: the
%% relationship to the offensive technique that D3FEND infers from the shared
%% artifact.
%% NOTE(review): every "may-*" edge is an inference through a shared artifact,
%% not a validated detection or mitigation. Confirm each countermeasure against
%% your own telemetry and Kerberos configuration before relying on it.
graph LR;

  %% --- Offensive technique and the artifacts it touches ---
  T1558003["Kerberoasting"] --> |may-produce| RPCNetworkTraffic["RPC Network Traffic"];
  class T1558003 OffensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click RPCNetworkTraffic href "/dao/artifact/d3f:RPCNetworkTraffic";
  click T1558003 href "/offensive-technique/attack/T1558.003/";
  click RPCNetworkTraffic href "/dao/artifact/d3f:RPCNetworkTraffic";

  T1558003["Kerberoasting"] --> |may-access| KerberosTicket["Kerberos Ticket"];
  class T1558003 OffensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click KerberosTicket href "/dao/artifact/d3f:KerberosTicket";
  click T1558003 href "/offensive-technique/attack/T1558.003/";
  click KerberosTicket href "/dao/artifact/d3f:KerberosTicket";

  T1558003["Kerberoasting"] --> |may-create| KerberosTicket["Kerberos Ticket"];
  class T1558003 OffensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click KerberosTicket href "/dao/artifact/d3f:KerberosTicket";
  click T1558003 href "/offensive-technique/attack/T1558.003/";
  click KerberosTicket href "/dao/artifact/d3f:KerberosTicket";

  %% --- Detection techniques that analyze RPC Network Traffic (may-detect) ---
  %% NOTE(review): these are linked only because the technique may produce RPC
  %% traffic; some (e.g. remote terminal session or geolocation analysis) look
  %% only loosely related to SPN enumeration. Verify relevance.
  NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] --> | analyzes | RPCNetworkTraffic["RPC Network Traffic"];
  NetworkTrafficCommunityDeviation["Network Traffic Community Deviation"] -.-> | may-detect | T1558003["Kerberoasting"] ;
  class NetworkTrafficCommunityDeviation DefensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click NetworkTrafficCommunityDeviation href "/technique/d3f:NetworkTrafficCommunityDeviation";

  RemoteTerminalSessionDetection["Remote Terminal Session Detection"] --> | analyzes | RPCNetworkTraffic["RPC Network Traffic"];
  RemoteTerminalSessionDetection["Remote Terminal Session Detection"] -.-> | may-detect | T1558003["Kerberoasting"] ;
  class RemoteTerminalSessionDetection DefensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click RemoteTerminalSessionDetection href "/technique/d3f:RemoteTerminalSessionDetection";

  RPCTrafficAnalysis["RPC Traffic Analysis"] --> | analyzes | RPCNetworkTraffic["RPC Network Traffic"];
  RPCTrafficAnalysis["RPC Traffic Analysis"] -.-> | may-detect | T1558003["Kerberoasting"] ;
  class RPCTrafficAnalysis DefensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click RPCTrafficAnalysis href "/technique/d3f:RPCTrafficAnalysis";

  NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] --> | analyzes | RPCNetworkTraffic["RPC Network Traffic"];
  NetworkTrafficSignatureAnalysis["Network Traffic Signature Analysis"] -.-> | may-detect | T1558003["Kerberoasting"] ;
  class NetworkTrafficSignatureAnalysis DefensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click NetworkTrafficSignatureAnalysis href "/technique/d3f:NetworkTrafficSignatureAnalysis";

  Client-serverPayloadProfiling["Client-server Payload Profiling"] --> | analyzes | RPCNetworkTraffic["RPC Network Traffic"];
  Client-serverPayloadProfiling["Client-server Payload Profiling"] -.-> | may-detect | T1558003["Kerberoasting"] ;
  class Client-serverPayloadProfiling DefensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click Client-serverPayloadProfiling href "/technique/d3f:Client-serverPayloadProfiling";

  ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] --> | analyzes | RPCNetworkTraffic["RPC Network Traffic"];
  ProtocolMetadataAnomalyDetection["Protocol Metadata Anomaly Detection"] -.-> | may-detect | T1558003["Kerberoasting"] ;
  class ProtocolMetadataAnomalyDetection DefensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click ProtocolMetadataAnomalyDetection href "/technique/d3f:ProtocolMetadataAnomalyDetection";

  PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] --> | analyzes | RPCNetworkTraffic["RPC Network Traffic"];
  PerHostDownload-UploadRatioAnalysis["Per Host Download-Upload Ratio Analysis"] -.-> | may-detect | T1558003["Kerberoasting"] ;
  class PerHostDownload-UploadRatioAnalysis DefensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click PerHostDownload-UploadRatioAnalysis href "/technique/d3f:PerHostDownload-UploadRatioAnalysis";

  UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] --> | analyzes | RPCNetworkTraffic["RPC Network Traffic"];
  UserGeolocationLogonPatternAnalysis["User Geolocation Logon Pattern Analysis"] -.-> | may-detect | T1558003["Kerberoasting"] ;
  class UserGeolocationLogonPatternAnalysis DefensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click UserGeolocationLogonPatternAnalysis href "/technique/d3f:UserGeolocationLogonPatternAnalysis";

  %% --- Techniques that act on the Kerberos Ticket: detect, evict, deceive ---
  CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] --> | analyzes | KerberosTicket["Kerberos Ticket"];
  CredentialCompromiseScopeAnalysis["Credential Compromise Scope Analysis"] -.-> | may-detect | T1558003["Kerberoasting"] ;
  class CredentialCompromiseScopeAnalysis DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click CredentialCompromiseScopeAnalysis href "/technique/d3f:CredentialCompromiseScopeAnalysis";

  AuthenticationCacheInvalidation["Authentication Cache Invalidation"] --> | deletes | KerberosTicket["Kerberos Ticket"];
  AuthenticationCacheInvalidation["Authentication Cache Invalidation"] -.-> | may-evict | T1558003["Kerberoasting"] ;
  class AuthenticationCacheInvalidation DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click AuthenticationCacheInvalidation href "/technique/d3f:AuthenticationCacheInvalidation";

  DecoyUserCredential["Decoy User Credential"] --> | spoofs | KerberosTicket["Kerberos Ticket"];
  DecoyUserCredential["Decoy User Credential"] -.-> | may-deceive | T1558003["Kerberoasting"] ;
  class DecoyUserCredential DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click DecoyUserCredential href "/technique/d3f:DecoyUserCredential";

  %% --- Isolation on the RPC Network Traffic artifact ---
  NetworkTrafficFiltering["Network Traffic Filtering"] --> | filters | RPCNetworkTraffic["RPC Network Traffic"];
  NetworkTrafficFiltering["Network Traffic Filtering"] -.-> | may-isolate | T1558003["Kerberoasting"] ;
  class NetworkTrafficFiltering DefensiveTechniqueNode;
  class RPCNetworkTraffic ArtifactNode;
  click NetworkTrafficFiltering href "/technique/d3f:NetworkTrafficFiltering";

  %% --- Credential lifecycle and hardening on the Kerberos Ticket ---
  %% NOTE(review): the "may-harden" edges for MFA, token binding and token-based
  %% authentication come from those techniques touching Kerberos tickets; the
  %% graph does not show that they protect service-account ticket material.
  %% Confirm before treating them as mitigations.
  CredentialRevocation["Credential Revocation"] --> | deletes | KerberosTicket["Kerberos Ticket"];
  CredentialRevocation["Credential Revocation"] -.-> | may-evict | T1558003["Kerberoasting"] ;
  class CredentialRevocation DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click CredentialRevocation href "/technique/d3f:CredentialRevocation";

  CredentialRotation["Credential Rotation"] --> | regenerates | KerberosTicket["Kerberos Ticket"];
  CredentialRotation["Credential Rotation"] -.-> | may-harden | T1558003["Kerberoasting"] ;
  class CredentialRotation DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click CredentialRotation href "/technique/d3f:CredentialRotation";

  TokenBinding["Token Binding"] --> | strengthens | KerberosTicket["Kerberos Ticket"];
  TokenBinding["Token Binding"] -.-> | may-harden | T1558003["Kerberoasting"] ;
  class TokenBinding DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click TokenBinding href "/technique/d3f:TokenBinding";

  Multi-factorAuthentication["Multi-factor Authentication"] --> | uses | KerberosTicket["Kerberos Ticket"];
  Multi-factorAuthentication["Multi-factor Authentication"] -.-> | may-harden | T1558003["Kerberoasting"] ;
  class Multi-factorAuthentication DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click Multi-factorAuthentication href "/technique/d3f:Multi-factorAuthentication";

  Token-basedAuthentication["Token-based Authentication"] --> | uses | KerberosTicket["Kerberos Ticket"];
  Token-basedAuthentication["Token-based Authentication"] -.-> | may-harden | T1558003["Kerberoasting"] ;
  class Token-basedAuthentication DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click Token-basedAuthentication href "/technique/d3f:Token-basedAuthentication";

  CredentialTransmissionScoping["Credential Transmission Scoping"] --> | isolates | KerberosTicket["Kerberos Ticket"];
  CredentialTransmissionScoping["Credential Transmission Scoping"] -.-> | may-isolate | T1558003["Kerberoasting"] ;
  class CredentialTransmissionScoping DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click CredentialTransmissionScoping href "/technique/d3f:CredentialTransmissionScoping";

  ReissueCredential["Reissue Credential"] --> | restores | KerberosTicket["Kerberos Ticket"];
  ReissueCredential["Reissue Credential"] -.-> | may-restore | T1558003["Kerberoasting"] ;
  class ReissueCredential DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click ReissueCredential href "/technique/d3f:ReissueCredential";

  CredentialHardening["Credential Hardening"] --> | hardens | KerberosTicket["Kerberos Ticket"];
  CredentialHardening["Credential Hardening"] -.-> | may-harden | T1558003["Kerberoasting"] ;
  class CredentialHardening DefensiveTechniqueNode;
  class KerberosTicket ArtifactNode;
  click CredentialHardening href "/technique/d3f:CredentialHardening";