Kerberos Cached Credentials Dumping
Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.
Elastic rule (View on GitHub)
# Elastic prebuilt detection rule. The file is consumed by the detection-rules
# tooling, which validates the schema and normalizes key order, so the keys
# below are left exactly as shipped.
[metadata]
creation_date = "2020/08/14"
# Data source the rule depends on; matches the "Data Source: Elastic Defend" tag below.
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
# Oldest Elastic Stack release this rule is published to.
min_stack_version = "8.3.0"
updated_date = "2023/06/22"

[rule]
author = ["Elastic"]
description = """
Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries
may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.
"""
# Look-back window per execution; paired with timestamp_override below so
# events that arrive late are still evaluated.
from = "now-9m"
index = ["auditbeat-*", "logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Kerberos Cached Credentials Dumping"
# kerberosdump.py shows the behaviour being detected; the Heimdal page
# documents the kcc sub-commands referenced in the query.
references = [
 "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
 "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html",
]
# 73 is Elastic's standard score for severity "high"; keep the two fields in step.
risk_score = 73
rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe"
severity = "high"
tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
# Evaluate the look-back window against ingest time rather than the event's
# own @timestamp, so delayed events are not missed.
timestamp_override = "event.ingested"
type = "query"

# Process-start events on macOS where kcc is run with the copy_cred_cache
# sub-command. The match is on process.name plus one argument token, so a
# renamed kcc binary would not trigger it — a known coverage limit, not a bug.
# Do not add '#' comments inside the ''' block below: they become part of the KQL.
query = '''
event.category:process and host.os.type:macos and event.type:(start or process_started) and
 process.name:kcc and
 process.args:copy_cred_cache
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1003"
name = "OS Credential Dumping"
reference = "https://attack.mitre.org/techniques/T1003/"

[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"
# NOTE(review): T1558.003 (Kerberoasting) describes requesting service tickets
# for offline cracking; copying a local credential cache reads closer to the
# T1558 parent or T1003 above — confirm this sub-technique mapping.
[[rule.threat.technique.subtechnique]]
id = "T1558.003"
name = "Kerberoasting"
reference = "https://attack.mitre.org/techniques/T1558/003/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
Related rules
- Access of Stored Browser Credentials
- Access to Keychain Credentials Directories
- Dumping Account Hashes via Built-In Commands
- Dumping of Keychain Content via Security Command
- Keychain Password Retrieval via Command Line