Kerberos Cached Credentials Dumping

Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.


 1[metadata]
 2creation_date = "2020/08/14"
 3integration = ["endpoint"]
 4maturity = "production"
 5min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 6min_stack_version = "8.3.0"
 7updated_date = "2023/06/22"
 8
 9[rule]
10author = ["Elastic"]
11description = """
12Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries
13may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.
14"""
15from = "now-9m"
16index = ["auditbeat-*", "logs-endpoint.events.*"]
17language = "kuery"
18license = "Elastic License v2"
19name = "Kerberos Cached Credentials Dumping"
20references = [
21    "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
22    "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html",
23]
24risk_score = 73
25rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe"
26severity = "high"
27tags = ["Domain: Endpoint", "OS: macOS", "Use Case: Threat Detection", "Tactic: Credential Access", "Data Source: Elastic Defend"]
28timestamp_override = "event.ingested"
29type = "query"
30
31query = '''
32event.category:process and host.os.type:macos and event.type:(start or process_started) and
33  process.name:kcc and
34  process.args:copy_cred_cache
35'''
36
37
38[[rule.threat]]
39framework = "MITRE ATT&CK"
40[[rule.threat.technique]]
41id = "T1003"
42name = "OS Credential Dumping"
43reference = "https://attack.mitre.org/techniques/T1003/"
44
45[[rule.threat.technique]]
46id = "T1558"
47name = "Steal or Forge Kerberos Tickets"
48reference = "https://attack.mitre.org/techniques/T1558/"
49[[rule.threat.technique.subtechnique]]
50id = "T1558.003"
51name = "Kerberoasting"
52reference = "https://attack.mitre.org/techniques/T1558/003/"
53
54
55
56[rule.threat.tactic]
57id = "TA0006"
58name = "Credential Access"
59reference = "https://attack.mitre.org/tactics/TA0006/"
