Kerberos Cached Credentials Dumping

  1[metadata]
  2creation_date = "2020/08/14"
  3integration = ["endpoint"]
  4maturity = "production"
  5updated_date = "2025/03/18"
  6
  7[rule]
  8author = ["Elastic"]
  9description = """
 10Identifies the use of the Kerberos credential cache (kcc) utility to dump locally cached Kerberos tickets. Adversaries
 11may attempt to dump credential material in the form of tickets that can be leveraged for lateral movement.
 12"""
 13from = "now-9m"
 14index = ["logs-endpoint.events.*"]
 15language = "eql"
 16license = "Elastic License v2"
 17name = "Kerberos Cached Credentials Dumping"
 18references = [
 19    "https://github.com/EmpireProject/EmPyre/blob/master/lib/modules/collection/osx/kerberosdump.py",
 20    "https://opensource.apple.com/source/Heimdal/Heimdal-323.12/kuser/kcc-commands.in.auto.html",
 21]
 22risk_score = 73
 23rule_id = "ad88231f-e2ab-491c-8fc6-64746da26cfe"
 24setup = """## Setup
 25
 26This rule requires data coming in from Elastic Defend.
 27
 28### Elastic Defend Integration Setup
 29Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.
 30
 31#### Prerequisite Requirements:
 32- Fleet is required for Elastic Defend.
 33- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).
 34
 35#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
 36- Go to the Kibana home page and click "Add integrations".
 37- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
 38- Click "Add Elastic Defend".
 39- Configure the integration name and optionally add a description.
 40- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
 41- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
 42- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
 43- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
 44For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
 45- Click "Save and Continue".
 46- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
 47For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
 48"""
 49severity = "high"
 50tags = [
 51    "Domain: Endpoint",
 52    "OS: macOS",
 53    "Use Case: Threat Detection",
 54    "Tactic: Credential Access",
 55    "Data Source: Elastic Defend",
 56    "Resources: Investigation Guide",
 57]
 58timestamp_override = "event.ingested"
 59type = "eql"
 60
 61query = '''
 62process where host.os.type == "macos" and event.type in ("start", "process_started") and
 63  process.name == "kcc" and
 64  process.args like~ "copy_cred_cache"
 65'''
 66note = """## Triage and analysis
 67
 68> **Disclaimer**:
 69> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 70
 71### Investigating Kerberos Cached Credentials Dumping
 72
 73Kerberos is a network authentication protocol designed to provide secure identity verification for users and services. It uses tickets to allow nodes to prove their identity in a secure manner. Adversaries may exploit tools like the Kerberos credential cache utility to extract these tickets, enabling unauthorized access and lateral movement within a network. The detection rule identifies suspicious activity by monitoring for specific processes and arguments on macOS systems, flagging potential credential dumping attempts.
 74
 75### Possible investigation steps
 76
 77- Review the alert details to confirm the presence of the process name 'kcc' and the argument 'copy_cred_cache' in the process execution logs on macOS systems.
 78- Identify the user account associated with the process execution to determine if the activity aligns with expected behavior or if it indicates potential unauthorized access.
 79- Examine the timeline of the process execution to identify any preceding or subsequent suspicious activities, such as unusual login attempts or lateral movement within the network.
 80- Check for any other alerts or logs related to the same host or user account to assess if this is part of a broader attack pattern.
 81- Investigate the source and destination of any network connections made by the process to identify potential data exfiltration or communication with known malicious IP addresses.
 82- Consult with the user or system owner to verify if the use of the 'kcc' utility was legitimate or if it requires further investigation.
 83
 84### False positive analysis
 85
 86- Routine administrative tasks using the kcc utility may trigger the rule. Identify and document these tasks to create exceptions for known benign activities.
 87- Automated scripts or maintenance processes that involve copying Kerberos credential caches can be mistaken for malicious activity. Review and whitelist these scripts if they are verified as safe.
 88- Developers or IT personnel testing Kerberos configurations might use the kcc utility in a non-malicious context. Establish a process to log and approve such activities to prevent false alarms.
 89- Security tools or monitoring solutions that interact with Kerberos tickets for legitimate purposes may inadvertently trigger the rule. Coordinate with security teams to ensure these tools are recognized and excluded from detection.
 90
 91### Response and remediation
 92
 93- Immediately isolate the affected macOS system from the network to prevent further unauthorized access or lateral movement.
 94- Terminate the suspicious process identified as 'kcc' with the argument 'copy_cred_cache' to stop any ongoing credential dumping activity.
 95- Conduct a thorough review of the system's Kerberos ticket cache to identify any unauthorized access or anomalies, and invalidate any compromised tickets.
 96- Reset passwords and regenerate Kerberos tickets for any accounts that may have been affected to prevent further unauthorized access.
 97- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine the scope of the breach.
 98- Implement additional monitoring on the affected system and similar endpoints to detect any recurrence of the credential dumping activity.
 99- Review and update access controls and Kerberos configurations to enhance security and reduce the risk of similar attacks in the future."""
100
101
102[[rule.threat]]
103framework = "MITRE ATT&CK"
104[[rule.threat.technique]]
105id = "T1003"
106name = "OS Credential Dumping"
107reference = "https://attack.mitre.org/techniques/T1003/"
108
109[[rule.threat.technique]]
110id = "T1558"
111name = "Steal or Forge Kerberos Tickets"
112reference = "https://attack.mitre.org/techniques/T1558/"
113[[rule.threat.technique.subtechnique]]
114id = "T1558.003"
115name = "Kerberoasting"
116reference = "https://attack.mitre.org/techniques/T1558/003/"
117
118
119
120[rule.threat.tactic]
121id = "TA0006"
122name = "Credential Access"
123reference = "https://attack.mitre.org/tactics/TA0006/"