Potential Kerberos Attack via Bifrost

Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2020/01/12"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or
attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "kuery"
license = "Elastic License v2"
name = "Potential Kerberos Attack via Bifrost"
references = ["https://github.com/its-a-feature/bifrost"]
risk_score = 73
rule_id = "16904215-2c95-4ac8-bf5c-12354e047192"
setup = """## Setup

This rule requires data coming in from Elastic Defend.

### Elastic Defend Integration Setup
Elastic Defend is integrated into the Elastic Agent using Fleet. Upon configuration, the integration allows the Elastic Agent to monitor events on your host and send data to the Elastic Security app.

#### Prerequisite Requirements:
- Fleet is required for Elastic Defend.
- To configure Fleet Server refer to the [documentation](https://www.elastic.co/guide/en/fleet/current/fleet-server.html).

#### The following steps should be executed in order to add the Elastic Defend integration on a macOS System:
- Go to the Kibana home page and click "Add integrations".
- In the query bar, search for "Elastic Defend" and select the integration to see more details about it.
- Click "Add Elastic Defend".
- Configure the integration name and optionally add a description.
- Select the type of environment you want to protect, for MacOS it is recommended to select "Traditional Endpoints".
- Select a configuration preset. Each preset comes with different default settings for Elastic Agent, you can further customize these later by configuring the Elastic Defend integration policy. [Helper guide](https://www.elastic.co/guide/en/security/current/configure-endpoint-integration-policy.html).
- We suggest selecting "Complete EDR (Endpoint Detection and Response)" as a configuration setting, that provides "All events; all preventions"
- Enter a name for the agent policy in "New agent policy name". If other agent policies already exist, you can click the "Existing hosts" tab and select an existing policy instead.
For more details on Elastic Agent configuration settings, refer to the [helper guide](https://www.elastic.co/guide/en/fleet/current/agent-policy.html).
- Click "Save and Continue".
- To complete the integration, select "Add Elastic Agent to your hosts" and continue to the next section to install the Elastic Agent on your hosts.
For more details on Elastic Defend refer to the [helper guide](https://www.elastic.co/guide/en/security/current/install-endpoint.html).
"""
severity = "high"
tags = [
    "Domain: Endpoint",
    "OS: macOS",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Lateral Movement",
    "Data Source: Elastic Defend",
    "Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.category:process and host.os.type:macos and event.type:start and
 process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u or ("-ticket" and ptt) or (dump and (tickets or keytab))))
'''
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating Potential Kerberos Attack via Bifrost

Kerberos is a network authentication protocol designed to provide secure identity verification for users and services. Adversaries exploit tools like Bifrost on macOS to extract Kerberos tickets or perform unauthorized authentications, such as pass-the-ticket attacks. The detection rule identifies suspicious process activities linked to Bifrost's known attack methods, focusing on specific command-line arguments indicative of credential access and lateral movement attempts.

### Possible investigation steps

- Review the process start event details to identify the specific command-line arguments used, focusing on those that match the suspicious patterns such as "-action", "-kerberoast", "askhash", "asktgs", "asktgt", "s4u", "-ticket ptt", or "dump tickets/keytab".
- Correlate the process execution with user activity logs to determine if the process was initiated by a legitimate user or an unauthorized account.
- Check for any recent changes in user permissions or group memberships that could indicate privilege escalation attempts.
- Investigate the source and destination of any network connections made by the process to identify potential lateral movement or data exfiltration.
- Analyze historical data for similar process executions or patterns to assess if this is an isolated incident or part of a broader attack campaign.
- Review endpoint security logs for any additional indicators of compromise or related suspicious activities around the time of the alert.

### False positive analysis

- Legitimate administrative tasks on macOS systems may trigger the rule if they involve Kerberos ticket management. To handle this, identify and document routine administrative processes that use similar command-line arguments and create exceptions for these specific activities.
- Security tools or scripts designed for Kerberos ticket management or testing may mimic Bifrost's behavior. Review and whitelist these tools if they are part of authorized security assessments or IT operations.
- Automated system processes that interact with Kerberos for legitimate authentication purposes might be flagged. Monitor these processes and exclude them from the rule if they are verified as non-threatening and essential for system operations.
- Developers or IT personnel testing Kerberos configurations in a controlled environment could inadvertently trigger the rule. Ensure that such environments are well-documented and excluded from monitoring to prevent false positives.

### Response and remediation

- Immediately isolate the affected macOS host from the network to prevent further unauthorized access or lateral movement.
- Terminate any suspicious processes identified by the detection rule, particularly those involving Bifrost command-line arguments.
- Conduct a thorough review of Kerberos ticket logs and authentication attempts to identify any unauthorized access or anomalies.
- Revoke and reissue Kerberos tickets for affected users and services to ensure no compromised tickets are in use.
- Update and patch the macOS system and any related software to mitigate vulnerabilities that may have been exploited.
- Implement enhanced monitoring for Kerberos-related activities, focusing on unusual patterns or command-line arguments similar to those used by Bifrost.
- Escalate the incident to the security operations center (SOC) or incident response team for further investigation and to determine if additional systems are compromised."""


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"
[[rule.threat.technique.subtechnique]]
id = "T1550.003"
name = "Pass the Ticket"
reference = "https://attack.mitre.org/techniques/T1550/003/"



[rule.threat.tactic]
id = "TA0008"
name = "Lateral Movement"
reference = "https://attack.mitre.org/tactics/TA0008/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"
[[rule.threat.technique.subtechnique]]
id = "T1558.003"
name = "Kerberoasting"
reference = "https://attack.mitre.org/techniques/T1558/003/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
```
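The KQL `process.args:(...)` clause above is easy to misread: every term is tested against the whole multi-valued `process.args` field, so `("-ticket" and ptt)` means both values appear somewhere in argv, not that they are adjacent, and `process.args` is a keyword field, so matching is exact and case-sensitive. The following Python re-implementation of the query is an added example for offline testing of that logic, not code from the Elastic rule or the Bifrost project. The sample events are constructed; the argument orderings and the `corp.example` realm are assumptions, and the ECS field mappings (`event.category` and `event.type` multi-valued, `host.os.type` scalar) are assumed to match Elastic Defend's output.

```python
"""Offline re-implementation of the rule's KQL predicate (added example, not Elastic's code)."""
from typing import Any, Dict, List


def _field_has(event: Dict[str, Any], key: str, value: str) -> bool:
    """KQL `field:value` on an ECS field that may be scalar or multi-valued.

    Assumes keyword mappings: comparison is exact and case-sensitive,
    so "AskHash" would NOT satisfy `process.args:askhash`.
    """
    field = event.get(key)
    if isinstance(field, list):
        return value in field
    return field == value


def suspicious_bifrost_args(args: List[str]) -> bool:
    """Python form of:
    process.args:("-action" and ("-kerberoast" or askhash or asktgs or asktgt or s4u
                                 or ("-ticket" and ptt) or (dump and (tickets or keytab))))
    Each term matches any element of argv; position and adjacency are irrelevant.
    """
    def has(term: str) -> bool:
        return term in args

    if not has("-action"):
        return False
    return (
        has("-kerberoast")
        or has("askhash")
        or has("asktgs")
        or has("asktgt")
        or has("s4u")
        or (has("-ticket") and has("ptt"))
        or (has("dump") and (has("tickets") or has("keytab")))
    )


def matches_rule(event: Dict[str, Any]) -> bool:
    """Full rule predicate: process start on macOS with the suspicious argv pattern."""
    return (
        _field_has(event, "event.category", "process")
        and _field_has(event, "host.os.type", "macos")
        and _field_has(event, "event.type", "start")
        and suspicious_bifrost_args(event.get("process.args", []))
    )


def run_rule(events: List[Dict[str, Any]]) -> List[str]:
    """Return the command line of every event the rule would alert on."""
    return [" ".join(e.get("process.args", [])) for e in events if matches_rule(e)]


def _mac_start(args: List[str], os_type: str = "macos", event_type: str = "start") -> Dict[str, Any]:
    """Build a constructed ECS-style process event (sample data, not a real capture)."""
    return {
        "event.category": ["process"],
        "event.type": [event_type],
        "host.os.type": os_type,
        "process.name": args[0],
        "process.args": args,
    }


# Constructed sample events: three should alert, four should not.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    _mac_start(["bifrost", "-action", "askhash", "-username", "svc_backup", "-domain", "corp.example"]),
    _mac_start(["bifrost", "-action", "ptt", "-ticket", "<base64-ticket-placeholder>"]),  # non-adjacent terms
    _mac_start(["bifrost", "-action", "dump", "keytab"]),
    _mac_start(["kinit", "alice@CORP.EXAMPLE"]),                      # legitimate, no -action
    _mac_start(["backuptool", "-action", "dump", "config"]),          # dump without tickets/keytab
    _mac_start(["bifrost", "-action", "asktgt"], os_type="linux"),    # OS filter excludes it
    _mac_start(["bifrost", "-action", "asktgt"], event_type="end"),   # only process start events
]


if __name__ == "__main__":
    for cmdline in run_rule(SAMPLE_EVENTS):
        print("ALERT:", cmdline)
```

Running the block prints the three alerting command lines. The `backuptool -action dump config` sample is the case that matters for the false-positive section above: any unrelated tool whose argv happens to contain `-action` together with one of the listed words will fire, so exceptions for documented administrative tooling should be scoped on `process.executable` or code signature rather than on loosening the argument list.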
