File size: 4,349 Bytes
5fe70fd |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 |
{
"id": "bundle--f830457a-ca39-47ff-8de3-2ebc4f7ea308",
"objects": [
{
"created": "2018-07-31T00:00:00.000Z",
"created_by_ref": "identity--e50ab59c-5c4f-4d40-bf6a-d58418d89bcd",
"description": "An adversary uses stolen Kerberos tickets to access systems/resources that leverage the Kerberos authentication protocol. The Kerberos authentication protocol centers around a ticketing system which is used to request/grant access to services and to then access the requested services. An adversary can obtain any one of these tickets (e.g. Service Ticket, Ticket Granting Ticket, Silver Ticket, or Golden Ticket) to authenticate to a system/resource without needing the account's credentials. Depending on the ticket obtained, the adversary may be able to access a particular resource or generate TGTs for any account within an Active Directory Domain.",
"external_references": [
{
"external_id": "CAPEC-645",
"source_name": "capec",
"url": "https://capec.mitre.org/data/definitions/645.html"
},
{
"external_id": "CWE-522",
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/522.html"
},
{
"external_id": "CWE-294",
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/294.html"
},
{
"external_id": "CWE-308",
"source_name": "cwe",
"url": "http://cwe.mitre.org/data/definitions/308.html"
},
{
"description": "Use Alternate Authentication Material:Pass The Ticket",
"external_id": "T1550.003",
"source_name": "ATTACK",
"url": "https://attack.mitre.org/wiki/Technique/T1550/003"
},
{
"description": "BRONZE BUTLER Targets Japanese Enterprises, 2017--10---12, Secureworks® Counter Threat Unit™ Threat Intelligence",
"external_id": "REF-584",
"source_name": "reference_from_CAPEC",
"url": "https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses"
}
],
"id": "attack-pattern--05740120-81ef-4224-9805-2f0b54d1111f",
"modified": "2020-07-30T00:00:00.000Z",
"name": "Use of Captured Tickets (Pass The Ticket)",
"object_marking_refs": [
"marking-definition--17d82bb2-eeeb-4898-bda5-3ddbcd2b799d"
],
"spec_version": "2.1",
"type": "attack-pattern",
"x_capec_abstraction": "Detailed",
"x_capec_can_precede_refs": [
"attack-pattern--22802ed6-ddc6-4da7-b6be-60b10d26198b"
],
"x_capec_child_of_refs": [
"attack-pattern--755bb5ac-2eee-4e54-9864-92812666120c"
],
"x_capec_consequences": {
"Integrity": [
"Gain Privileges"
]
},
"x_capec_domains": [
"Software"
],
"x_capec_example_instances": [
"Bronze Butler (also known as Tick), has been shown to leverage forged Kerberos Ticket Granting Tickets (TGTs) and Ticket Granting Service (TGS) tickets to maintain administrative access on a number of systems. [REF-584]"
],
"x_capec_likelihood_of_attack": "Low",
"x_capec_prerequisites": [
"The adversary needs physical access to the victim system.",
"The use of a third-party credential harvesting tool."
],
"x_capec_skills_required": {
"High": "The adversary uses a third-party tool to obtain the necessary tickets to execute the attack.",
"Low": "Determine if Kerberos authentication is used on the server."
},
"x_capec_status": "Stable",
"x_capec_typical_severity": "High",
"x_capec_version": "3.9"
}
],
"type": "bundle"
} |