Forged PAC

How to detect, mitigate, and respond to Forged PAC attacks

Forged PAC is a privilege escalation method in which an attacker forges the Privilege Attribute Certificate (PAC) in a Kerberos ticket to gain access to resources they did not previously have.


STEALTHbits’ Forged PAC Solution

STEALTHbits’ products provide a multitude of ways to detect, mitigate, and respond to a Forged PAC attack.

Detect Forged PAC Attack

Detection uses the same approach as for Golden Tickets: inspecting the PAC data carried in the Kerberos TGT for forged group information.

APPROACH #1

Kerberos TGT Contains Specific Groups

DESCRIPTION

Monitor for specific RIDs appearing in Kerberos PAC data that should not be there. By default, this only monitors the following groups:

  • Domain Admins (512)
  • Enterprise Admins (519)
  • Schema Admins (518)

PRODUCT: StealthINTERCEPT

APPROACH #2

Kerberos TGT Containing Groups of which the Account is not a Member

DESCRIPTION

Compares the groups carried in the ticket's PAC against the account's actual group membership, and takes the Kerberos ticket lifetime into account (a ticket may legitimately carry a group the account was removed from after the ticket was issued). This drastically reduces false positives while still detecting all forged PAC data.

This threat definition can be configured to look only at specific groups or at all groups, depending on customer requirements.

PRODUCT: StealthDEFEND
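The two detection approaches above, as an added example that is not StealthINTERCEPT or StealthDEFEND code: it checks a TGT's PAC group RIDs against a fixed watch list (Approach #1) and against the account's real membership with a ticket-lifetime allowance for recent removals (Approach #2). The account, RIDs, timestamps and the 10-hour default TGT lifetime are constructed sample values.

```python
from datetime import datetime, timedelta

# Assumption: default AD TGT lifetime of 10 hours; tune to the domain policy.
TICKET_LIFETIME = timedelta(hours=10)

# Approach #1 watch list: well-known RIDs that should never appear unexpectedly.
PRIVILEGED_RIDS = {512: "Domain Admins", 518: "Schema Admins", 519: "Enterprise Admins"}


def privileged_rids_in_pac(pac_rids):
    """Approach #1: return watch-listed RIDs present in the PAC, sorted."""
    return sorted(rid for rid in pac_rids if rid in PRIVILEGED_RIDS)


def forged_pac_findings(pac_rids, current_rids, removals, observed_at, lifetime=TICKET_LIFETIME):
    """Approach #2: return PAC RIDs the account could not legitimately hold.

    pac_rids     - group RIDs carried in the ticket's PAC
    current_rids - the account's group RIDs as read from AD right now
    removals     - {rid: datetime} when the account was removed from a group
    A PAC group is legitimate if the account is a member now, or was removed
    from it within one ticket lifetime (the ticket may predate the removal).
    """
    findings = []
    for rid in sorted(pac_rids):
        if rid in current_rids:
            continue
        removed_at = removals.get(rid)
        if removed_at is not None and observed_at - removed_at <= lifetime:
            continue  # stale but valid: ticket issued before the removal
        findings.append(rid)
    return findings


if __name__ == "__main__":
    # Constructed sample: PAC claims Domain Admins (512) and custom group 1105;
    # the account is only in Domain Users (513) and left 1105 two hours ago.
    now = datetime(2020, 1, 1, 12, 0)
    pac = {513, 512, 1105}
    actual = {513}
    removed = {1105: now - timedelta(hours=2)}
    print("watch-listed RIDs in PAC:", privileged_rids_in_pac(pac))   # [512]
    print("RIDs not explained by membership:", forged_pac_findings(pac, actual, removed, now))  # [512]
```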

Mitigate Forged PAC Attack

APPROACH #1

Reduce Domain Administrative Rights

DESCRIPTION

Review membership of privileged domain groups (e.g. Domain Admins, Enterprise Admins, Server Operators) and remove unnecessary members. These groups provide rights to access domain controllers.

PRODUCT: StealthAUDIT

APPROACH #2

DC Logon Groups

DESCRIPTION

Review all domain groups that grant logon rights to domain controllers (e.g. Domain Admins, Server Operators), since members of these groups can reach the Ntds.dit file on the domain controller's file system. Perform these reviews regularly and remove unnecessary members.

PRODUCT: StealthAUDIT

APPROACH #3

Secure Active Directory Permissions

DESCRIPTION

Review the following Active Directory permission applied at the domain level:

  • Replicating Directory Changes
  • Replicating Directory Changes All

These rights provide attackers the ability to obtain the KRBTGT hash using the DCSync technique. Remove any unnecessary permissions.

PRODUCT: StealthAUDIT Active Directory Permissions Analyzer

APPROACH #4

Service Ticket Request with Weak Encryption

DESCRIPTION

Monitor for Kerberos ticket requests using weak encryption (RC4_HMAC_MD5). These tickets are obtained when requesting Kerberos tickets for a particular service principal name (SPN), and are returned encrypted with the password of the service account tied to that SPN.

PRODUCT: StealthDEFEND / StealthINTERCEPT


Respond to Forged PAC Attack

APPROACH #1

Purge Kerberos Tickets on Source and Target Machine

DESCRIPTION

Because forged Kerberos tickets can be created with arbitrary usernames and passwords, disabling user accounts is not an effective response. To remove the attacker's access instead, purge Kerberos tickets on both the source and the target machine, in case the target was also compromised.

PRODUCT: StealthDEFEND

APPROACH #2

Disable Source Computer

DESCRIPTION

Disable the source computer the forged PAC originated from so it cannot authenticate any more accounts, and remove its trust relationship with the domain/forest.

PRODUCT: StealthDEFEND

APPROACH #3

Disable All Accounts which Authenticated to Source Computer in the Last X Hours

DESCRIPTION

Customers may choose to review all authentications against the source machine for the last X hours, where X is the Kerberos ticket lifetime, and then disable every account that authenticated to it until the investigation of the forged PAC is resolved.

PRODUCT: StealthDEFEND
