
Elevating Kerberos to the Next Level

Conference:  Black Hat USA 2022

2022-08-10

Summary

The presentation discusses Kerberos attacks and their mitigations in an enterprise environment.
  • Kerberos attacks can grant unauthorized access to local admin privileges
  • Microsoft has fixed the issue but it can be re-enabled through configuration knobs
  • Mitigations include disabling certain features, turning on Kerberos armoring, and using Enterprise file rules
  • Detection can be done through security logs
The presenter demonstrates a silver ticket attack on Windows 11, which grants local admin privileges to a non-admin user.

Abstract

Kerberos is the primary authentication protocol for on-premises Windows enterprise networks. Because it is so crucial to enterprise security, a lot of research has focused on exploiting it for remote access and lateral movement, such as the well-known Golden/Silver ticket attacks. Comparatively little research has been undertaken on the implications of Kerberos for security on the local machine, especially for privilege escalation. This presentation is a deep dive into the inner workings of Kerberos as it applies to local authentication and some of the unusual behaviors to be found within. We'll describe the security issues we've discovered, including authentication bypasses, sandbox escapes and arbitrary code execution in privileged processes. We'll be releasing tooling to inspect and manipulate the state of the Kerberos authentication protocol on the local system so that you can perform your own research. Finally, we'll provide configuration changes that can be used to mitigate some of the by-design security issues that have been presented.
