creator/Anthropic-Cybersecurity-Skills
1
0
Fork 0
mirror of https://github.com/mukul975/Anthropic-Cybersecurity-Skills.git synced 2026-06-14 15:04:56 +03:00
Code Issues Packages Projects Releases Wiki Activity
Files
d5f3fa32486ea335db802d68fe2147fa2da69583
Anthropic-Cybersecurity-Skills/skills/performing-kerberoasting-attack/SKILL.md
T
mukul975 efca3ec611 feat: add NIST CSF 2.0 nist_csf field to all 754 cybersecurity skills 
Mapped every skill to NIST CSF 2.0 subcategory IDs (GV/ID/PR/DE/RS/RC functions)
based on subdomain and content analysis. Restores 11 skills corrupted during
prior rebase, re-enriching with ATLAS, D3FEND, NIST AI RMF, and CSF 2.0 fields.

All 754 skills now carry structured mappings for all 5 security frameworks:
- MITRE ATT&CK (in tags)
- MITRE ATLAS v5.5 (atlas_techniques)
- MITRE D3FEND v1.3 (d3fend_techniques)
- NIST AI RMF 1.0 (nist_ai_rmf)
- NIST CSF 2.0 (nist_csf)
2026-04-06 11:17:40 +02:00

4.1 KiB
Raw Blame History

name, description, domain, subdomain, tags, version, author, license, d3fend_techniques, nist_csf
name description domain subdomain tags version author license d3fend_techniques nist_csf
performing-kerberoasting-attack Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names cybersecurity red-teaming
red-team
adversary-simulation
mitre-attack
exploitation
post-exploitation
kerberoasting
active-directory
credential-access
1.0 mahipal Apache-2.0
Application Protocol Command Analysis
Network Isolation
Network Traffic Analysis
Client-server Payload Profiling
Network Traffic Community Deviation
ID.RA-01
GV.OV-02
DE.AE-07

Performing Kerberoasting Attack

Legal Notice: This skill is for authorized security testing and educational purposes only. Unauthorized use against systems you do not own or have written permission to test is illegal and may violate computer fraud laws.

Overview

Kerberoasting is a post-exploitation technique that targets service accounts in Active Directory by requesting Kerberos TGS (Ticket Granting Service) tickets for accounts with Service Principal Names (SPNs) set. These tickets are encrypted with the service account's NTLM hash, allowing offline brute-force cracking without generating failed login events. It is one of the most common privilege escalation paths in AD environments because any domain user can request TGS tickets.

When to Use

  • When conducting security assessments that involve performing kerberoasting attack
  • When following incident response procedures for related security events
  • When performing scheduled security testing or auditing activities
  • When validating security controls through hands-on testing

Prerequisites

  • Familiarity with red teaming concepts and tools
  • Access to a test or lab environment for safe execution
  • Python 3.8+ with required dependencies installed
  • Appropriate authorization for any testing activities

MITRE ATT&CK Mapping

  • T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
  • T1087.002 - Account Discovery: Domain Account
  • T1069.002 - Permission Groups Discovery: Domain Groups

Workflow

Phase 1: SPN Enumeration

  1. Enumerate accounts with SPNs using LDAP queries
  2. Filter for user accounts (not computer accounts)
  3. Identify accounts with elevated privileges (adminCount=1)
  4. Prioritize accounts with weak password policies

Phase 2: TGS Ticket Request

  1. Request TGS tickets for identified SPN accounts
  2. Extract ticket data in crackable format (hashcat/john compatible)
  3. Ensure RC4 encryption is requested when possible (easier to crack)
  4. Document all requested tickets

Phase 3: Offline Cracking

  1. Use hashcat mode 13100 (Kerberos 5 TGS-REP etype 23) for RC4 tickets
  2. Use hashcat mode 19700 (Kerberos 5 TGS-REP etype 17) for AES-128
  3. Use hashcat mode 19800 (Kerberos 5 TGS-REP etype 18) for AES-256
  4. Apply targeted wordlists and rules based on password policy

Phase 4: Credential Validation

  1. Validate cracked credentials against domain
  2. Assess access level of compromised accounts
  3. Map accounts to BloodHound attack paths
  4. Document for engagement report

Tools and Resources

Tool Purpose Platform
Rubeus Kerberoasting and ticket manipulation Windows (.NET)
Impacket GetUserSPNs.py Remote Kerberoasting Linux/Python
PowerView SPN enumeration Windows (PowerShell)
hashcat Offline password cracking Cross-platform
John the Ripper Offline password cracking Cross-platform

Detection Indicators

  • Event ID 4769: Kerberos Service Ticket Request with RC4 encryption (0x17)
  • Anomalous TGS requests from a single account in short timeframe
  • TGS requests for services the user normally does not access
  • Honeypot SPN accounts with alerting on ticket requests

Validation Criteria

  • SPN accounts enumerated and documented
  • TGS tickets extracted in crackable format
  • Offline cracking attempted with appropriate wordlists
  • Cracked credentials validated
  • Access level of compromised accounts assessed
Reference in New Issue View Git Blame Copy Permalink