The following actions can be taken to prevent Kekeo infection:
Patching and updating: Keep the Active Directory environment updated, including domain controllers and associated systems, by regularly applying the latest security patches issued by Microsoft. These updates address known vulnerabilities within the Kerberos protocol and its related components.
Strong password policies: Enforce robust password policies throughout the Active Directory domain. This entails mandating the use of complex passwords with a minimum length, periodic password changes, and avoiding common or easily guessable passwords. Implement stringent password complexity requirements and account lockout policies to deter brute-force attacks.
Service account management: Exercise consistent vigilance by routinely reviewing and overseeing service accounts within Active Directory. Ensure these accounts employ robust and unique passwords. Avoid the use of privileged domain accounts for non-administrative functions. Consider the adoption of managed service accounts or group-managed service accounts, which automate password changes and reduce the vulnerability of password compromise.
Privilege management: Adhere to the principle of least privilege when assigning permissions and privileges to user accounts within Active Directory. Constrict administrative privileges exclusively to individuals who need such privileges for their roles. Regularly assess and retract unnecessary privileges to diminish the potential repercussions of compromised accounts. Vigilantly monitor unexpected lockouts or any suspicious activities linked to privileged or high-value user accounts.
Implementing credential guard: Contemplate the activation of Microsoft's Credential Guard feature on domain-joined Windows 10 or Windows Server 2016 and later systems. Credential Guard installs a protective barrier around Kerberos tickets and credentials, rendering it substantially more challenging for attackers to illicitly access them.
Monitoring for kerberoasting activity: Institute network monitoring and intrusion detection systems (IDS) to identify potential Kerberoasting attempts. Keep a watchful eye for unusual or suspicious requests for Kerberos tickets and scrutinize event logs for Kerberos-related events. Promptly generate alerts for suspected Kerberoasting attacks and conduct thorough investigations.
Implementing fine-grained password policies: Employ fine-grained password policies within Active Directory to establish distinct password criteria for service accounts or accounts vulnerable to Kerberoasting attacks. This affords the capability to impose more stringent password policies tailored to high-risk accounts.
Reducing exposure of Kerberos service accounts: To enhance security, reduce the number of domain accounts with the necessary privileges for Kerberoasting. Keep access to sensitive accounts to a minimum and regularly review their usage and permissions. Isolate service accounts by using separate administrative accounts for each service.
Account monitoring and auditing: Enable the auditing of Kerberos-related events within Active Directory to meticulously track authentication activities. Implement centralized logging and routinely analyze logs for indications of compromised accounts or aberrant authentication behavior. Scrutinize Windows event logs for pertinent events concerning Kerberos authentication, ticket requests, or suspicious activities. Evaluate the use of security information and event management (SIEM) solutions for streamlined log analysis and correlation.
User education and awareness: Foster a culture of security awareness by educating both users and administrators regarding the perils associated with phishing attacks and the criticality of robust password practices. Educate them to discern and promptly report suspicious emails or phishing endeavors. Instill a sense of security consciousness and urge users to adopt sound security habits.
Guidance for end users
Take these steps to help prevent malware infection on your computer.
Guidance for enterprise administrators
Malware more than often attacks enterprises than individuals. Following the below mitigation steps can help prevent malware attacks (use this for enterprise consumer):
- Keep backups so you can recover data affected by malware and destructive attacks. Use controlled folder access to prevent unauthorized applications from modifying protected files.
- Harden internet-facing assets and ensure they have the latest security updates. Use threat and vulnerability management to audit these assets regularly for vulnerabilities, misconfigurations, and suspicious activity.
- Secure Remote Desktop Gateway using solutions like Azure Multi-Factor Authentication (MFA). If you don’t have an MFA gateway, enable network-level authentication (NLA).
- Monitor for brute-force attempts. Check excessive failed authentication attempts (Windows security event ID 4625).
- Turn on cloud-delivered protection and automatic sample submission on Microsoft Defender Antivirus. These capabilities use artificial intelligence and machine learning to quickly identify and stop new and unknown threats.
- Turn on attack surface reduction rules, including rules that block credential theft, ransomware activity, and suspicious use of PsExec and WMI. To address malicious activity initiated through weaponized Office documents, use rules that block advanced macro activity, executable content, process creation, and process injection initiated by Office applications. To assess the impact of these rules, deploy them in audit mode.
- Utilize the Windows Defender Firewall and your network firewall to prevent RPC and SMB communication among endpoints whenever possible. This limits lateral movement as well as other attack activities.
- Turn on tamper protection features to prevent attackers from stopping security services.
