[Acquire known Kerberos credentials] The adversary must obtain known Kerberos credentials in order to access the target system, application, or service within the domain.
[Attempt Kerberos authentication] Try each Kerberos credential against various resources within the domain until the target grants access.
[Impersonate] An adversary can use successful experiments or authentications to impersonate an authorized user or system, or to laterally move within the domain
[Spoofing] Malicious data can be injected into the target system or into other systems on the domain. The adversary can also pose as a legitimate domain user to perform social engineering attacks.
[Data Exfiltration] The adversary can obtain sensitive data contained within domain systems or applications.
Weakness Name | |
---|---|
Insufficiently Protected Credentials The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval. |
|
Improper Restriction of Excessive Authentication Attempts The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks. |
|
Use of Single-factor Authentication The use of single-factor authentication can lead to unnecessary risk of compromise when compared with the benefits of a dual-factor authentication scheme. |
|
Use of Password System for Primary Authentication The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism. |
|
Not Using Password Aging The product does not have a mechanism in place for managing password aging. |
|
Password Aging with Long Expiration The product supports password aging, but the expiration period is too long. |
|
Reliance on a Single Factor in a Security Decision A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make a decision about granting access to restricted resources or functionality. |
|
Authentication Bypass by Capture-replay A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes). |
|
Use of Password Hash Instead of Password for Authentication The product records password hashes in a data store, receives a hash of a password from a client, and compares the supplied hash to the hash obtained from the data store. |
Name | Organization | Date | Date Release |
---|---|---|---|
CAPEC Content Team | The MITRE Corporation |
Name | Organization | Date | Comment |
---|---|---|---|
CAPEC Content Team | The MITRE Corporation | Updated Description, Notes, Related_Attack_Patterns | |
CAPEC Content Team | The MITRE Corporation | Updated Description, Extended_Description | |
CAPEC Content Team | The MITRE Corporation | Updated Extended_Description, Prerequisites |