Potential Kerberos Attack via Bifrost

Last updated 3 months ago on 2025-03-18

Created 5 years ago on 2020-01-12

About

Identifies use of Bifrost, a known macOS Kerberos pentesting tool, which can be used to dump cached Kerberos tickets or attempt unauthorized authentication techniques such as pass-the-ticket/hash and kerberoasting.

Tags

Domain: EndpointOS: macOSUse Case: Threat DetectionTactic: Credential AccessTactic: Lateral MovementData Source: Elastic DefendLanguage: eql

Severity

high

Risk Score

MITRE ATT&CK™

Lateral Movement (TA0008)(opens in a new tab or window)

↳ Use Alternate Authentication Material (T1550)(opens in a new tab or window)

Credential Access (TA0006)(opens in a new tab or window)

↳ Steal or Forge Kerberos Tickets (T1558)(opens in a new tab or window)

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type: Event Correlation Rule
Integration Pack: Prebuilt Security Detection Rules
Index Patterns: logs-endpoint.events.*
Related Integrations: endpoint(opens in a new tab or window)
Query

process where host.os.type == "macos" and event.type in ("start", "process_started") and
 process.args like~ "-action" and (process.args like~ ("-kerberoast", "askhash", "asktgs", "asktgt", "s4u") or process.args like~ ("-ticket", "ptt") or process.args like~ "dump") and process.args like~ ("tickets", "keytab")

Install detection rules in Elastic Security

Detect Potential Kerberos Attack via Bifrost in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To setup this rule, check out the installation guide for Prebuilt Security Detection Rules(opens in a new tab or window).