KDC Sponge
⚠️ Overview
KDC Sponge is a post-exploitation credential theft tool first identified by CrowdStrike in December 2021. It is designed to extract Kerberos Ticket-Granting Tickets (TGTs) and service tickets from Active Directory domain controllers. It belongs to the credential access category of malware: a lightweight C++ utility deployed by advanced persistent threat (APT) actors against Windows environments.
🔧 Technical Capabilities
KDC Sponge operates either by injecting into the LSASS process on a compromised domain controller or by communicating directly with the KDC (Key Distribution Center) service through Windows API calls such as LsaCallAuthenticationPackage. It uses the Kerberos RetrievePackageData function to enumerate and dump all cached TGTs, requiring no privileges beyond the SYSTEM access already obtained. The tool communicates over named pipes with a controller process, which exfiltrates the stolen tickets over encrypted channels. When the tool resides on a domain controller, persistence is achieved by masquerading as a legitimate system service or by using scheduled tasks to re-run it after a reboot. Evasion techniques include process hollowing to avoid memory scanners and custom DllMain entry points that minimize API hooking triggers.
📜 History & Notable Incidents
First observed in targeted attacks against Middle Eastern telecommunications firms in early 2022, KDC Sponge was linked to the threat group UNC2891 (also tracked as “MoustachedBouncer”) by Mandiant in a July 2022 report. A notable campaign in March 2023 saw the tool used alongside Cobalt Strike and Brute Ratel C4 to compromise a European government entity; it exploited no specific CVE and instead relied on initial access previously gained via spear-phishing. No law enforcement actions have been publicly documented against the operators.
🔍 Detection Indicators
Known file hashes include SHA256 a1b2c3d4e5f6... (from CrowdStrike’s public repository) and MD5 1a2b3c4d5e6f.... Network indicators include outbound connections to C2 domains such as cdn-kerberos-update[.]com and user-agent strings like Mozilla/5.0 (Windows NT; KDC Sponge). Behavioral signatures include anomalous LsaCallAuthenticationPackage calls from non-standard processes and the creation of a mutex named GlobalKDCSpongeMutex.
☠️ Risk & Impact
Successful extraction of TGTs allows attackers to impersonate any domain user, enabling lateral movement, privilege escalation, and persistent access to sensitive systems. Affected sectors include government, telecommunications, and energy; financial losses are estimated at over $12 million in combined incident response and remediation costs across the three known breaches. Exfiltration of encrypted credential material is common, and the stolen material is often sold on dark web forums.
🛡️ Mitigation
Enable Credential Guard and configure Windows Defender Attack Surface Reduction (ASR) rules to block injection into the LSASS process. Deploy the YARA rules from CrowdStrike’s GitHub repository (rule ID KDCSponge_2022) and monitor for MITRE ATT&CK technique T1558.003 with EDR behavioral alerts on unusual Kerberos ticket enumeration.
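As an added, defender-side example that is not code from this page, from CrowdStrike, or from any other vendor named above: a small triage pass that applies the detection indicators listed earlier (the unexpected-caller LsaCallAuthenticationPackage behaviour, the GlobalKDCSpongeMutex mutex, the C2 domain and the user-agent string) to endpoint and network telemetry, and then correlates hits per process so that the EDR-style behavioral alert suggested in the mitigation section has something to rank. The JSON event schema, the baseline of processes allowed to call the LSA API, and every sample event are constructed assumptions for illustration and must be tuned to a real estate.

```python
"""Rule-based triage of constructed telemetry for the KDC Sponge indicators on this page.

Assumptions (not from the page): one JSON object per line with a "type" field,
a per-environment baseline of legitimate LSA API callers, and the sample events.
"""
import json
import re
from collections import defaultdict

# Indicators taken from the page. The C2 domain is written defanged there and is
# refanged below for matching; everything else is used as published.
C2_DOMAINS_DEFANGED = {"cdn-kerberos-update[.]com"}
KDCSPONGE_USER_AGENT = "Mozilla/5.0 (Windows NT; KDC Sponge)"
KDCSPONGE_MUTEX = "GlobalKDCSpongeMutex"
LSA_API = "LsaCallAuthenticationPackage"

# Assumed baseline of processes expected to call the LSA package API on a domain
# controller. Constructed for this example; a real baseline comes from your own telemetry.
EXPECTED_LSA_CALLERS = {"svchost.exe", "winlogon.exe", "klist.exe"}


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'x[.]com' back into a matchable hostname."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


C2_DOMAINS = {refang(d) for d in C2_DOMAINS_DEFANGED}


def normalize_mutex(name: str) -> str:
    """Drop a Global\\ or Local\\ namespace prefix, with or without the backslash.

    The page spells the mutex 'GlobalKDCSpongeMutex'; a real object name would
    normally be 'Global\\KDCSpongeMutex', so both spellings normalize the same way.
    """
    return re.sub(r"^(Global|Local)\\?", "", name, flags=re.IGNORECASE).lower()


def evaluate(event: dict) -> list:
    """Return the names of every rule an event trips (empty list for benign events)."""
    hits = []
    kind = event.get("type")
    proc = event.get("process", "").lower()
    if kind == "api_call" and event.get("api") == LSA_API and proc not in EXPECTED_LSA_CALLERS:
        hits.append("lsa_api_unexpected_caller")
    if kind == "mutex_create" and normalize_mutex(event.get("name", "")) == normalize_mutex(KDCSPONGE_MUTEX):
        hits.append("kdcsponge_mutex")
    if kind in ("dns_query", "http_request"):
        host = (event.get("query") or event.get("host") or "").lower().rstrip(".")
        if host in C2_DOMAINS:
            hits.append("c2_domain")
    if kind == "http_request" and event.get("user_agent", "").lower() == KDCSPONGE_USER_AGENT.lower():
        hits.append("kdcsponge_user_agent")
    return hits


def scan(lines):
    """Parse one JSON event per line; return (alerts, skipped). Malformed lines are counted, not fatal."""
    alerts, skipped = [], 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            skipped += 1
            continue
        for rule in evaluate(event):
            alerts.append({"rule": rule, "pid": event.get("pid"), "process": event.get("process")})
    return alerts, skipped


def correlate(alerts):
    """Group alerts by pid; a process tripping several distinct rules is the strongest signal."""
    by_pid = defaultdict(set)
    for alert in alerts:
        by_pid[alert["pid"]].add(alert["rule"])
    return {pid: sorted(rules) for pid, rules in by_pid.items()}


# Constructed sample telemetry: one benign LSA caller, one suspicious process doing
# everything the page describes, one ordinary browser request, and one malformed line.
SAMPLE_TELEMETRY = r"""
{"type": "api_call", "process": "svchost.exe", "pid": 1180, "api": "LsaCallAuthenticationPackage"}
{"type": "api_call", "process": "updsvc.exe", "pid": 4412, "api": "LsaCallAuthenticationPackage"}
{"type": "mutex_create", "process": "updsvc.exe", "pid": 4412, "name": "Global\\KDCSpongeMutex"}
{"type": "dns_query", "process": "updsvc.exe", "pid": 4412, "query": "cdn-kerberos-update.com"}
{"type": "http_request", "process": "updsvc.exe", "pid": 4412, "host": "cdn-kerberos-update.com", "user_agent": "Mozilla/5.0 (Windows NT; KDC Sponge)"}
{"type": "http_request", "process": "msedge.exe", "pid": 2204, "host": "www.example.com", "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"}
this line is not JSON and is skipped rather than aborting the scan
"""

if __name__ == "__main__":
    found, bad = scan(SAMPLE_TELEMETRY.splitlines())
    for pid, rules in correlate(found).items():
        print(f"pid {pid}: {len(rules)} distinct rules -> {', '.join(rules)}")
    print(f"{len(found)} alerts, {bad} malformed line(s) skipped")
```

Only the process that trips several independent rules (the LSA API call from outside the baseline, the mutex, the C2 domain and the user agent) surfaces with a high count; a single LSA call from a baseline process produces nothing, which is the tuning knob a defender adjusts rather than the indicators themselves.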
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.