Overview
Bronze Bit refers to exploitation activity surrounding CVE-2020-17049, a Kerberos KDC spoofing vulnerability affecting Microsoft Windows. Exploitation allows attackers to forge PAC (Privilege Attribute Certificate) signatures, enabling privilege escalation and impersonation across domain environments.
Technical Details
CVE-2020-17049 involves weaknesses in Kerberos' handling of ticket validation and KDC signatures. If PAC signature verification is bypassed or forged, an attacker can impersonate any user, including domain administrators. Microsoft released a phased mitigation approach that includes updates requiring KDC enforcement and PAC signature validation.
MITRE ATT&CK Mapping
- T1550.003 – Use Alternate Authentication Material: Kerberos Tickets
- T1558.001 – Steal or Forge Kerberos Tickets: Golden Ticket
- T1558.003 – Steal or Forge Kerberos Tickets: Kerberoasting
- T1098 – Account Manipulation
- T1134 – Access Token Manipulation
View this mapping using the official MITRE ATT&CK Navigator.
Exploitation & Detection
- Exploit code may attempt to forge or inject Kerberos PAC signatures
- Detect abnormal Kerberos ticket activity using SIEM (e.g., KRB_TGS with odd SIDs or timestamps)
- Use Windows event IDs 4769, 4770, 4624 to monitor ticket creation and authentication anomalies
- Apply all patches and enable KDC Enforcement Modes (Audit → Full Enforcement)
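The event monitoring listed above, as an added example (not code from the original page): CVE-2020-17049 concerns service tickets used for Kerberos delegation, so this Python pass over exported 4769/4770 records flags tickets issued through delegation for watch-listed accounts, and renewals with no recent ticket request. The records are constructed; the watch list, the 10-hour lifetime and the dictionary layout are assumptions, as is reading `TargetUserName` as the account the ticket names and `TransmittedServices` as populated only when delegation was used.

```python
from datetime import datetime, timedelta

TICKET_LIFETIME = timedelta(hours=10)        # assumption: default service-ticket lifetime
WATCHLIST = {"administrator", "svc-backup"}  # hypothetical accounts that must never be delegated

# Constructed sample records (not real logs), keyed by the events' field names.
SAMPLE_EVENTS = [
    {"EventID": 4769, "TimeCreated": "2021-03-01T09:00:00", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "WEB01$", "TransmittedServices": "-"},
    {"EventID": 4770, "TimeCreated": "2021-03-01T11:00:00", "TargetUserName": "alice@CORP.EXAMPLE",
     "ServiceName": "WEB01$"},
    {"EventID": 4769, "TimeCreated": "2021-03-01T11:30:00", "TargetUserName": "Administrator@CORP.EXAMPLE",
     "ServiceName": "FS01$", "TransmittedServices": "WEB01$@CORP.EXAMPLE"},
    {"EventID": 4770, "TimeCreated": "2021-03-01T12:00:00", "TargetUserName": "bob@CORP.EXAMPLE",
     "ServiceName": "SQL01$"},
]

def account(name):
    """Normalise 'User@REALM' to a lowercase account name."""
    return name.split("@")[0].lower()

def review(events, watchlist=WATCHLIST):
    """Return (reason, event) pairs for 4769/4770 records that merit a closer look."""
    findings, last_issue = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"])):
        if ev["EventID"] not in (4769, 4770):
            continue  # other events (e.g. 4624) carry different fields
        when = datetime.fromisoformat(ev["TimeCreated"])
        key = (account(ev["TargetUserName"]), ev["ServiceName"].lower())
        if ev["EventID"] == 4769:
            last_issue[key] = when
            # A populated TransmittedServices field means the ticket came via delegation.
            delegated = ev.get("TransmittedServices", "-") not in ("", "-")
            if delegated and key[0] in watchlist:
                findings.append(("delegated ticket for watchlisted account", ev))
        else:  # 4770: a renewal should follow a request or renewal inside the lifetime
            previous = last_issue.get(key)
            if previous is None or when - previous > TICKET_LIFETIME:
                findings.append(("renewal without a recent ticket request", ev))
            last_issue[key] = when
    return findings

if __name__ == "__main__":
    for reason, ev in review(SAMPLE_EVENTS):
        print(ev["TimeCreated"], ev["EventID"], ev["TargetUserName"], ev["ServiceName"], reason)
```

The renewal check only holds when the log window reaches back far enough to contain the original 4769 request; a shorter export produces false positives.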
References