Category: Threat Hunting
Level : Medium
Instructions:
- Please allow a few minutes for the service to start.
- Ensure that there are no blockers, such as Adblock extensions, that might prevent the lab from opening in a new tab or affect lab’s functionality.
Scenario:
As a diligent cyber threat hunter, your investigation begins with a hypothesis: ‘Recent trends suggest an upsurge in Kerberoasting attacks within the industry. Could your organization be a potential target for this attack technique?’ This hypothesis lays the foundation for your comprehensive investigation, starting with an in-depth analysis of the domain controller logs to detect and mitigate any potential threats to the security landscape.
Note: Your Domain Controller is configured to audit Kerberos Service Ticket Operations, which is necessary to investigate kerberoasting attacks. Additionally, Sysmon is installed for enhanced monitoring.
You can use either the Elastic or the Splunk SIEM to solve this challenge; I will be using Splunk.
Q1-To mitigate Kerberoasting attacks effectively, we need to strengthen the encryption Kerberos protocol uses. What encryption type is currently in use within the network?
- Now let's go to our Splunk server and run this query:
index="kerberoasted" "winlog.event_id"=4769
| table "winlog.event_data.TicketEncryptionType"
| dedup "winlog.event_data.TicketEncryptionType"
Here's a breakdown of the Splunk query:
- Search the kerberoasted index: the query is scoped to the index that holds the lab's domain controller logs.
- Filter on Event ID 4769: only Kerberos Ticket Granting Service (TGS) request events are kept.
- table: shows the winlog.event_data.TicketEncryptionType field, the encryption type of each issued ticket.
- dedup: collapses the output to the unique TicketEncryptionType values.
- The only value returned is 0x17, which is Kerberos encryption type 23, RC4-HMAC. This is the etype Kerberoasting tooling asks for on purpose: the RC4 key is derived straight from the account's NTLM hash, so a captured service ticket cracks offline far faster than an AES ticket, whose key is derived with a salted, iterated PBKDF2. Hardening means enabling AES128/AES256 on service accounts (msDS-SupportedEncryptionTypes) and then treating any remaining 0x17 TGS request as a hunting lead.
The answer : RC4-HMAC
Q2-What is the username of the account that sequentially requested Ticket Granting Service (TGS) for two distinct application services within a short timeframe?
- We want accounts that requested TGS tickets for two or more different services in a short period.
- So I used this query:
index="kerberoasted" "winlog.event_id"=4769
| sort -_time
| dedup winlog.event_data.ServiceName winlog.event_data.TargetUserName
| table _time winlog.event_data.TargetUserName winlog.event_data.ServiceName
Here's a breakdown of the Splunk query:
- Search the kerberoasted index and filter on Event ID 4769, the Kerberos Ticket Granting Service (TGS) request event.
- sort -_time: orders the events newest first. It has to come before table, because table drops every field it is not told to keep, including _time, so a sort placed after it would have nothing to sort on.
- dedup: keeps one row per unique ServiceName/TargetUserName pair, so each user appears once for every service it requested a ticket for.
- table: renders the timestamp, the requesting user and the service name. Scanning the result for a user with several rows at (almost) the same timestamp answers the question; at scale you would do the same with stats dc() of the service name per user per time bucket rather than by eye.
- As the output shows, the user johndoe requested TGS tickets for two different services within the same second.
The answer : johndoe
Q3-We must delve deeper into the logs to pinpoint any compromised service accounts for a comprehensive investigation into potential successful kerberoasting attack attempts. Can you provide the account name of the compromised service account?
- In 4769, winlog.event_data.ServiceName is the account the requested service ticket was issued for (the SPN owner), not the requester. List every service name seen, with counts:
index="kerberoasted" "winlog.event_id"=4769
| stats count by winlog.event_data.ServiceName
The results break down as follows:
- DC01$: the domain controller's computer account. Tickets for host SPNs on the DC (CIFS, LDAP, HOST) are routine.
- krbtgt: the Kerberos Ticket Granting Ticket account. TGS requests naming krbtgt are TGT renewals and referrals and are expected.
- SALESPC$, MARKETINGPC$: workstation computer accounts. Tickets for these are normal in day-to-day use and they are not useful Kerberoasting targets, because computer account passwords are long and random. Seeing them requested with RC4 alongside user-account SPNs suggests the attacker simply requested a ticket for every SPN returned by an LDAP query.
- SQLService, FileShareService: user accounts carrying SPNs. These are the real Kerberoasting targets: their tickets are encrypted with a key derived from a human-chosen password, and such accounts are often over-privileged.
- Next, pivot on one of the workstation SPNs to see who requested it and from where:
index="kerberoasted" "winlog.event_id"=4769 "winlog.event_data.ServiceName"="MARKETINGPC$"
| table winlog.event_data.IpAddress winlog.event_data.TargetUserName
- A single IP requested that ticket, so pivot again on the IP to list everything it requested tickets for:
index="kerberoasted" "winlog.event_id"=4769 "winlog.event_data.IpAddress"="::ffff:10.0.0.154"
| stats count by winlog.event_data.ServiceName
- Of the SPNs requested from that host, SQLService is the user account whose ticket could be cracked offline. To confirm the account was actually compromised rather than just roasted, look for a subsequent 4624 logon with TargetUserName SQLService; the next questions build on exactly that login.
The answer : SQLService
Q4-To track the attacker’s entry point, we need to identify the machine initially compromised by the attacker. What is the machine’s IP address?
- With the compromised service account known, I used this query to pull the source IP of the TGS requests for it:
index="kerberoasted" "winlog.event_id"=4769 "winlog.event_data.ServiceName"=SQLService "winlog.event_data.TargetUserName"="johndoe@CYBERCACTUS.LOCAL"
| table winlog.event_data.IpAddress
Here's a breakdown of the Splunk query:
- Search the kerberoasted index and filter on Event ID 4769, the Kerberos Ticket Granting Service (TGS) request event.
- Filter on ServiceName = SQLService: only tickets issued for the compromised service account.
- Filter on TargetUserName = johndoe@CYBERCACTUS.LOCAL: only the requests made as the account identified in Q2.
- table: displays winlog.event_data.IpAddress, the client address the TGS request came from.
The answer : 10.0.0.154 (the log shows it as ::ffff:10.0.0.154; the ::ffff: prefix is the IPv4-mapped IPv6 notation the DC uses for IPv4 clients)
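The four pivots in Q1 to Q4 (weak encryption type, one user bursting TGS requests for several SPNs, the SPNs a single source host requested, and the source IP behind a given request) are the same logic whatever the SIEM. The following Python, added here as an example and not part of the original write-up or of the lab, implements them over 4769 events in the same winlog.* field layout the Splunk queries use. The sample events are constructed for the example; the benign user asmith, its address 10.0.0.20 and all timestamps are assumptions. It generalises Q2 slightly: the burst check takes the time window and the minimum number of distinct services as parameters.

```python
"""Kerberoasting hunt over 4769 (TGS request) events in the winlog.* layout.
Sample events are constructed for this example (not lab data); the user
asmith, the address 10.0.0.20 and every timestamp are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EID = "winlog.event_id"
TS = "@timestamp"
USER = "winlog.event_data.TargetUserName"
SVC = "winlog.event_data.ServiceName"
ETYPE = "winlog.event_data.TicketEncryptionType"
IP = "winlog.event_data.IpAddress"

# Kerberos encryption-type numbers as they appear in TicketEncryptionType.
ETYPES = {"0x1": "DES-CBC-CRC", "0x3": "DES-CBC-MD5",
          "0x11": "AES128-CTS-HMAC-SHA1-96", "0x12": "AES256-CTS-HMAC-SHA1-96",
          "0x17": "RC4-HMAC", "0x18": "RC4-HMAC-EXP"}
WEAK = {"0x1", "0x3", "0x17", "0x18"}   # crackable offline from a captured TGS

def _tgs(ts, user, svc, etype, ip):
    return {TS: ts, EID: 4769, USER: user, SVC: svc, ETYPE: etype, IP: ip}

SAMPLE_4769 = [
    # attacker burst: one user, four SPNs, RC4, two seconds, one source host
    _tgs("2023-10-16T07:41:02", "johndoe@CYBERCACTUS.LOCAL", "MARKETINGPC$", "0x17", "::ffff:10.0.0.154"),
    _tgs("2023-10-16T07:41:03", "johndoe@CYBERCACTUS.LOCAL", "SALESPC$", "0x17", "::ffff:10.0.0.154"),
    _tgs("2023-10-16T07:41:03", "johndoe@CYBERCACTUS.LOCAL", "SQLService", "0x17", "::ffff:10.0.0.154"),
    _tgs("2023-10-16T07:41:04", "johndoe@CYBERCACTUS.LOCAL", "FileShareService", "0x17", "::ffff:10.0.0.154"),
    # benign (assumed): AES tickets, spread out in time, different host
    _tgs("2023-10-16T07:30:00", "asmith@CYBERCACTUS.LOCAL", "DC01$", "0x12", "::ffff:10.0.0.20"),
    _tgs("2023-10-16T07:45:10", "asmith@CYBERCACTUS.LOCAL", "SQLService", "0x12", "::ffff:10.0.0.20"),
]

def normalize_ip(ip):
    """The DC logs IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d); strip the prefix."""
    return ip[7:] if ip.startswith("::ffff:") else ip

def etype_summary(events):
    """Q1: {etype: (name, count, is_weak)} over all 4769 events."""
    counts = Counter(e[ETYPE] for e in events if e[EID] == 4769)
    return {et: (ETYPES.get(et, "unknown"), n, et in WEAK) for et, n in counts.items()}

def burst_requesters(events, window=timedelta(seconds=60), min_services=2):
    """Q2: users who requested TGS for >= min_services distinct SPNs inside `window`.
    Returns {user: sorted SPNs in the first qualifying window}."""
    by_user = defaultdict(list)
    for e in events:
        if e[EID] == 4769:
            by_user[e[USER]].append((datetime.fromisoformat(e[TS]), e[SVC]))
    hits = {}
    for user, reqs in by_user.items():
        reqs.sort()                      # chronological, so each start index opens a window
        for i, (t0, _) in enumerate(reqs):
            spns = {svc for t, svc in reqs[i:] if t - t0 <= window}
            if len(spns) >= min_services:
                hits[user] = sorted(spns)
                break
    return hits

def services_by_source(events, ip):
    """Q3: which SPNs one source host pulled tickets for (Counter of ServiceName)."""
    ip = normalize_ip(ip)
    return Counter(e[SVC] for e in events
                   if e[EID] == 4769 and normalize_ip(e[IP]) == ip)

def source_ips(events, service, user):
    """Q4: sorted source IPs behind TGS requests for `service` made as `user`."""
    return sorted({normalize_ip(e[IP]) for e in events
                   if e[EID] == 4769 and e[SVC] == service and e[USER] == user})

if __name__ == "__main__":
    print(etype_summary(SAMPLE_4769))
    for user, spns in burst_requesters(SAMPLE_4769).items():
        print(f"burst: {user} -> {spns}")
        for ip in source_ips(SAMPLE_4769, spns[0], user):
            print(f"  from {ip}: {dict(services_by_source(SAMPLE_4769, ip))}")
```

On the sample, the burst check names only johndoe, the pivot on 10.0.0.154 lists the four SPNs that host requested, and asmith's AES ticket for SQLService from 10.0.0.20 is correctly kept apart from the attacker's RC4 one.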
Q5-To understand the attacker’s actions following the login with the compromised service account, can you specify the service name installed on the Domain Controller (DC)?
- Event ID 7045 — “A service was installed in the system.”
- Description: This event is logged when a new service is installed on the system. It provides information about the service name, the executable path, and the service configuration.
- So I used this query:
index="kerberoasted" "winlog.event_id"=7045
| sort -_time
| table _time winlog.event_data.ServiceName winlog.event_data.ImagePath
Here's a breakdown of the Splunk query:
- Search the kerberoasted index and filter on Event ID 7045, which the Service Control Manager writes to the System log when a new service is created.
- sort -_time: newest first. As in Q2 it sits before table, because table discards _time unless it is listed.
- table: shows the timestamp, winlog.event_data.ServiceName (the new service's name) and winlog.event_data.ImagePath (the binary or command line the service runs), which is worth reading together with the name.
The answer : iOOEDsXjWeGRAyGl
- A 16-character random-looking service name is typical of remote service execution tooling, which registers a throwaway service to run a command on the target and usually removes it afterwards. A service installed by an administrator on a DC has a readable name and a vendor path.
Q6-To grasp the extent of the attacker’s intentions, what’s the complete registry key path where the attacker modified the value to enable Remote Desktop Protocol (RDP)?
- First I filtered on all the Event IDs related to RDP but found nothing 😶😑
- RDP is switched on and off by the registry value fDenyTSConnections under HKLM\System\CurrentControlSet\Control\Terminal Server: 1 denies connections, 0 allows them. Sysmon logs registry value writes as Event ID 13 (RegistryEvent, Value Set) with the full key path in TargetObject and the new value in Details, so searching for the key's name finds the change:
index="kerberoasted" "terminal server"
| table winlog.event_data.TargetObject winlog.event_data.Details
Here's a breakdown of the Splunk query:
- Search the kerberoasted index for the free-text phrase "terminal server", which matches the Terminal Server key in the path of the Sysmon registry events.
- table: shows winlog.event_data.TargetObject, the registry key or value the event was about.
The answer : HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
Q7-To create a comprehensive timeline of the attack, what is the UTC timestamp of the first recorded Remote Desktop Protocol (RDP) login event?
- Filter on Event ID 4624 with logon type 10.
- Event ID 4624: successful logon.
- Logon Type 10: RemoteInteractive, the session logon produced by RDP. With Network Level Authentication enabled it is preceded by a type 3 network logon from the CredSSP authentication, so filtering on type 10 gives the session itself rather than the pre-authentication.
index="kerberoasted" "winlog.event_id"=4624 "winlog.event_data.LogonType"=10
| sort _time
| table _time winlog.event_data.TargetUserName winlog.event_data.IpAddress
The first row is the earliest RDP session.
The answer : 16-10-2023 07:50:29
Q8-To unravel the persistence mechanism employed by the attacker, what is the name of the WMI event consumer responsible for maintaining persistence?
- Honestly, this question took me about 40 minutes, but it's a very easy one 😐
- Sysmon records a WMI permanent event subscription as three events: ID 19 (WmiFilterEvent, the __EventFilter with its WQL query), ID 20 (WmiConsumerEvent, the consumer that runs when the filter fires) and ID 21 (WmiBindingEvent, the __FilterToConsumerBinding that ties the two together). First I searched for anything mentioning WMI:
index="kerberoasted" WMI*
- That gave hits in the winlog.event_data.EventType field, so let's narrow the query to the consumer events:
index="kerberoasted" WMI* "winlog.event_data.EventType"=WmiConsumerEvent
| table winlog.event_data.Name winlog.event_data.Type winlog.event_data.Destination
The answer : updater
Q9-Which class does the WMI event subscription filter target in the WMI Event Subscription you’ve identified?
- Again I started from the same query and got hits in winlog.event_data.Name:
index="kerberoasted" WMI*
- Narrow it to the filter events; the WQL in the Query field names the class the filter watches (the part after ISA):
index="kerberoasted" WMI* "winlog.event_data.EventType"=WmiFilterEvent
| table winlog.event_data.Name winlog.event_data.Query
- And there it is 👌 :
The answer : Win32_NTLogEvent
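Q5 to Q9 chain four post-exploitation artefacts into a timeline: a 7045 service install, a Sysmon 13 registry write that flips fDenyTSConnections to 0, the first 4624 LogonType 10 session, and the Sysmon 19/20/21 trio that makes up a WMI permanent event subscription. The Python below, an added example rather than the author's or the lab's code, runs that triage over constructed events in the winlog.* layout and orders the findings in time. The filter name updaterFilter, the image path, the benign Sysmon64 entry, the second RDP logon and the exact timestamps are assumptions, as is the "DWORD (0x00000000)" rendering of the Details field.

```python
"""Post-compromise triage over System log (7045), Security log (4624) and Sysmon
(13, 19, 20, 21) events in the winlog.* layout. Sample events are constructed
for this example; the filter name, image path, benign entries, second RDP logon
and timestamps are assumptions."""
import re

EID, TS = "winlog.event_id", "@timestamp"

def _ev(ts, eid, **data):
    e = {TS: ts, EID: eid}
    e.update({"winlog.event_data." + k: v for k, v in data.items()})
    return e

def d(e, key, default=None):
    return e.get("winlog.event_data." + key, default)

SAMPLE_EVENTS = [
    _ev("2023-10-16T07:48:11", 7045, ServiceName="iOOEDsXjWeGRAyGl",
        ImagePath=r"C:\Windows\Temp\svc.exe"),                        # assumed path
    _ev("2023-10-15T09:00:00", 7045, ServiceName="Sysmon64",
        ImagePath=r"C:\Windows\Sysmon64.exe"),                        # benign install
    _ev("2023-10-16T07:49:30", 13, EventType="SetValue",
        TargetObject=r"HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
        Details="DWORD (0x00000000)"),                                # 0 = RDP enabled
    _ev("2023-10-16T07:50:29", 4624, LogonType="10", TargetUserName="SQLService",
        IpAddress="10.0.0.154"),
    _ev("2023-10-16T08:12:03", 4624, LogonType="10", TargetUserName="SQLService",
        IpAddress="10.0.0.154"),                                      # later session
    _ev("2023-10-16T07:53:10", 19, EventType="WmiFilterEvent", Name="updaterFilter",
        Query="SELECT * FROM __InstanceCreationEvent WITHIN 60 "
              "WHERE TargetInstance ISA 'Win32_NTLogEvent' AND TargetInstance.EventCode = '4624'"),
    _ev("2023-10-16T07:53:11", 20, EventType="WmiConsumerEvent", Name="updater",
        Type="Command Line", Destination=r"C:\Windows\Temp\svc.exe"),
    _ev("2023-10-16T07:53:12", 21, EventType="WmiBindingEvent",
        Consumer='CommandLineEventConsumer.Name="updater"',
        Filter='__EventFilter.Name="updaterFilter"'),
]

# Long, letters-only, mixed-case names are what remote-exec tooling generates.
RANDOM_NAME = re.compile(r"^(?=.*[a-z][A-Z])[A-Za-z]{12,}$")
CLASS_RE = re.compile(r"\bISA\s+'([^']+)'", re.I)   # class named in a WQL filter

def suspicious_services(events):
    """Q5: 7045 installs whose service name looks machine-generated."""
    return [d(e, "ServiceName") for e in events
            if e[EID] == 7045 and RANDOM_NAME.match(d(e, "ServiceName", ""))]

def rdp_enabled_writes(events):
    """Q6: Sysmon 13 writes that set fDenyTSConnections to 0 (RDP enabled)."""
    return [d(e, "TargetObject") for e in events
            if e[EID] == 13 and d(e, "TargetObject", "").endswith(r"\fDenyTSConnections")
            and "0x00000000" in d(e, "Details", "")]

def first_rdp_logon(events):
    """Q7: (timestamp, user, source ip) of the earliest 4624 with LogonType 10."""
    rdp = sorted((e[TS], d(e, "TargetUserName"), d(e, "IpAddress"))
                 for e in events if e[EID] == 4624 and d(e, "LogonType") == "10")
    return rdp[0] if rdp else None

def wmi_subscriptions(events):
    """Q8/Q9: consumers (name -> type), filters (name -> watched class), bindings."""
    out = {"consumers": {}, "filters": {}, "bindings": []}
    for e in events:
        if e[EID] == 19:
            m = CLASS_RE.search(d(e, "Query", ""))
            out["filters"][d(e, "Name")] = m.group(1) if m else None
        elif e[EID] == 20:
            out["consumers"][d(e, "Name")] = d(e, "Type")
        elif e[EID] == 21:
            out["bindings"].append((d(e, "Filter"), d(e, "Consumer")))
    return out

def timeline(events):
    """Chronological (timestamp, label) rows for the attacker-relevant events only."""
    rows = []
    for e in events:
        eid = e[EID]
        if eid == 7045 and suspicious_services([e]):
            rows.append((e[TS], f"service installed: {d(e, 'ServiceName')}"))
        elif eid == 13 and rdp_enabled_writes([e]):
            rows.append((e[TS], "RDP enabled: fDenyTSConnections set to 0"))
        elif eid == 4624 and d(e, "LogonType") == "10":
            rows.append((e[TS], f"RDP logon: {d(e, 'TargetUserName')} from {d(e, 'IpAddress')}"))
        elif eid in (19, 20, 21):
            rows.append((e[TS], f"WMI {d(e, 'EventType')}: {d(e, 'Name') or d(e, 'Consumer')}"))
    return sorted(rows)

if __name__ == "__main__":
    for ts, label in timeline(SAMPLE_EVENTS):
        print(ts, label)
```

The timeline is sorted on the ISO-8601 timestamp string, which orders correctly as long as every event uses the same UTC format; the benign Sysmon64 install drops out because its name fails the random-name heuristic, and the subscription's filter and consumer are resolved from their own events rather than from the binding's string references.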
THE END
BY Ahmed Nasser