Campfire-1 Sherlock
What to expect
Examine artifacts and logs from a Domain Controller, as well as endpoint artifacts from where Kerberoast attack activity originated. We will explore what to look for to properly identify Kerberoasting attack activity and how to avoid false positives given the complexity of Active Directory.
Evidence provided
- Security Logs from Domain Controller
- PowerShell-Operational Logs from the affected workstation
- Prefetch Files from the affected workstation
Technical Analysis
Task 1
Analyzing Domain Controller Security Logs, can you confirm the date & time when the kerberoasting activity occurred?
R = 2024-05-21 03:18:09
After refreshing the topic of Kerberoasting using the following resources: one, two; I went on the hunt.
This technique involves requesting Ticket Granting Service (TGS) tickets: the ticket itself is encrypted with the secret of the account that owns the requested service, so once that ticket is cracked offline it exposes the secret of the requested service account. Performing Kerberoasting involves looking for SPNs that support the RC4 encryption algorithm, as it is susceptible to password cracking tools. Knowing this, it is implicit that we start by filtering the evtx file by Event ID 4769; I am using “Event Log Explorer”.
As I mentioned, when performing Kerberoasting, SPNs that support RC4 are looked for. How is this reflected in the Windows Event Log?
Looking at the event documentation, we have to look for the field Ticket Encryption Type having the value 0x17. From the short research I’ve done, 0x18 is never mentioned, but it would still be worth looking for it as well.
Once I went through the logs, there was only one log matching the encryption type. We can notice that the Service Name to which access was requested is MSSQLService, thus the intent is to move laterally (e.g. into other systems) or to escalate privileges (e.g. if the account has higher privileges within the domain) using the MSSQLService account.
Keep in mind that the viewer shows the log timestamps in your local time; make sure to add or subtract the relevant hours to get the time as logged by the Domain Controller.
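As an added example (not code from the original writeup), the Task 1 filter expressed as a small Python triage script: it applies the 0x17/0x18 encryption-type check to 4769 records, drops the usual false positives (machine accounts, krbtgt) and converts the EVTX UTC timestamp to the viewer's local offset. The 4769 records, the WS01$ machine account, the svc_backup user and the 172.17.79.10 address are constructed for this example.

```python
# Sample records below are constructed; EVTX SystemTime is stored in UTC.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

RC4_ETYPES = {"0x17", "0x18"}  # 0x17 = RC4-HMAC, 0x18 = RC4-HMAC-EXP (4769 docs)

@dataclass
class TgsEvent:
    time_utc: str    # SystemTime from the EVTX, e.g. "2024-05-21T03:18:09"
    account: str     # TargetUserName: who requested the ticket
    service: str     # ServiceName: the SPN owner the ticket is for
    client_ip: str   # IpAddress: where the request came from
    etype: str       # TicketEncryptionType
    status: str      # Status: "0x0" means the ticket was issued

def is_kerberoast_candidate(ev: TgsEvent) -> bool:
    """RC4 ticket issued for a non-machine, non-krbtgt service account."""
    if ev.etype.lower() not in RC4_ETYPES:
        return False            # AES tickets are not the usual crack target
    if ev.status != "0x0":
        return False            # failed request: no ticket was handed out
    svc = ev.service.lower()
    if svc.endswith("$"):
        return False            # machine accounts: long random passwords
    if svc == "krbtgt" or svc.startswith("krbtgt/"):
        return False            # TGT renewals, normal noise
    return True

def find_kerberoast(events):
    return [e for e in events if is_kerberoast_candidate(e)]

def to_local(time_utc: str, offset_hours: int) -> str:
    """Shift an EVTX UTC timestamp by the viewer's local offset (Task 1 caveat)."""
    t = datetime.fromisoformat(time_utc).replace(tzinfo=timezone.utc)
    return (t + timedelta(hours=offset_hours)).strftime("%Y-%m-%d %H:%M:%S")

# Constructed sample: a machine-account RC4 request, a krbtgt renewal,
# an AES request for the same SPN, and the single hit from the writeup.
SAMPLE_EVENTS = [
    TgsEvent("2024-05-21T03:10:01", "WS01$", "WS01$", "172.17.79.129", "0x17", "0x0"),
    TgsEvent("2024-05-21T03:12:44", "alonzo.spire", "krbtgt", "172.17.79.129", "0x17", "0x0"),
    TgsEvent("2024-05-21T03:15:20", "svc_backup", "MSSQLService", "172.17.79.10", "0x12", "0x0"),
    TgsEvent("2024-05-21T03:18:09", "alonzo.spire", "MSSQLService", "172.17.79.129", "0x17", "0x0"),
]
```

Run against the real logs by mapping each 4769 record's fields onto TgsEvent; only the RC4 MSSQLService request from 172.17.79.129 survives the filter.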
Task 2
What is the Service Name that was targeted?
R= MSSQLService
From the last log shown in Task 1, a Kerberos ticket was requested in order to access MSSQLService.
Task 3
It is really important to identify the Workstation from which this activity occurred. What is the IP Address of the workstation?
R= 172.17.79.129
Task 4
Now that we have identified the workstation, a triage including PowerShell logs and Prefetch files is provided to you for some deeper insights so we can understand how this activity occurred on the endpoint. What is the name of the file used to enumerate Active Directory objects and possibly find Kerberoastable accounts in the network?
R= powerview.ps1
Almost all of the PowerShell logs indicate usage of PowerView, which can be used to perform AD enumeration and find possibly Kerberoastable accounts.
Task 5
When was this script executed?
R=2024-05-21 03:16:32
Going through the logs, we notice that the first execution attempt failed due to the Execution Policy set at that moment.
Afterwards, the ExecutionPolicy was set to Bypass in order to allow execution of third-party scripts.
Then we can see the 4104 event “Execute a Remote Command”, which gives enough evidence to confirm that powerview.ps1 was executed successfully.
Task 6
What is the full path of the tool used to perform the actual kerberoasting attack?
R=C:\Users\Alonzo.spire\Downloads\Rubeus.exe
Using Eric Zimmerman’s PECmd to analyze the prefetch files, we were able to find the file executed at the time of the Kerberoasting activity detected in the Domain Controller Security log: Rubeus, another well-known tool widely used to perform Kerberoasting.
Task 7
When was the tool executed to dump credentials?
R=2024-05-21 03:18:08
Looking at the RunTime column for the detected RUBEUS.EXE prefetch file, it was run on 2024-05-21 03:18:08.