Kerberoasted Lab
During the Kerberos authentication process, several security-related events are generated in the Windows Event Log when a user connects to an MSSQL server:
Event ID 4768 (Kerberos TGT Request): Occurs when the client workstation requests a TGT from the KDC; the event is written to the Security log on the domain controller.
Event ID 4769 (Kerberos Service Ticket Request): Generated after the client receives the TGT and requests a TGS for the MSSQL server's SPN.
Event ID 4624 (Logon): Logged in the Security log on the MSSQL server, indicating a successful logon once the client initiates a connection to the MSSQL server and logs in using the service account associated with the SPN to establish the connection.
Q1) To mitigate Kerberoasting attacks effectively, we need to strengthen the encryption type the Kerberos protocol uses. What encryption type is currently in use within the network?
index="kerberoasted" event.code=4769
| dedup winlog.event_data.ServiceName, winlog.event_data.TicketEncryptionType
| table winlog.event_data.ServiceName winlog.event_data.TicketEncryptionType

A quick Google search on the 0x17 encryption type shows that it is RC4-HMAC.

Answer: RC4-HMAC
Q2) What is the username of the account that sequentially requested Ticket Granting Service (TGS) for two distinct application services within a short timeframe?
index="kerberoasted" event.code=4769
| stats values(winlog.event_data.ServiceName) as Ticketcount by winlog.event_data.TargetUserName

In this data set, two users, janesmith and johndoe, request TGS tickets for five hosts. Adding _time to the query shows which of the two requested tickets for two different services back to back.
index="kerberoasted" event.code=4769 (winlog.event_data.TargetUserName=janesmith* OR winlog.event_data.TargetUserName=johndoe*)
| stats values(winlog.event_data.ServiceName) by winlog.event_data.TargetUserName, _time
| sort -_time

Answer: johndoe
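The two checks behind Q1 and Q2 (weak ticket encryption type, and one account requesting TGS for several SPNs in a short window) expressed as detection logic over flattened 4769 records. This is an added example, not part of the original writeup; the sample events, account names, service names, IPs and times are constructed, and TargetUserName is assumed to carry a realm suffix.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Event ID 4769 records, flattened from the winlog.event_data
# fields the Splunk queries above use. Names, IPs and times are invented.
SAMPLE_4769 = [
    {"_time": "2023-10-16T07:30:00Z", "TargetUserName": "janesmith@CORP.LOCAL",
     "ServiceName": "SQLService", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.21"},
    {"_time": "2023-10-16T08:30:00Z", "TargetUserName": "janesmith@CORP.LOCAL",
     "ServiceName": "WebService", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.21"},
    {"_time": "2023-10-16T07:40:01Z", "TargetUserName": "johndoe@CORP.LOCAL",
     "ServiceName": "SQLService", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.154"},
    {"_time": "2023-10-16T07:40:09Z", "TargetUserName": "johndoe@CORP.LOCAL",
     "ServiceName": "WebService", "TicketEncryptionType": "0x17", "IpAddress": "10.0.0.154"},
    {"_time": "2023-10-16T07:41:00Z", "TargetUserName": "johndoe@CORP.LOCAL",
     "ServiceName": "FileService", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.154"},
]

RC4_HMAC = "0x17"  # Kerberos etype 23 (RC4-HMAC); 0x12 is AES256-CTS-HMAC-SHA1-96


def _user(event):
    # TargetUserName is assumed to carry a realm suffix, which is why the
    # queries above match johndoe* rather than an exact name.
    return event["TargetUserName"].split("@")[0].lower()


def _time(event):
    return datetime.strptime(event["_time"], "%Y-%m-%dT%H:%M:%SZ")


def rc4_service_tickets(events):
    """Q1 logic: distinct (ServiceName, TicketEncryptionType) pairs issued with RC4-HMAC."""
    return sorted({(e["ServiceName"], e["TicketEncryptionType"])
                   for e in events if e["TicketEncryptionType"] == RC4_HMAC})


def burst_requesters(events, window=timedelta(minutes=2), min_services=2):
    """Q2 logic: users who requested TGS for >= min_services distinct SPNs inside
    any sliding window of length `window`. Returns {user: sorted service names}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[_user(e)].append((_time(e), e["ServiceName"]))
    flagged = {}
    for user, reqs in by_user.items():
        reqs.sort()  # oldest request first so each window starts at a real request
        for start, _ in reqs:
            services = {svc for t, svc in reqs if start <= t <= start + window}
            if len(services) >= min_services:
                flagged[user] = sorted(services)
                break
    return flagged
```

Both functions return data rather than printing, so the same logic can be pointed at exported 4769 events once they are flattened to these field names.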
Q3) We must delve deeper into the logs to pinpoint any compromised service accounts for a comprehensive investigation into potential successful kerberoasting attack attempts. Can you provide the account name of the compromised service account?
index="kerberoasted" event.code=4769 (winlog.event_data.TargetUserName=janesmith* OR winlog.event_data.TargetUserName=johndoe*)
| stats count by winlog.event_data.TargetUserName, winlog.event_data.ServiceName
| table winlog.event_data.TargetUserName, winlog.event_data.ServiceName, count
| sort count

The attacker requested three tickets for the SQLService.
Answer: SQLService
Q4) To track the attacker's entry point, we need to identify the machine initially compromised by the attacker. What is the machine's IP address?
index="kerberoasted" event.code=4769 winlog.event_data.TargetUserName=johndoe*
| stats count by winlog.event_data.TargetUserName, winlog.event_data.ServiceName, winlog.event_data.IpAddress

Answer: 10.0.0.154
Q5) To understand the attacker's actions following the login with the compromised service account, can you specify the service name installed on the Domain Controller (DC)?
index="kerberoasted" event.code=7045
| table _time, host, winlog.event_data.ServiceName

Answer: iOOEDsXjWeGRAyGl
Q6) To grasp the extent of the attacker's intentions, what's the complete registry key path where the attacker modified the value to enable Remote Desktop Protocol (RDP)?
index="kerberoasted" event.code=1 winlog.event_data.Image="*reg.exe"
| table winlog.event_data.Image, winlog.event_data.CommandLine, winlog.event_data.ParentCommandLine

Alternatively, Sysmon Event ID 13 (registry value set) records the same modification:
index="kerberoasted" event.code=13 winlog.event_data.Image="*reg.exe"

Answer: HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
Q7) To create a comprehensive timeline of the attack, what is the UTC timestamp of the first recorded Remote Desktop Protocol (RDP) login event?
index="kerberoasted" (event.code=4624 OR event.code=4625) winlog.event_data.LogonType=10
| table _time, event.code

Answer: 16-10-2023 07:50:29
Q8) To unravel the persistence mechanism employed by the attacker, what is the name of the WMI event consumer responsible for maintaining persistence?
Attackers often exploit Windows Management Instrumentation (WMI) as a stealthy persistence mechanism. WMI is a powerful framework in Windows that allows administrators to perform tasks like querying system information, managing files, and automating processes. However, attackers can abuse this legitimate functionality to establish persistence on a compromised system.
I used Sysmon Event ID 19, 20, and 21 to track WMI event filter creation, consumer creation, and binding activities.
index="kerberoasted" (event.code=19 OR event.code=20 OR event.code=21)
| table _time, event.code, winlog.event_data.EventType, winlog.event_data.Name, winlog.event_data.Query

Answer: Updater
Q9) Which class does the WMI event subscription filter target in the WMI Event Subscription you've identified?

Answer: Win32_NTLogEvent