Kerberoasted Lab
Last updated
During the Kerberos authentication process, several security-related events are generated in the Windows Event Log when a user connects to an MSSQL server:
Event ID 4768 (Kerberos TGT Request)
: Occurs when the client workstation requests a TGT from the KDC, generating this event in the Security log on the domain controller.
Event ID 4769 (Kerberos Service Ticket Request)
: Generated after the client receives the TGT and requests a TGS for the MSSQL server's SPN.
Event ID 4624 (Logon)
: Logged in the Security log on the MSSQL server once the client initiates a connection and authenticates with the service ticket issued for the SPN, indicating a successful logon.
Q1) To mitigate Kerberoasting attacks effectively, we need to strengthen the encryption Kerberos protocol uses. What encryption type is currently in use within the network?
The 4769 events show ticket encryption type 0x17; a quick Google search on that value identifies it.
Answer: RC4-HMAC
Q2) What is the username of the account that sequentially requested Ticket Granting Service (TGS) for two distinct application services within a short timeframe?
Two users, Janesmith and Johndoe, are requesting TGS tickets for five hosts.
Answer: johndoe
Q3) We must delve deeper into the logs to pinpoint any compromised service accounts for a comprehensive investigation into potential successful kerberoasting attack attempts. Can you provide the account name of the compromised service account?
The attacker requested three tickets for SQLService within a short timeframe.
Answer: SQLService
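The three questions above come down to the same triage over Event ID 4769 records: flag service ticket requests with the weak RC4 encryption type (0x17), find accounts that request tickets for several distinct services in a short window, and count how often each service account is targeted. The following Python is an added example written for this write-up, not code from the lab or its author; the event records are constructed (field names mirror 4769's TargetUserName, ServiceName, TicketEncryptionType and IpAddress, and the user and service names are placeholders), and the five-minute window and two-service threshold are assumed tuning values.

```python
"""Kerberoasting triage over constructed Event ID 4769 (service ticket request) records."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample records for this example (not the lab's real events).
SAMPLE_4769 = [
    {"time": "2023-10-16 07:41:02", "user": "johndoe",   "service": "SQLService", "enc": "0x17", "ip": "10.0.0.154"},
    {"time": "2023-10-16 07:41:05", "user": "johndoe",   "service": "WebService", "enc": "0x17", "ip": "10.0.0.154"},
    {"time": "2023-10-16 07:41:09", "user": "johndoe",   "service": "SQLService", "enc": "0x17", "ip": "10.0.0.154"},
    {"time": "2023-10-16 07:43:30", "user": "johndoe",   "service": "SQLService", "enc": "0x17", "ip": "10.0.0.154"},
    {"time": "2023-10-16 08:10:00", "user": "janesmith", "service": "SQLService", "enc": "0x12", "ip": "10.0.0.21"},
    {"time": "2023-10-16 09:30:00", "user": "janesmith", "service": "WebService", "enc": "0x12", "ip": "10.0.0.21"},
    {"time": "2023-10-16 07:41:20", "user": "WKSTN01$",  "service": "krbtgt",     "enc": "0x12", "ip": "10.0.0.154"},
]

# TicketEncryptionType values as they appear in 4769 EventData.
ENC_NAMES = {
    "0x17": "RC4-HMAC",
    "0x18": "RC4-HMAC-EXP",
    "0x11": "AES128-CTS-HMAC-SHA1-96",
    "0x12": "AES256-CTS-HMAC-SHA1-96",
}
RC4_TYPES = {"0x17", "0x18"}


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")


def is_noise(event):
    # Computer accounts and krbtgt (TGT renewals) are not Kerberoastable targets.
    user, service = event["user"], event["service"]
    return user.endswith("$") or service.endswith("$") or service.lower() == "krbtgt"


def rc4_requests(events):
    """Service ticket requests that used an RC4 encryption type (0x17 / 0x18)."""
    return [e for e in events if not is_noise(e) and e["enc"] in RC4_TYPES]


def burst_requesters(events, window=timedelta(minutes=5), min_services=2):
    """Accounts that requested tickets for >= min_services distinct services within `window`."""
    by_user = defaultdict(list)
    for e in events:
        if not is_noise(e):
            by_user[e["user"]].append(e)
    hits = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: parse_time(e["time"]))
        for i, start in enumerate(evs):
            t0 = parse_time(start["time"])
            services = {e["service"] for e in evs[i:] if parse_time(e["time"]) - t0 <= window}
            if len(services) >= min_services:
                hits[user] = sorted(services)
                break
    return hits


def service_request_counts(events, user):
    """How many RC4 tickets `user` requested per service account (most-targeted first)."""
    return Counter(e["service"] for e in rc4_requests(events) if e["user"] == user)


def source_ips(events, user):
    """Client IP addresses from which `user` requested RC4 service tickets."""
    return sorted({e["ip"] for e in rc4_requests(events) if e["user"] == user})


if __name__ == "__main__":
    for e in rc4_requests(SAMPLE_4769):
        print(f"{e['time']} {e['user']:<10} -> {e['service']:<11} {ENC_NAMES[e['enc']]} from {e['ip']}")
    for user, services in burst_requesters(SAMPLE_4769).items():
        print(f"burst: {user} requested {services}; counts {dict(service_request_counts(SAMPLE_4769, user))}; from {source_ips(SAMPLE_4769, user)}")
```

The window-based check deliberately ignores janesmith, whose two requests are over an hour apart, while johndoe's four requests within three minutes for two different service accounts stand out; the per-service count then shows which service account was targeted most, and the source IP gives the workstation to look at next.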
Q4) To track the attacker's entry point, we need to identify the machine initially compromised by the attacker. What is the machine's IP address?
Answer: 10.0.0.154
Q5) To understand the attacker's actions following the login with the compromised service account, can you specify the service name installed on the Domain Controller (DC)?
Answer: iOOEDsXjWeGRAyGl
Q6) To grasp the extent of the attacker's intentions, what is the complete registry key path where the attacker modified the value to enable Remote Desktop Protocol (RDP)?
Alternatively, we can use Sysmon Event ID 13 (registry value set) to find the modification.
Answer: HKLM\System\CurrentControlSet\Control\Terminal Server\fDenyTSConnections
Q7) To create a comprehensive timeline of the attack, what is the UTC timestamp of the first recorded Remote Desktop Protocol (RDP) login event?
Answer: 16-10-2023 07:50:29
Q8) To unravel the persistence mechanism employed by the attacker, what is the name of the WMI event consumer responsible for maintaining persistence?
Attackers often exploit Windows Management Instrumentation (WMI) as a stealthy persistence mechanism. WMI is a powerful framework in Windows that allows administrators to perform tasks like querying system information, managing files, and automating processes. However, attackers can abuse this legitimate functionality to establish persistence on a compromised system.
I used Sysmon Event ID 19, 20, and 21 to track WMI event filter creation, consumer creation, and binding activities.
Answer: Updater
Q9) Which class does the WMI event subscription filter target in the WMI Event Subscription you've identified?
Answer: Win32_NTLogEvent
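Sysmon Event IDs 19, 20 and 21 each describe one piece of a permanent WMI subscription (the filter with its WQL query, the consumer with its action, and the binding that ties the two together), so answering Q8 and Q9 means joining the three by name and pulling the target class out of the filter's query. The Python below is an added example, not code from the lab or its author: the Sysmon records are constructed (field names follow Sysmon's WmiEvent EventData; the filter name, user and consumer destination are placeholders), while the consumer name and target class are the ones found in the lab.

```python
"""Reconstruct WMI permanent event subscriptions from constructed Sysmon 19/20/21 records."""
import re

# Constructed Sysmon WmiEvent records for this example (not the lab's real events).
SAMPLE_SYSMON = [
    {"eid": 19, "Operation": "Created", "User": "LAB\\placeholder-user", "Name": "UpdaterFilter",
     "EventNamespace": "root\\cimv2",
     "Query": "SELECT * FROM __InstanceCreationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_NTLogEvent' "
              "AND TargetInstance.EventCode = '4624'"},
    {"eid": 20, "Operation": "Created", "User": "LAB\\placeholder-user", "Name": "Updater",
     "Type": "Command Line", "Destination": "C:\\Windows\\Temp\\placeholder.exe"},
    {"eid": 21, "Operation": "Created", "User": "LAB\\placeholder-user",
     "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="UpdaterFilter"'},
]

# Sysmon 21 references the filter and consumer as WMI object paths, e.g. __EventFilter.Name="X".
NAME_RE = re.compile(r'Name="([^"]+)"')
# Intrinsic-event queries name the class they watch via "TargetInstance ISA 'Class'".
ISA_RE = re.compile(r"ISA\s+'([^']+)'", re.IGNORECASE)
# Extrinsic-event queries name the class directly after FROM (e.g. Win32_ProcessStartTrace).
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.IGNORECASE)

# Consumer types that execute arbitrary commands or scripts deserve a closer look.
EXECUTING_CONSUMER_TYPES = {"Command Line", "Active Script"}


def target_class(query):
    """Return the WMI class a filter's WQL query targets, or None if it cannot be determined."""
    m = ISA_RE.search(query)
    if m:
        return m.group(1)
    m = FROM_RE.search(query)
    if m and not m.group(1).startswith("__"):
        return m.group(1)
    return None


def referenced_name(object_path):
    m = NAME_RE.search(object_path or "")
    return m.group(1) if m else None


def reconstruct_subscriptions(events):
    """Join Sysmon 19 (filter), 20 (consumer) and 21 (binding) records into subscriptions."""
    filters = {e["Name"]: e for e in events if e["eid"] == 19}
    consumers = {e["Name"]: e for e in events if e["eid"] == 20}
    subscriptions = []
    for binding in (e for e in events if e["eid"] == 21):
        filter_name = referenced_name(binding.get("Filter"))
        consumer_name = referenced_name(binding.get("Consumer"))
        filt = filters.get(filter_name, {})
        cons = consumers.get(consumer_name, {})
        subscriptions.append({
            "consumer": consumer_name,
            "consumer_type": cons.get("Type"),
            "destination": cons.get("Destination"),
            "filter": filter_name,
            "query": filt.get("Query"),
            "target_class": target_class(filt.get("Query", "")),
            "created_by": binding.get("User"),
            "executes_code": cons.get("Type") in EXECUTING_CONSUMER_TYPES,
        })
    return subscriptions


if __name__ == "__main__":
    for sub in reconstruct_subscriptions(SAMPLE_SYSMON):
        flag = "REVIEW" if sub["executes_code"] else "info"
        print(f"[{flag}] consumer={sub['consumer']} ({sub['consumer_type']}) "
              f"filter={sub['filter']} targets {sub['target_class']} -> {sub['destination']}")
```

Joining on the binding rather than on the individual 19 and 20 events matters because an attacker can create the filter and consumer minutes apart, or reuse an existing filter; only the 21 record proves the two were wired together into a live subscription.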