Campfire-1

Write-up author: jon-brandy

image

Lessons Learned:

  1. Using EventViewer to analyze DC's security logs.
  2. Kerberoasting Attack Analysis.
  3. Using PECmd.exe to convert prefetch file to csv format.
  4. Using Timeline Explorer to review the csv formatted prefetch file.
  5. Identifying common kerberoasting tools.

SCENARIO:

Alonzo spotted weird files on his computer and informed the newly assembled SOC team. Assessing the situation, it is believed a Kerberoasting attack may have occurred in the network. It is your job to confirm the findings by analyzing the provided evidence. You are provided with:

  1. Security logs from the Domain Controller
  2. PowerShell-Operational logs from the affected workstation
  3. Prefetch files from the affected workstation

STEPS:

  1. In this case, we're tasked with investigating a kerberoasting attack on Alonzo's computer. It is known that he spotted a few weird files on his computer.
  2. Later on, the SOC team was informed and asked to assess the situation.
  3. The SOC team concluded that the situation is the result of a kerberoasting attack in the network, and we're asked to confirm their findings by analyzing the provided evidence.
  4. We're provided with security logs from the Domain Controller, PowerShell-Operational logs, and prefetch files from the affected workstation.

1ST QUESTION --> ANS: 2024-05-21 03:18:09

image

  1. The easiest way to identify the initial kerberoasting attempt is to filter for Event ID 4769 (A Kerberos service ticket was requested).
  2. Next, check for a service name that is not krbtgt and does not end with a $ sign (a trailing $ indicates a computer account, i.e. a workstation).
  3. Also note that the ticket encryption type should be 0x17 (RC4-HMAC) and the failure code must be 0x0 (the ticket was actually issued).
  4. Upon reviewing all the logs, we found one that met our requirements.

image

2ND QUESTION --> ANS: MSSQLService

image

  1. Based on the log, MSSQLService appears to be the targeted service name.
  2. Reviewing the previous log, we can identify that the workstation used for this kerberoasting attack is FORELA-WKSTN001.

image

3RD QUESTION --> ANS: 172.17.79.129

image

  1. The IP address of the workstation is also shown in the initial kerberoasting attempt and in its previous log.
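As an added example (not part of the write-up), the same Event ID 4769 filter applied in Python to constructed records in the Security-log XML shape, pulling out the timestamp, service name and client IP answered in questions 1 to 3. The three non-matching records, their timestamps and the Status 0x7 value are constructed for illustration; only the matching record carries the values the write-up found.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(ts, **data):
    """Build a minimal 4769 record in Security-log XML (constructed sample)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4769</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System>'
            f'<EventData>{fields}</EventData></Event>')

# Constructed records; only the third one carries the values from the write-up
SAMPLE_4769 = [
    # computer account (ends with $), AES (0x12): ordinary noise
    _event("2024-05-21T03:10:01Z", ServiceName="FORELA-WKSTN001$",
           TicketEncryptionType="0x12", IpAddress="::ffff:172.17.79.129", Status="0x0"),
    # krbtgt: TGT renewal, excluded by name
    _event("2024-05-21T03:12:40Z", ServiceName="krbtgt",
           TicketEncryptionType="0x12", IpAddress="::ffff:172.17.79.129", Status="0x0"),
    # RC4 (0x17) ticket for a user SPN, issued (0x0): the kerberoasting hit
    _event("2024-05-21T03:18:09Z", ServiceName="MSSQLService",
           TicketEncryptionType="0x17", IpAddress="::ffff:172.17.79.129", Status="0x0"),
    # same request pattern but the KDC refused it (Status 0x7): no ticket to crack
    _event("2024-05-21T03:18:20Z", ServiceName="MSSQLService",
           TicketEncryptionType="0x17", IpAddress="::ffff:172.17.79.129", Status="0x7"),
]

def parse_4769(xml_text):
    """Flatten one 4769 event into a dict of EventData fields plus TimeCreated."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    ev["TimeCreated"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return ev

def is_roasting_candidate(ev):
    """The write-up's filter: not krbtgt, not a computer account, RC4, issued."""
    svc = ev.get("ServiceName", "")
    return (svc.lower() != "krbtgt" and not svc.endswith("$")
            and ev.get("TicketEncryptionType") == "0x17"
            and ev.get("Status") == "0x0")

def find_candidates(xml_events):
    """Return matching events oldest first, with the IPv4-mapped prefix stripped."""
    hits = [e for e in map(parse_4769, xml_events) if is_roasting_candidate(e)]
    for e in hits:
        e["IpAddress"] = e.get("IpAddress", "").removeprefix("::ffff:")
    return sorted(hits, key=lambda e: e["TimeCreated"])
```

The first hit's TimeCreated, ServiceName and IpAddress are the answers to questions 1, 2 and 3; on a real export, feed the Event XML of each 4769 record to find_candidates in the same way.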

image

4TH QUESTION --> ANS: powerview.ps1

image

  1. Moving on to the PowerShell event logs, we can identify which PowerShell script the threat actor used to enumerate AD objects and hunt for kerberoastable accounts in the network.
  2. Upon further review of the script, searching for variable names related to AD and checking its logic, we can confirm that it is indeed the script that was used.

image

image

5TH QUESTION --> ANS: 2024-05-21 03:16:32

image

  1. Based on our previous identification, the initial execution of the script was at 2024-05-21 03:16:32.

image

6TH QUESTION --> ANS: C:\Users\Alonzo.spire\Downloads\Rubeus.exe

image

  1. After identifying which account is kerberoastable, the threat actor continued the attack by executing a specific kerberoasting tool.
  2. Upon reviewing the prefetch files given, a tool named RUBEUS caught my attention.
  3. Things to note: RUBEUS, IMPACKET (GetUserSPNs.py), and POWERSPLOIT (Invoke-Kerberoast) are common tools used for kerberoasting.

image

  1. Now let's convert the prefetch file to a CSV file and review it in Timeline Explorer to gain more information about the tool's properties.

USING PECmd.exe to convert a .pf file to CSV:

.\PECmd.exe -f 'pathfile.pf' --csv . --csvf result.csv

image

RESULT IN TIMELINE EXPLORER

image

  1. To identify its path, simply check the Files Loaded column.

image

image

  1. Nice! We've identified the full path.

7TH QUESTION --> ANS: 2024-05-21 03:18:08

image

  1. Next, to identify the execution timestamp, simply check the Last Run column.

image

  1. Great! We've investigated the case!

IMPORTANT LINKS

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/auditing/event-4769
https://www.cybertriage.com/blog/dfir-breakdown-kerberoasting/