Campfire-2 – Hack The Box Sherlock

AS-REP Roasting Detection

Scenario

Forela’s Network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from KDC on a domain controller. Inventory shows that this user account is not used as of now so you are tasked to take a look at this. This may be an AsREP roasting attack as anyone can request any user’s ticket which has preauthentication disabled.

Task 1 – When did the ASREP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?

AS-REP Roasting is an Active Directory attack that lets an attacker extract password hashes without knowing any credentials, if the target account is misconfigured.

In AD, a user account can have the flag “Do not require Kerberos preauthentication” enabled.

When this is set:

  • The KDC will return an AS-REP to anyone who asks for that user, without any proof of the password
  • Part of that AS-REP is encrypted with a key derived from the user’s password, so it can be attacked offline

Attack Flow:

  1. Attacker queries the domain controller for users without pre-auth
  2. DC responds with AS-REP encrypted data
  3. Attacker cracks it offline
  4. Password recovered → domain access

Detecting AS-REP Roasting:

  • Look for Event ID 4768: A Kerberos authentication ticket (TGT) was requested
  • Pre-Authentication Type = 0 (no pre-auth was performed)
  • Ticket Encryption Type = 0x17 (RC4-HMAC, the easiest to crack)
  • Multiple 4768s for different users from the same IP
  • Source IP is a workstation or attacker host, not a DC

Filtering on Event ID 4768 in Security.evtx, we find the request at 2024-05-29 08:36:40 local time, which is 2024-05-29 06:36:40 UTC.

Task 2 – Please confirm the User Account that was targeted by the attacker.

  • Based on the previous log found, the user is arthur.kyle

Task 3 – What was the SID of the account?

  • Based on the previous log, the SID is S-1-5-21-3239415629-1862073780-2394361899-1601

Task 4 – It is crucial to identify the compromised user account and the workstation responsible for this attack. Please list the internal IP address of the compromised asset to assist our threat-hunting team.

  • Based on the previous log, the attacker’s IP is 172.17.79.129

Task 5 – We do not have any artifacts from the source machine yet. Using the same DC Security logs, can you confirm the user account used to perform the ASREP Roasting attack so we can contain the compromised account/s?

  • The IP 172.17.79.129 is used by happy.grunwald: directly after the TGT request, this user requests a TGS (Event ID 4769) from the same IP
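The detection checklist above and the Task 5 correlation can both be expressed as a small script. The following is an added Python example, not part of the original write-up or of the Sherlock files: it runs over constructed dict records modelled on the EventData fields of Security events 4768 and 4769 (not parsed EVTX), flags AS-REP roasting candidates, groups them by source host, and then lists which account requested service tickets from that host right afterwards. Only the arthur.kyle row (time, SID, source IP) follows the write-up; the DC address in DC_IPS, the FORELA.LOCAL suffix, the svc-backup account, the failed "nobody" request, the 4769 timestamp and the DC01$ row are invented noise to show how the filters behave.

```python
"""Added example: AS-REP roasting triage over Security log records.
Records are constructed dicts, not real EVTX; field names follow EventData."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumption: addresses of the domain controllers, whose own requests are ignored.
DC_IPS = {"172.17.79.4"}


def rec(eid, ts, user, ip, preauth="-", enc="-", status="0x0", sid="-"):
    """Build one constructed event record with the 4768/4769 fields we need."""
    return {"EventID": eid, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "PreAuthType": preauth,
            "TicketEncryptionType": enc, "Status": status, "TargetSid": sid}


# Constructed sample log: only the arthur.kyle row mirrors the write-up.
SAMPLE_EVENTS = [
    rec(4768, "2024-05-29T06:30:11Z", "happy.grunwald", "::ffff:172.17.79.129", "2", "0x12"),
    rec(4768, "2024-05-29T06:36:40Z", "arthur.kyle", "::ffff:172.17.79.129", "0", "0x17",
        sid="S-1-5-21-3239415629-1862073780-2394361899-1601"),
    rec(4768, "2024-05-29T06:36:41Z", "svc-backup", "::ffff:172.17.79.129", "0", "0x17"),
    rec(4768, "2024-05-29T06:36:50Z", "nobody", "::ffff:172.17.79.129", "-", "0xffffffff", "0x6"),
    rec(4769, "2024-05-29T06:36:58Z", "happy.grunwald@FORELA.LOCAL", "::ffff:172.17.79.129", enc="0x12"),
    rec(4768, "2024-05-29T06:37:30Z", "DC01$", "::ffff:172.17.79.4", "2", "0x12"),
]


def parse_ts(s):
    """Event timestamps are UTC; parse the ISO 'Z' form used above."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def local_to_utc(s, offset_hours):
    """Convert a viewer-local timestamp (e.g. Event Viewer shown at UTC+2) to UTC."""
    local = datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(
        tzinfo=timezone(timedelta(hours=offset_hours)))
    return local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def normalize_ip(raw):
    """Windows logs IPv4 clients as IPv4-mapped IPv6 ('::ffff:a.b.c.d')."""
    return raw[7:] if raw.startswith("::ffff:") else raw


def is_asrep_roast_candidate(ev):
    """Successful TGT request with no pre-auth and an RC4 ticket, from a non-DC host."""
    return (ev["EventID"] == 4768 and ev["Status"] == "0x0"
            and ev["PreAuthType"] == "0"
            and ev["TicketEncryptionType"].lower() == "0x17"
            and normalize_ip(ev["IpAddress"]) not in DC_IPS)


def find_asrep_roasting(events):
    """Group candidate 4768s by source IP, oldest first; several distinct
    accounts under one IP is the 'many users, one host' pattern."""
    by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["TimeCreated"])):
        if is_asrep_roast_candidate(ev):
            by_ip[normalize_ip(ev["IpAddress"])].append(ev)
    return dict(by_ip)


def accounts_on_host(events, ip, start, window=timedelta(minutes=10), exclude=()):
    """Accounts that obtained service tickets (4769) from `ip` within `window`
    after `start`, minus the roasted accounts themselves. What remains is the
    logged-on user whose session the requests came from."""
    end = start + window
    names = set()
    for ev in events:
        if ev["EventID"] != 4769 or ev["Status"] != "0x0":
            continue
        if normalize_ip(ev["IpAddress"]) != ip:
            continue
        if start <= parse_ts(ev["TimeCreated"]) <= end:
            name = ev["TargetUserName"].split("@")[0].lower()
            if name not in exclude:
                names.add(name)
    return names


def triage(events):
    """One finding per source IP: first roast time, roasted accounts, SIDs, likely operator."""
    findings = {}
    for ip, hits in find_asrep_roasting(events).items():
        roasted = [h["TargetUserName"].lower() for h in hits]
        first = parse_ts(hits[0]["TimeCreated"])
        findings[ip] = {
            "first_seen_utc": hits[0]["TimeCreated"],
            "roasted_accounts": roasted,
            "sids": {h["TargetUserName"]: h["TargetSid"] for h in hits},
            "operator_accounts": sorted(accounts_on_host(events, ip, first, exclude=roasted)),
        }
    return findings


if __name__ == "__main__":
    print("local 08:36:40 at UTC+2 ->", local_to_utc("2024-05-29 08:36:40", 2), "UTC")
    for ip, f in triage(SAMPLE_EVENTS).items():
        print(f"{ip}: first AS-REP roast {f['first_seen_utc']}, "
              f"targets={f['roasted_accounts']}, operator={f['operator_accounts']}")
```

The Status check matters: failed 4768s also carry odd pre-auth and encryption values, and only a successful request actually hands the client the crackable AS-REP. Excluding the roasted accounts from the 4769 correlation keeps the output focused on the account that was logged on to the source host, which is what containment needs.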