Campfire-1 – Hack The Box Sherlock

DC Logs, PowerShell Logs and Prefetch

Scenario

Alonzo spotted weird files on his computer and informed the newly assembled SOC team. Assessing the situation, it is believed a Kerberoasting attack may have occurred in the network. It is your job to confirm the findings by analyzing the provided evidence.

You are provided with:

1- Security Logs from the Domain Controller

2- PowerShell-Operational Logs from the affected workstation

3- Prefetch Files from the affected workstation

Task 1 – Analyzing Domain Controller Security Logs, can you confirm the UTC date & time when the kerberoasting activity occurred?

  • Kerberoasting is a post-exploitation technique against Kerberos in Active Directory. Any authenticated domain user can request a service ticket (TGS) for any Service Principal Name (SPN); the ticket is encrypted with the key of the account that owns the SPN, so a ticket for a user account with an SPN (rather than a machine account) can be taken offline and the account's password cracked. Asking for RC4 (encryption type 0x17) makes the crack far cheaper, which is why tooling requests it explicitly.
  • Filter the Security log on Event ID 4769 (A Kerberos Service Ticket was Requested), ignore krbtgt and machine accounts (service names ending in $), and check the Ticket Encryption Type. A single request stands out with encryption type 0x17 (RC4):
  • Event Viewer renders timestamps in the analyst's local zone, here UTC+2, so the 2024-05-21 05:18:09 shown on screen corresponds to 2024-05-21 03:18:09 UTC (the raw EVTX SystemTime field already holds UTC). The Kerberoasting activity therefore occurred at 2024-05-21 03:18:09 UTC.

Task 2 – What is the Service Name that was targeted?

  • The same 4769 event names the target in its Service Name field: MSSQLService. It is not a machine account (no trailing $), which is consistent with a Kerberoast target.

Task 3 – It is really important to identify the Workstation from which this activity occurred. What is the IP Address of the workstation?

  • The Client Address field of the same event gives the requesting workstation: 172.17.79.129. The KDC usually logs IPv4 clients in IPv4-mapped IPv6 form (::ffff:a.b.c.d), so strip the prefix before pivoting on the address.
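The filtering used in Tasks 1 to 3, as an added example that is not code from the original writeup: a Python script that takes 4769 records in the XML form that evtx_dump or Get-WinEvent's ToXml() produce, keeps only RC4/DES tickets for services that are neither krbtgt nor machine accounts, strips the IPv4-mapped prefix from the client address and normalises the timestamps to UTC. The three records are constructed; the requesting account names and the two non-matching events are placeholders, while the service, client address and UTC time of the hit mirror the values found in the Sherlock.

```python
"""Triage Event ID 4769 (Kerberos service ticket requested) for Kerberoasting.

Added example, not code from the original writeup. The records below are
constructed in the XML shape that evtx_dump or Get-WinEvent's ToXml() emit;
the field names are the real 4769 EventData names.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Encryption types that yield an offline-crackable ticket:
# 0x17 RC4-HMAC, 0x1 DES-CBC-CRC, 0x3 DES-CBC-MD5. AES (0x11/0x12) is the norm.
WEAK_ETYPES = {"0x17", "0x1", "0x3"}


def _record(system_time, requester, service, etype, ip, status="0x0"):
    """Build one constructed 4769 event in EVTX XML form (sample data only)."""
    return f"""<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4769</EventID><TimeCreated SystemTime="{system_time}"/></System>
  <EventData>
    <Data Name="TargetUserName">{requester}</Data>
    <Data Name="TargetDomainName">EXAMPLE.LOCAL</Data>
    <Data Name="ServiceName">{service}</Data>
    <Data Name="TicketOptions">0x40810000</Data>
    <Data Name="TicketEncryptionType">{etype}</Data>
    <Data Name="IpAddress">{ip}</Data>
    <Data Name="Status">{status}</Data>
  </EventData>
</Event>"""


# Constructed sample: two benign requests and one that mirrors the writeup's hit
# (service, client address and UTC time). The account names are placeholders.
SAMPLE_EVENTS = [
    # workstation computer account getting an AES256 ticket for the DC
    _record("2024-05-21T03:15:41.1234567Z", "WS01$@EXAMPLE.LOCAL", "DC01$", "0x12", "::ffff:172.17.79.10"),
    # TGT renewal: ServiceName krbtgt, not a Kerberoast target even with RC4
    _record("2024-05-21T03:17:02.0000000Z", "user1@EXAMPLE.LOCAL", "krbtgt", "0x17", "::ffff:172.17.79.129"),
    # RC4 service ticket for a non-machine SPN owner, requested from the workstation
    _record("2024-05-21T03:18:09.0000000Z", "user1@EXAMPLE.LOCAL", "MSSQLService", "0x17", "::ffff:172.17.79.129"),
]


def parse_event(xml_text):
    """Flatten one EVTX event into a dict: EventID, SystemTime and EventData fields."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{EVT_NS}System")
    fields = {d.get("Name"): (d.text or "")
              for d in root.find(f"{EVT_NS}EventData").findall(f"{EVT_NS}Data")}
    fields["EventID"] = system.find(f"{EVT_NS}EventID").text
    fields["SystemTime"] = system.find(f"{EVT_NS}TimeCreated").get("SystemTime")
    return fields


def to_utc_string(system_time):
    """EVTX SystemTime is ISO-8601 UTC with 7 fractional digits; drop the fraction."""
    return datetime.strptime(system_time[:19], "%Y-%m-%dT%H:%M:%S").strftime("%Y-%m-%d %H:%M:%S")


def local_display_to_utc(local_str, utc_offset_hours):
    """Convert a timestamp as Event Viewer shows it (analyst's zone) to UTC.

    The writeup's view was UTC+2: 05:18:09 local is 03:18:09 UTC.
    """
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_str, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def kerberoast_candidates(xml_events):
    """Return 4769 requests that look like Kerberoasting, oldest first."""
    hits = []
    for xml_text in xml_events:
        ev = parse_event(xml_text)
        if ev["EventID"] != "4769" or ev.get("Status", "0x0") != "0x0":
            continue  # not a TGS request, or the KDC refused it (no ticket issued)
        svc = ev.get("ServiceName", "")
        if svc.lower() == "krbtgt" or svc.endswith("$"):
            continue  # TGT renewals and machine accounts are normal noise
        if ev.get("TicketEncryptionType", "").lower() not in WEAK_ETYPES:
            continue
        ip = ev.get("IpAddress", "")
        hits.append({
            "time_utc": to_utc_string(ev["SystemTime"]),
            "requester": ev.get("TargetUserName", ""),
            "service": svc,
            "etype": ev["TicketEncryptionType"],
            "ticket_options": ev.get("TicketOptions", ""),
            # the KDC logs IPv4 clients in IPv4-mapped IPv6 form; strip the prefix
            "client_ip": ip[7:] if ip.startswith("::ffff:") else ip,
        })
    return sorted(hits, key=lambda h: h["time_utc"])


if __name__ == "__main__":
    for h in kerberoast_candidates(SAMPLE_EVENTS):
        print(f'{h["time_utc"]} UTC  {h["requester"]} -> {h["service"]} '
              f'etype={h["etype"]} from {h["client_ip"]}')
```

On a real export the same filter will also surface legitimate RC4 requests from legacy clients; the TicketOptions value (0x40810000 is what most roasting tools send) and a burst of requests for many SPNs from one address within seconds are what separate a roast from noise.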

Task 4 – Now that we have identified the workstation, a triage including PowerShell logs and Prefetch files is provided to you for some deeper insights so we can understand how this activity occurred on the endpoint. What is the name of the file used to Enumerate Active directory objects and possibly find Kerberoastable accounts in the network?

  • PowerShell script block logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) records the text of every script block that runs together with the Path of the file it was loaded from. The file here is powerview.ps1, PowerView, which is widely used to enumerate domain objects and to list accounts with SPNs:

Task 5 – When was this script executed? (UTC)

  • The 4104 event for powerview.ps1 is time-stamped 2024-05-21 03:16:32 UTC (shown as 2024-05-21 05:16:32 in the local UTC+2 view). That is about two minutes before the RC4 ticket request on the DC, which fits enumeration first, then the roast.
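Tasks 4 and 5 both come out of the 4104 events. As an added example that is not code from the original writeup, the script below reassembles multi-part script blocks, which matters because a file the size of PowerView is logged as many 4104 events sharing one ScriptBlockId (and an indicator can be split across two of them), then searches the reassembled text for enumeration and Kerberoast indicators and reports the Path and first UTC timestamp of each hit. The events, the ScriptBlockIds and the path C:\Tools\powerview.ps1 are constructed placeholders; only the file name and the 03:16:32 UTC time mirror the Sherlock.

```python
"""Reassemble PowerShell 4104 script-block events and scan them for
AD-enumeration / Kerberoast tooling.

Added example, not code from the original writeup. The events are constructed
and already flattened to {field: value} dicts, as an evtx-to-JSON export gives
them; SystemTime is the EVTX UTC timestamp and the script path is a placeholder.
"""
import re

# Patterns a PowerView / Rubeus-style Kerberoast workflow leaves in 4104
# ScriptBlockText. Matched case-insensitively; extend for your environment.
ENUM_INDICATORS = [
    r"Invoke-Kerberoast",
    r"Get-DomainUser\b[^\n]*-SPN",
    r"Get-NetUser\b[^\n]*-SPN",
    r"servicePrincipalName=\*",
    r"KerberosRequestorSecurityToken",
]

PV_ID = "22222222-0000-0000-0000-000000000002"  # constructed ScriptBlockId
PV_PATH = r"C:\Tools\powerview.ps1"             # placeholder, not the real path

SAMPLE_4104 = [
    # Benign interactive command: one chunk, empty Path (typed at the prompt).
    {"EventID": "4104", "SystemTime": "2024-05-21T03:10:05.0000000Z",
     "ScriptBlockId": "11111111-0000-0000-0000-000000000001",
     "MessageNumber": "1", "MessageTotal": "1", "Path": "",
     "ScriptBlockText": "Get-Process | Sort-Object CPU -Descending | Select-Object -First 5\n"},
    # A large script file is logged as several 4104 events sharing one
    # ScriptBlockId. They are listed out of order here, and 'Invoke-Kerberoast'
    # straddles chunks 2 and 3, so grepping each event on its own misses it.
    {"EventID": "4104", "SystemTime": "2024-05-21T03:16:32.0000000Z",
     "ScriptBlockId": PV_ID, "MessageNumber": "1", "MessageTotal": "3", "Path": PV_PATH,
     "ScriptBlockText": "function Get-DomainUser {\n    param([Switch]$SPN)\n"},
    {"EventID": "4104", "SystemTime": "2024-05-21T03:16:32.0000000Z",
     "ScriptBlockId": PV_ID, "MessageNumber": "3", "MessageTotal": "3", "Path": PV_PATH,
     "ScriptBlockText": "eroast -OutputFormat Hashcat\n"},
    {"EventID": "4104", "SystemTime": "2024-05-21T03:16:32.0000000Z",
     "ScriptBlockId": PV_ID, "MessageNumber": "2", "MessageTotal": "3", "Path": PV_PATH,
     "ScriptBlockText": "    $Filter = '(servicePrincipalName=*)'\n}\nGet-DomainUser -SPN | Invoke-Kerb"},
]


def reassemble_script_blocks(events):
    """Group 4104 events by ScriptBlockId and join the chunks in MessageNumber order."""
    groups = {}
    for ev in events:
        if ev.get("EventID") != "4104":
            continue
        g = groups.setdefault(ev["ScriptBlockId"],
                              {"parts": {}, "total": int(ev["MessageTotal"]),
                               "path": ev.get("Path", ""), "times": []})
        g["parts"][int(ev["MessageNumber"])] = ev["ScriptBlockText"]
        g["times"].append(ev["SystemTime"])
    blocks = {}
    for sbid, g in groups.items():
        blocks[sbid] = {
            "path": g["path"],
            "text": "".join(g["parts"][n] for n in sorted(g["parts"])),
            "complete": len(g["parts"]) == g["total"],  # False if the log was truncated
            "first_seen_utc": min(g["times"])[:19].replace("T", " "),
        }
    return blocks


def find_enumeration_tooling(blocks):
    """Scan reassembled script blocks for the indicators above, oldest first."""
    findings = []
    for sbid, b in blocks.items():
        matched = [p for p in ENUM_INDICATORS if re.search(p, b["text"], re.IGNORECASE)]
        if matched:
            findings.append({
                "script_block_id": sbid,
                "path": b["path"] or "(interactive / no file)",
                "first_seen_utc": b["first_seen_utc"],
                "complete": b["complete"],
                "indicators": matched,
            })
    return sorted(findings, key=lambda f: f["first_seen_utc"])


if __name__ == "__main__":
    for f in find_enumeration_tooling(reassemble_script_blocks(SAMPLE_4104)):
        print(f'{f["first_seen_utc"]} UTC  {f["path"]}  matched: {f["indicators"]}')
```

An empty Path means the block was typed or pasted interactively rather than loaded from a file, so a finding with no path still tells you the operator ran the code, just not which file it came from. A block flagged as incomplete (the log rolled over, or the 4104 events were cleared) should be treated as partial evidence.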

Task 6 – What is the full path of the tool used to perform the actual kerberoasting attack?

  • The prefetch folder of the triage image contains RUBEUS.EXE-5873E24B.pf; Rubeus is the tool commonly used to request and dump the roastable ticket. The hash in the file name is derived from the executable's path, so the name alone does not tell you where the binary lived; parse the file with PECmd.exe from Eric Zimmerman's tools:
    PECmd.exe -f campfire-1\Triage\Workstation\2024-05-21T033012_triage_asset\C\Windows\prefetch\RUBEUS.EXE-5873E24B.pf
  • PECmd lists the files and directories the process touched during its first seconds of execution, including the executable itself, and that is where the full path of the tool appears:

Task 7 – When was the tool executed to dump credentials? (UTC)

  • PECmd reports the last run time as 2024-05-21 03:18:08. Prefetch stores run times as FILETIME values, which are already UTC, so no zone conversion is needed here. This is one second before the 4769 on the DC at 03:18:09 UTC, consistent with Rubeus starting and immediately requesting the RC4 service ticket for MSSQLService. Keep in mind that a prefetch file retains only the last eight run times and that "last run" is the most recent execution, not necessarily the first.