Campfire-2

Scenario

Forela’s Network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from KDC on a domain controller. Inventory shows that this user account is not used as of now so you are tasked to take a look at this. This may be an AsREP roasting attack as anyone can request any user’s ticket which has preauthentication disabled.

Questions

Questions

1. When did the ASREP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?
2. Please confirm the User Account that was targeted by the attacker.
3. What was the SID of the account?
4. It is crucial to identify the compromised user account and the workstation responsible for this attack. Please list the internal IP address of the compromised asset to assist our threat-hunting team.
5. We do not have any artifacts from the source machine yet. Using the same DC Security logs, can you confirm the user account used to perform the ASREP Roasting attack so we can contain the compromised account/s?

Analysis

ASREPRoast

Explanation by HackTricks

ASREP-Roast is a security attack that exploits users who lack the Kerberos pre-authentication required attribute. Essentially, this vulnerability allows attackers to request authentication for a user from the Domain Controller (DC) without needing the user’s password. The DC then responds with a message encrypted with the user’s password-derived key, which attackers can attempt to crack offline to discover the user’s password.

https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast

Detection Opportunities by MITRE

Monitor for anomalous activity, such as enabling Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]). https://attack.mitre.org/techniques/T1558/004/

Security - EventLog

PS> EvtxECmd.exe -f .\Security.evtx --csv . --csvf security.csv
 
<SNIP>
 
Metrics (including dropped events)
Event ID        Count
1100            1
4688            22
4696            2
4698            2
4699            2
4702            8
4768            11
4769            21
4771            1
4799            38
4826            2
5140            10
5142            12
5379            20

After processing the provided EVTX file with Zimmermann’s EvtxECmd tool I can reuse my filter from Campfire-1 since the both Kerberoasting and ASREP-Roasting can be detected using the same events and looking for the weak ticket encryption. In case multiple events are returned and to absolutely safe another indicator of ASREP-Roasting is checking whether the PreAuthType field is set to zero.

Contains([Payload Data4], 'RC4-HMAC') And [Event Id] In (4768, 4769)

This turns up a single event which tell me that a ASREPRoastable ticket was request at 2024-05-29 06:36:40 for the user forela.local\arthur.kyle with a SID S-1-5-21-3239415629-1862073780-2394361899-1601 from the machine with the IP 172[.]17[.]79[.]129.

{
  EventData: 
    Data: 
    [
        @Name: TargetUserName
        #text: arthur.kyle
        @Name: TargetDomainName
        #text: forela.local
        @Name: TargetSid
        #text: S-1-5-21-3239415629-1862073780-2394361899-1601
        @Name: ServiceName
        #text: krbtgt
        @Name: ServiceSid
        #text: S-1-5-21-3239415629-1862073780-2394361899-502
        @Name: TicketOptions
        #text: 0x40800010
        @Name: Status
        #text: 0x0
        @Name: TicketEncryptionType
        #text: 0x17
        @Name: PreAuthType
        #text: 0
        @Name: IpAddress
        #text: "::ffff:172.17.79.129"
        @Name: IpPort
        #text: 61965
        @Name: CertIssuerName
        @Name: CertSerialNumber
        @Name: CertThumbprint
    ]
}

Since I am using TimelineExplorer to look at the events the answer to question who performed the ASREPRoast is a quick search for the IP address away. This turns up a few events and among them is a A Kerberos service ticket was requested event from the alleged attacker machine. In this events the username of happy.grunwald can be found. This was to be excepted to a certain degree since if an insider carried out this attack they had to one point authenticate themselves to the Domain Controller, which can be correlated to the attack based on the source IP address.

Answers

Answers

1. When did the ASREP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?

• 2024-05-29 06:36:40

2. Please confirm the User Account that was targeted by the attacker.

• arthur.kyle

3. What was the SID of the account?

• S-1-5-21-3239415629-1862073780-2394361899-1601

4. It is crucial to identify the compromised user account and the workstation responsible for this attack. Please list the internal IP address of the compromised asset to assist our threat-hunting team.

• 172[.]17[.]79[.]129

5. We do not have any artifacts from the source machine yet. Using the same DC Security logs, can you confirm the user account used to perform the ASREP Roasting attack so we can contain the compromised account/s?

• happy.grunwald