Scenario
Forela’s network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from the KDC on a domain controller. Inventory shows that this user account is not in use as of now, so you are tasked to take a look at this. This may be an AS-REP roasting attack, as anyone can request the ticket of any user who has pre-authentication disabled.
Questions
- When did the ASREP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?
- Please confirm the User Account that was targeted by the attacker.
- What was the SID of the account?
- It is crucial to identify the compromised user account and the workstation responsible for this attack. Please list the internal IP address of the compromised asset to assist our threat-hunting team.
- We do not have any artifacts from the source machine yet. Using the same DC Security logs, can you confirm the user account used to perform the ASREP Roasting attack so we can contain the compromised account/s?
Analysis
ASREPRoast
Explanation by HackTricks
ASREP-Roast is a security attack that exploits users who lack the Kerberos pre-authentication required attribute. Essentially, this vulnerability allows attackers to request authentication for a user from the Domain Controller (DC) without needing the user’s password. The DC then responds with a message encrypted with the user’s password-derived key, which attackers can attempt to crack offline to discover the user’s password.
https://book.hacktricks.xyz/windows-hardening/active-directory-methodology/asreproast
Detection Opportunities by MITRE
Monitor for anomalous activity, such as enabling Audit Kerberos Service Ticket Operations to log Kerberos TGS service ticket requests. Particularly investigate irregular patterns of activity (ex: accounts making numerous requests, Event ID 4768 and 4769, within a small time frame, especially if they also request RC4 encryption [Type 0x17], pre-authentication not required [Type: 0x0]). https://attack.mitre.org/techniques/T1558/004/
Security - EventLog
PS> EvtxECmd.exe -f .\Security.evtx --csv . --csvf security.csv
<SNIP>
Metrics (including dropped events)
Event ID Count
1100 1
4688 22
4696 2
4698 2
4699 2
4702 8
4768 11
4769 21
4771 1
4799 38
4826 2
5140 10
5142 12
5379 20
After processing the provided EVTX file with Zimmerman’s EvtxECmd tool I can reuse my filter from Campfire-1, since both Kerberoasting and ASREP-Roasting can be detected using the same events by looking for weak ticket encryption. In case multiple events are returned, and to be absolutely safe, another indicator of ASREP-Roasting is checking whether the PreAuthType field is set to zero.
Contains([Payload Data4], 'RC4-HMAC') And [Event Id] In (4768, 4769)
This turns up a single event, which tells me that an ASREP-roastable ticket was requested at 2024-05-29 06:36:40 for the user forela.local\arthur.kyle with the SID S-1-5-21-3239415629-1862073780-2394361899-1601 from the machine with the IP 172[.]17[.]79[.]129.
{
EventData:
Data:
[
@Name: TargetUserName
#text: arthur.kyle
@Name: TargetDomainName
#text: forela.local
@Name: TargetSid
#text: S-1-5-21-3239415629-1862073780-2394361899-1601
@Name: ServiceName
#text: krbtgt
@Name: ServiceSid
#text: S-1-5-21-3239415629-1862073780-2394361899-502
@Name: TicketOptions
#text: 0x40800010
@Name: Status
#text: 0x0
@Name: TicketEncryptionType
#text: 0x17
@Name: PreAuthType
#text: 0
@Name: IpAddress
#text: "::ffff:172.17.79.129"
@Name: IpPort
#text: 61965
@Name: CertIssuerName
@Name: CertSerialNumber
@Name: CertThumbprint
]
}
Since I am using Timeline Explorer to look at the events, the answer to the question of who performed the ASREPRoast is a quick search for the IP address away. This turns up a few events, and among them is a "A Kerberos service ticket was requested" event (4769) from the alleged attacker machine. In this event the username happy.grunwald can be found.
This was to be expected to a certain degree: if an insider carried out this attack they had at some point to authenticate themselves to the Domain Controller, which can be correlated to the attack based on the source IP address.
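As an added illustration (not part of the original writeup), the two indicators from the filter above (4768 with an RC4 ticket, 0x17, and PreAuthType 0) and the source-IP pivot into 4769 events, as a small Python script over constructed records that mirror the EventData layout shown above; the record shape, the benign second record and the 4769 record are assumptions.

```python
# Added example: AS-REP roasting indicators over EvtxECmd-style records and a pivot on source IP.
# Values not on the page (second 4768 record, 4769 record) are constructed sample data.
RC4_HMAC = 0x17

SAMPLE_EVENTS = [  # constructed sample records
    {"EventId": 4768, "TimeCreated": "2024-05-29 06:36:40", "EventData": {
        "TargetUserName": "arthur.kyle", "TargetDomainName": "forela.local",
        "TargetSid": "S-1-5-21-3239415629-1862073780-2394361899-1601",
        "ServiceName": "krbtgt", "TicketEncryptionType": "0x17", "PreAuthType": "0",
        "IpAddress": '"::ffff:172.17.79.129"', "Status": "0x0"}},
    {"EventId": 4768, "TimeCreated": "2024-05-29 06:30:01", "EventData": {  # benign, constructed
        "TargetUserName": "jane.doe", "TargetDomainName": "forela.local",
        "TargetSid": "S-1-5-21-3239415629-1862073780-2394361899-1102",
        "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "PreAuthType": "2",
        "IpAddress": '"::ffff:172.17.79.40"', "Status": "0x0"}},
    {"EventId": 4769, "TimeCreated": "2024-05-29 06:35:12", "EventData": {  # TGS request, constructed
        "TargetUserName": "happy.grunwald@FORELA.LOCAL", "ServiceName": "DC01$",
        "TicketEncryptionType": "0x12", "IpAddress": '"::ffff:172.17.79.129"'}},
]

def normalize_ip(raw):
    """4768/4769 log IPv4 as an IPv4-mapped IPv6 string, sometimes quoted: ::ffff:a.b.c.d -> a.b.c.d."""
    ip = raw.strip('"')
    return ip[len("::ffff:"):] if ip.startswith("::ffff:") else ip

def find_asrep_requests(events):
    """Return TGT requests (4768) that were issued with RC4 and without pre-authentication."""
    hits = []
    for ev in events:
        d = ev["EventData"]
        if ev["EventId"] != 4768:
            continue
        if int(d["TicketEncryptionType"], 16) == RC4_HMAC and int(d["PreAuthType"]) == 0:
            hits.append({"time": ev["TimeCreated"], "user": d["TargetUserName"],
                         "domain": d["TargetDomainName"], "sid": d["TargetSid"],
                         "ip": normalize_ip(d["IpAddress"])})
    return hits

def accounts_seen_from(events, ip):
    """Pivot on the source host: account names in service-ticket requests (4769) from that IP."""
    names = {ev["EventData"]["TargetUserName"].split("@")[0].lower()
             for ev in events
             if ev["EventId"] == 4769 and normalize_ip(ev["EventData"]["IpAddress"]) == ip}
    return sorted(names)

if __name__ == "__main__":
    for hit in find_asrep_requests(SAMPLE_EVENTS):
        print(f"{hit['time']} roastable TGT for {hit['domain']}\\{hit['user']} ({hit['sid']}) from {hit['ip']}")
        print("accounts seen from that host:", accounts_seen_from(SAMPLE_EVENTS, hit["ip"]))
```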
Answers
- When did the ASREP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?
2024-05-29 06:36:40
- Please confirm the User Account that was targeted by the attacker.
arthur.kyle
- What was the SID of the account?
S-1-5-21-3239415629-1862073780-2394361899-1601
- It is crucial to identify the compromised user account and the workstation responsible for this attack. Please list the internal IP address of the compromised asset to assist our threat-hunting team.
172[.]17[.]79[.]129
- We do not have any artifacts from the source machine yet. Using the same DC Security logs, can you confirm the user account used to perform the ASREP Roasting attack so we can contain the compromised account/s?
happy.grunwald