Based on the scenario description, we know that pre-auth is disabled and this might be a AsREP roasting attack.
What is an AS-REP roasting attack?
Basically, it's when an attacker sends out an AS_REQ request to a domain controller (DC) in order to impersonate a user. Due to the misconfiguration, the DC will respond to the attacker with an AS_REP message which contains the targeted user's NT hash. The attacker will then take the hash and crack it offline.
Forela's Network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from KDC on a domain controller. Inventory shows that this user account is not used as of now so you are tasked to take a look at this. This may be an AsREP roasting attack as anyone can request any user's ticket which has preauthentication disabled.
Question 1:
When did the ASREP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?
Quick and easy.
All we have to do is look for Event ID 4768 - this event is generated when a Kerberos TGT ticket is requested. As mentioned, pre-auth is disabled so if we go through the filtered events. The first entry with Pre-Authentication Type = 0 will be on 2024-05-29 06:36:40 UTC.
Answer: 2024-05-29 06:36:40
The Date and Time field in Windows Event Viewer will likely be in your local desktop time. Pivot to the XML View within "Details" tab for the UTC time.
Question 2:
Please confirm the User Account that was targeted by the attacker.
From the event above, we can see that the account name is arthur.kyle.
Answer: arthur.kyle
Question 3:
What was the SID of the account?
It is shown in the same event under User ID field.
It is crucial to identify the compromised user account and the workstation responsible for this attack. Please list the internal IP address of the compromised asset to assist our threat-hunting team.
In the same event as well, we can see it under Network Information. This section represents the machine which initiated the TGT request. Do note the Client Address field may look a bit strange, that's because it's in IPv6 format. The IPv4 address will be 172.17.79.129. For reference, the ::ffff:172.17.79.129 format is known as the IPv4-mapped IPv6 address.
Answer: 172.17.79.129
Question 5:
We do not have any artifacts from the source machine yet. Using the same DC Security logs, can you confirm the user account used to perform the ASREP Roasting attack so we can contain the compromised account/s?
Based on the events above, we assume that the attacker has successfully cracked the domain user's password. Straight after the initial attack on domain user account arthur.kyle, we can see another user with the same IP address requested for a Kerberos TGS ticket and successfully gained access to several file shares on DC01.forela.local.
