Scenario

Alonzo spotted weird files on his computer and informed the newly assembled SOC team. Assessing the situation, it is believed a Kerberoasting attack may have occurred in the network. It is your job to confirm the findings by analyzing the provided evidence. You are provided with:

1- Security logs from the Domain Controller
2- PowerShell-Operational logs from the affected workstation
3- Prefetch files from the affected workstation

https://app.hackthebox.com/sherlocks/737

Make sure to read this blog before solving the lab. It covers Active Directory attack detection (Kerberoasting) and was published by Cyberjunkie, the challenge creator.

https://www.hackthebox.com/blog/kerberoasting-attack-detection#mcetoc_1i0qrvkrf0


1- Analyzing Domain Controller Security Logs, can you confirm the date & time when the kerberoasting activity occurred?

2024-05-21 03:18:09


We are currently investigating potential Kerberoasting activity by analyzing Domain Controller security logs. The key log we focus on is Event ID 4769, which indicates a Ticket Granting Service (TGS) request.

To identify signs of Kerberoasting, we look for a high volume of these events or specific entries where the encryption type used is RC4-HMAC (0x17). This is significant because popular tools used in Kerberoasting attacks—such as Impacket and Rubeus—typically request TGS tickets with RC4 encryption due to its weaker security and offline cracking potential.

While reviewing the logs, we identified multiple entries matching these criteria. However, it's important to filter out requests for host-based SPNs (those registered to computer accounts, whose names end in $), as these are generally not vulnerable to Kerberoasting attacks. Instead, we focus on service accounts with custom SPNs and RC4 encryption.
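To make the filter above concrete, here is an added example (not part of the original writeup or the challenge files) that applies the same criteria to Event ID 4769 records: keep only RC4-HMAC (0x17) TGS requests, drop host SPNs and krbtgt, and count requests per requester to surface bulk ticket requests. The event records, account names, service names and IP addresses are constructed sample data modelled on the 4769 EventData fields.

```python
from collections import Counter
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_4769(time_created, requester, service, enc_type, ip):
    """Build a minimal 4769 event in the Windows event XML layout (constructed data)."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>4769</EventID>'
        f'<TimeCreated SystemTime="{time_created}"/></System><EventData>'
        f'<Data Name="TargetUserName">{requester}</Data>'
        f'<Data Name="ServiceName">{service}</Data>'
        f'<Data Name="TicketEncryptionType">{enc_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample: account, service and IP values are made up for this example.
SAMPLE_EVENTS = [
    make_4769("2024-05-21T03:17:55Z", "jdoe@CORP", "WS01$", "0x12", "10.0.0.21"),
    make_4769("2024-05-21T03:18:09Z", "jdoe@CORP", "svc_sql", "0x17", "10.0.0.21"),
    make_4769("2024-05-21T03:18:09Z", "jdoe@CORP", "svc_web", "0x17", "10.0.0.21"),
    make_4769("2024-05-21T03:18:10Z", "jdoe@CORP", "DC01$", "0x17", "10.0.0.21"),
    make_4769("2024-05-21T03:25:00Z", "asmith@CORP", "svc_backup", "0x12", "10.0.0.33"),
]

def parse_4769(xml_text):
    """Return the System and EventData fields of one event as a flat dict."""
    root = ET.fromstring(xml_text)
    fields = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    fields["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    fields["Time"] = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return fields

def is_roastable_request(ev):
    """RC4-HMAC (0x17) TGS request for a non-host SPN: the Kerberoasting signature."""
    if ev["EventID"] != 4769 or ev["TicketEncryptionType"].lower() != "0x17":
        return False
    service = ev["ServiceName"]
    # Host SPNs belong to computer accounts (name ends in '$'); krbtgt is the TGT service.
    return not service.endswith("$") and service.lower() != "krbtgt"

def find_kerberoasting(xml_records):
    """Return flagged events plus a per-requester count to spot bulk TGS requests."""
    hits = [ev for ev in map(parse_4769, xml_records) if is_roastable_request(ev)]
    per_requester = Counter((ev["TargetUserName"], ev["IpAddress"]) for ev in hits)
    return hits, per_requester
```

Running `find_kerberoasting(SAMPLE_EVENTS)` on the constructed set flags only the two svc_* requests at 03:18:09, both from the same requester and IP, while the RC4 request for the DC01$ host SPN and the AES (0x12) requests are dropped.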

In this case, we confirmed Kerberoasting activity at the timestamp 2024-05-21 03:18:09, based on the combination of: