Windows Events

Analyzing Domain Controller Security Logs

The Security log records Event ID 4769 on a domain controller whenever a Kerberos service ticket is requested.

Open the event file of the domain controller.

Filter by the event ID (4769).

We still get a lot of events.

Understanding the Kerberos ticket request

Here we can see that the Account Name “DC01$” requested a service ticket for a service named DC01$. In Windows, names ending with $ are typically service accounts and machine accounts, and the DC01$ service name likewise belongs to that same account.

This all belongs to normal Active Directory operations. Below that we can see a field named “Ticket Encryption Type” with the value 0x12, which corresponds to AES256-CTS-HMAC-SHA1-96.

In legitimate Kerberos ticket operations, the encryption type would be 0x12 or 0x11.

But if we see encryption type 0x17, which is RC4, that is a clue to look into this further: an attacker may request a ticket with this encryption type because it allows them to crack the password offline.

All major open-source tools, such as Impacket and Rubeus, request tickets with the RC4 encryption type.

To further reduce the chances of false positives, we can filter out requests from other service accounts and machine accounts.

Service accounts request service tickets from domain controllers all the time; that is the nature of how service accounts work. To further reduce the events to investigate, we can also filter out requests for service names ending with “$”; these are computer accounts or other service-account-related services that Windows uses as part of its normal operations.

We can then search for events with the 0x17 encryption type.

We can see that a domain account “alonzo.spire” requested a ticket for the service name “MSSQLService” with an encryption type of 0x17, from a workstation with IP address 172.17.79.129.

Notice that both the account name and service name do not end with $.

For SIEMs

SOC analysts can query the logs in SIEMs to create a filter for all the things mentioned.

With the filters discussed above we’re looking for a 4769 event where:

1. The Account Name is NOT a service or machine account (i.e. it does not end with $), so any normal domain user account (this would be the compromised account from which the attacker performed the attack).

2. The Service Name does NOT end with $.

3. The Ticket Encryption Type is 0x17, which is RC4 encryption, allowing attackers to easily crack the hash.

The follow-up to this detection would be to:

  1. Create a timeline of when this event was generated.

  2. Do a forensic analysis of the machine with IP address 172.17.79.129, and find out how the “alonzo.spire” user account got compromised.

  3. Use artifacts such as Sysmon process-creation logs if available, Prefetch, LNK files, the Master File Table (MFT), or the registry to gain insight into what occurred around the time the Kerberoasting activity was noticed.

Filter logs by Event ID 4768 (AS-REP Roasting)

Event ID 4768 is recorded in the Security log on the domain controller whenever a Kerberos authentication ticket (TGT) is requested.

Depending on the size of the Active Directory environment and its assets, this can easily be thousands of tickets per minute from different accounts across the network.

Now let's understand the log.

  • Account Name: The user account that requested an authentication ticket from the domain controller.

  • Service Name: The name of the service that handled the ticket.

  • Ticket Encryption Type: The ticket encryption algorithm used (for example AES or RC4).

  • Pre-Authentication Type: A status code showing whether pre-authentication was enabled or disabled for the object in question (the Account Name).

We can see that the administrator user requested an authentication ticket and the service name is krbtgt. This is regular operation: krbtgt is the universal AD service that handles Kerberos authentication, and it is involved whenever an account logs in to a workstation.

Now let's discuss a few of the filters or conditions that would indicate a possible attack.

In legitimate Kerberos ticket operations, the encryption type would be 0x12 or 0x11.

But if we see encryption type 0x17, which is RC4, that is a clue to look into this further: an attacker may request a ticket with this encryption type because it allows them to crack the password offline.

Note💡: All major open-source tools, such as Impacket and Rubeus, request tickets with the RC4 encryption type.

User accounts request authentication tickets from domain controllers all the time; that is the nature of how Active Directory Kerberos authentication works.

To further reduce the events to investigate, we can filter out requests from all service names other than “krbtgt”.

This is because during this attack the attacker retrieves the authentication ticket just like a legitimate user account would, and krbtgt is the default AD service that handles the authentication flow in Active Directory.

The major indicator that the AS-REP Roasting attack has been successful (the attacker managed to get the ticket; whether they cracked it or not is a separate matter) is the Pre-Authentication Type value in the resulting logs.

Note💡: A great way to threat hunt for this attack is to simply look for Pre-Authentication Type = 0, which means pre-authentication is disabled. This alone would remove 90 percent of the noise in the logs, leaving more granular results to go through.

SOC analysts can query the logs in SIEMs to create a filter for all the things mentioned.

With the filters discussed above we’re looking for a 4768 event where:

  1. The Pre-Authentication Type is 0, which means pre-authentication is disabled. This is the major condition to be fulfilled: without it, the attack can’t happen.

  2. The Service Name should always be krbtgt. This is also straightforward, as only krbtgt performs authentication-related processes in AD.

  3. The Ticket Encryption Type is 0x17, which is RC4 encryption, allowing attackers to easily crack the hash.

Here’s an example of identifying an actual event that was the result of an AS-REP Roasting attack using the detection tips above:

This event fulfills all the conditions we set, which strongly indicates AS-REP Roasting activity. We can see that a domain account “arthur.kyle” requested an authentication ticket for a user whose pre-authentication is disabled, with an encryption type of 0x17, from a workstation with IP address 172.17.79.129.
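As a worked example of both filter sets above (the 4769 Kerberoasting conditions and the 4768 AS-REP Roasting conditions), here is added Python that is not part of the original page: it parses events in the Windows Event XML layout and applies both filters to constructed sample events. The field names (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress) are the EventData names Windows uses for these two events; the sample events themselves are constructed, not real exports.

```python
import xml.etree.ElementTree as ET
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def make_event(event_id, **fields):
    # Constructed sample in the Windows Event XML shape (EventData/Data Name="...").
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{data}</EventData></Event>")
# Constructed samples, not real log exports; names and IP follow the page's walkthrough.
SAMPLE_EVENTS = [
    make_event(4769, TargetUserName="DC01$", ServiceName="DC01$",               # benign machine account
               TicketEncryptionType="0x12", IpAddress="::1"),
    make_event(4769, TargetUserName="alonzo.spire", ServiceName="MSSQLService", # Kerberoasting pattern
               TicketEncryptionType="0x17", IpAddress="::ffff:172.17.79.129"),
    make_event(4768, TargetUserName="administrator", ServiceName="krbtgt",      # benign TGT, pre-auth on
               TicketEncryptionType="0x12", PreAuthType="2", IpAddress="::ffff:172.17.79.10"),
    make_event(4768, TargetUserName="arthur.kyle", ServiceName="krbtgt",        # AS-REP Roasting pattern
               TicketEncryptionType="0x17", PreAuthType="0", IpAddress="::ffff:172.17.79.129"),
]

def parse_event(xml_text):
    """Flatten System/EventID and every EventData/Data Name=... into one dict."""
    root = ET.fromstring(xml_text)
    ev = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ev["EventID"] = int(root.find("e:System/e:EventID", NS).text)
    ip = ev.get("IpAddress", "")  # Windows logs IPv4 clients as IPv4-mapped IPv6 ("::ffff:a.b.c.d")
    ev["IpAddress"] = ip[7:] if ip.startswith("::ffff:") else ip
    return ev

def classify(ev):
    """Apply the page's two filter sets; return a label, or None when the event looks routine."""
    rc4 = ev["TicketEncryptionType"].lower() == "0x17"
    if (ev["EventID"] == 4769 and rc4
            and not ev["TargetUserName"].endswith("$")   # requester is a normal user account
            and not ev["ServiceName"].endswith("$")):    # target is not a machine account
        return "Kerberoasting"
    if (ev["EventID"] == 4768 and rc4
            and ev.get("PreAuthType") == "0"             # pre-authentication disabled
            and ev["ServiceName"].lower() == "krbtgt"):  # TGT request
        return "AS-REP Roasting"
    return None

def triage(events_xml):
    """Return (label, account, service, client_ip) for each event that matches a filter."""
    hits = []
    for ev in map(parse_event, events_xml):
        if (label := classify(ev)):
            hits.append((label, ev["TargetUserName"], ev["ServiceName"], ev["IpAddress"]))
    return hits
```

Run against an export of the Security log (for example the XML produced by `wevtutil qe Security /f:xml`), the two benign samples drop out and only the two events matching the page's conditions are reported.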

Analyzing PowerShell logs

We can see executed commands/scripts by filtering for Event ID 4104 (PowerShell Script Block Logging).

PowerView has been used.
