campfire-2

Released: 2024-06-27
Retired: 2024-06-27
Author: CyberJunkie

Scenario

Forela’s Network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from KDC on a domain controller. Inventory shows that this user account is not used as of now so you are tasked to take a look at this. This may be an AsREP roasting attack as anyone can request any user’s ticket which has preauthentication disabled.


Task 01

Question: When did the ASREP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?

The only artifact provided is a Security.evtx file from the domain controller. Hayabusa gives a quick overview of the relevant activity by running its default Sigma rule set over the log and writing a JSON timeline. The switches -w (run without the interactive wizard, i.e. with the default rule configuration) and -U (print timestamps in UTC rather than local time) are used so the output can be compared directly with the timestamps asked for in the tasks:

hayabusa.exe json-timeline -w -U -d . -o hayabusa.json

The AS-REP roasting request itself trips one of the default rules: a successful TGT request (Event ID 4768) for an account that has Kerberos pre-authentication disabled (PreAuthType 0) and that asked for an RC4-HMAC encrypted ticket (TicketEncryptionType 0x17). Because no pre-authentication is required, the KDC answers with an AS-REP containing data encrypted under the user's RC4 key (the NT hash), which the attacker can then crack offline; this is why the timestamp of this event is the time of the attack:

{
    "Timestamp": "2024-05-29 06:36:40.246 +00:00",
    "RuleTitle": "Possible AS-REP Roasting (RC4 Kerberos Ticket Req)",
    "Level": "med",
    "Computer": "DC01.forela.local",
    "Channel": "Sec",
    "EventID": 4768,
    "RecordID": 6241,
    "Details": {
        "TgtUser": "arthur.kyle",
        "Svc": "krbtgt",
        "SrcIP": "::ffff:172.17.79.129",
        "Status": "0x0",
        "PreAuthType": 0
    },
    "ExtraFieldInfo": {
        "CertIssuerName": "",
        "CertSerialNumber": "",
        "CertThumbprint": "",
        "IpPort": 61965,
        "ServiceSid": "S-1-5-21-3239415629-1862073780-2394361899-502",
        "TargetDomainName": "forela.local",
        "TargetSid": "S-1-5-21-3239415629-1862073780-2394361899-1601",
        "TicketEncryptionType": "0x17",
        "TicketOptions": "0x40800010"
    }
}

Answer: 2024-05-29 06:36:40


Task 02

Question: Please confirm the User Account that was targeted by the attacker.

The alert generated in Task 01 regarding the RC4 ticket request also contains, in its Details block, the username of the affected account.

"Details": {
    "TgtUser": "arthur.kyle",
    "Svc": "krbtgt",
    "SrcIP": "::ffff:172.17.79.129",
    "Status": "0x0",
    "PreAuthType": 0
}

Answer: arthur.kyle


Task 03

Question: What was the SID of the account?

The alert generated in Task 01 also includes the SID of the affected account. This can be found in the ExtraFieldInfo block of the corresponding event within the generated hayabusa JSON-Timeline.

"ExtraFieldInfo": {
	"CertIssuerName": "",
	"CertSerialNumber": "",
	"CertThumbprint": "",
	"IpPort": 61965,
	"ServiceSid": "S-1-5-21-3239415629-1862073780-2394361899-502",
	"TargetDomainName": "forela.local",
	"TargetSid": "S-1-5-21-3239415629-1862073780-2394361899-1601",
	"TicketEncryptionType": "0x17",
	"TicketOptions": "0x40800010"
}

Answer: S-1-5-21-3239415629-1862073780-2394361899-1601


Task 04

Question: It is crucial to identify the compromised user account and the workstation responsible for this attack. Please list the internal IP address of the compromised asset to assist our threat-hunting team.

The source address of the request is also part of the Details block of the previously identified alert. The DC records IPv4 clients in IPv4-mapped IPv6 notation (::ffff:a.b.c.d), so the ::ffff: prefix is dropped for the answer.

"Details": {
	"TgtUser": "arthur.kyle",
	"Svc": "krbtgt",
	"SrcIP": "::ffff:172.17.79.129",
	"Status": "0x0",
	"PreAuthType": 0
},

Answer: 172.17.79.129


Task 05

Question: We do not have any artifacts from the source machine yet. Using the same DC Security logs, can you confirm the user account used to perform the ASREP Roasting attack so we can contain the compromised account/s?

About a minute after the AS-REP request for arthur.kyle, the same, now known to be compromised, IP address requests a service ticket (Event ID 4769), and the following events show the same host accessing network shares on the DC, including C:\Shares\DC-Confidential. Each of these events carries the account that actually authenticated (in the 4769 TargetUserName, in user@REALM form), which is the account the attacker is operating from, not the account that was roasted:

{
    "Timestamp": "2024-05-29 06:37:49.227 +00:00",
    "RuleTitle": "Kerberos Service Ticket Requested",
    "Level": "info",
    "Computer": "DC01.forela.local",
    "Channel": "Sec",
    "EventID": 4769,
    "RecordID": 6242,
    "Details": {
        "TgtUser": "happy.grunwald@FORELA.LOCAL",
        "Svc": "DC01$",
        "SrcIP": "::ffff:172.17.79.129",
        "Status": "0x0"
    },
    "ExtraFieldInfo": {
        "IpPort": 61975,
        "LogonGuid": "543ACECF-87DD-45D9-CF0D-6C1F28070DC3",
        "ServiceSid": "S-1-5-21-3239415629-1862073780-2394361899-1000",
        "TargetDomainName": "FORELA.LOCAL",
        "TicketEncryptionType": "0x12",
        "TicketOptions": "0x40810000",
        "TransmittedServices": "-"
    }
}

Answer: happy.grunwald
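The two pivots used in Task 01 and Task 05 (find the 4768 with PreAuthType 0 and etype 0x17, then look for 4769 requests from the same source address shortly afterwards) can be scripted over the hayabusa JSON timeline instead of read by eye. The script below is an added example written for this write-up; it is not hayabusa's code or part of the original solution. It assumes hayabusa's json-timeline field names as shown in the records above (Timestamp, EventID, Details.TgtUser, Details.SrcIP, Details.PreAuthType, ExtraFieldInfo.TicketEncryptionType, ExtraFieldInfo.TargetSid) and that the output file is either a JSON array, JSONL, or a sequence of pretty-printed objects; the sample timeline embedded in it is constructed from the records on this page plus two invented benign events to show the filtering.

```python
"""Triage a hayabusa json-timeline for AS-REP roasting and pivot to the
requesting account. Added example; not hayabusa's or the write-up's own code."""
import json
from datetime import datetime, timedelta

# Constructed sample modelled on the records shown in the write-up. The first
# 4768 (a normal pre-authenticated AES request) and the last 4769 (another
# host) are invented so the filters have something to reject.
SAMPLE_TIMELINE = """
{"Timestamp": "2024-05-29 06:30:02.101 +00:00", "EventID": 4768,
 "Details": {"TgtUser": "svc.backup", "Svc": "krbtgt", "SrcIP": "::ffff:172.17.79.50",
             "Status": "0x0", "PreAuthType": 2},
 "ExtraFieldInfo": {"TargetSid": "S-1-5-21-3239415629-1862073780-2394361899-1199",
                    "TicketEncryptionType": "0x12"}}
{"Timestamp": "2024-05-29 06:36:40.246 +00:00", "EventID": 4768,
 "Details": {"TgtUser": "arthur.kyle", "Svc": "krbtgt", "SrcIP": "::ffff:172.17.79.129",
             "Status": "0x0", "PreAuthType": 0},
 "ExtraFieldInfo": {"TargetSid": "S-1-5-21-3239415629-1862073780-2394361899-1601",
                    "TicketEncryptionType": "0x17"}}
{"Timestamp": "2024-05-29 06:37:49.227 +00:00", "EventID": 4769,
 "Details": {"TgtUser": "happy.grunwald@FORELA.LOCAL", "Svc": "DC01$",
             "SrcIP": "::ffff:172.17.79.129", "Status": "0x0"},
 "ExtraFieldInfo": {"TicketEncryptionType": "0x12"}}
{"Timestamp": "2024-05-29 06:38:10.000 +00:00", "EventID": 4769,
 "Details": {"TgtUser": "svc.backup@FORELA.LOCAL", "Svc": "cifs/FS01",
             "SrcIP": "::ffff:172.17.79.50", "Status": "0x0"},
 "ExtraFieldInfo": {"TicketEncryptionType": "0x12"}}
"""


def iter_events(text):
    """Yield event dicts from a JSON array, JSONL, or concatenated objects.
    raw_decode does not skip leading whitespace, so that is done by hand."""
    dec = json.JSONDecoder()
    pos, end = 0, len(text)
    while True:
        while pos < end and text[pos].isspace():
            pos += 1
        if pos >= end:
            return
        obj, pos = dec.raw_decode(text, pos)
        if isinstance(obj, list):  # whole file is one JSON array
            yield from obj
        else:
            yield obj


def parse_ts(s):
    """hayabusa -U timestamps look like '2024-05-29 06:36:40.246 +00:00'."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S.%f %z")


def plain_ip(ip):
    """4768/4769 log IPv4 clients as IPv4-mapped IPv6 ('::ffff:a.b.c.d')."""
    return ip[7:] if ip.startswith("::ffff:") else ip


def find_asrep_roasting(events):
    """Successful 4768 with no pre-authentication (PreAuthType 0) and an
    RC4 ticket (etype 0x17): the AS-REP roasting signature."""
    hits = []
    for ev in events:
        if ev.get("EventID") != 4768:
            continue
        d, x = ev.get("Details", {}), ev.get("ExtraFieldInfo", {})
        if (d.get("Status") == "0x0"
                and str(d.get("PreAuthType")) == "0"
                and str(x.get("TicketEncryptionType", "")).lower() == "0x17"):
            hits.append({"time": parse_ts(ev["Timestamp"]),
                         "target_user": d.get("TgtUser"),
                         "target_sid": x.get("TargetSid"),
                         "src_ip": plain_ip(d.get("SrcIP", ""))})
    return hits


def accounts_from_source(events, src_ip, after, window=timedelta(minutes=5)):
    """Accounts that requested service tickets (4769) from src_ip within
    `window` after the roasting request: the attacker's foothold account(s)."""
    found = []
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        d = ev.get("Details", {})
        t = parse_ts(ev["Timestamp"])
        if plain_ip(d.get("SrcIP", "")) == src_ip and after <= t <= after + window:
            # 4769 TargetUserName is user@REALM; keep only the account name
            found.append((t, d.get("TgtUser", "").split("@")[0], d.get("Svc")))
    return found


def triage(text):
    """Return one report entry per AS-REP roasting hit with its follow-on accounts."""
    events = list(iter_events(text))
    return [{**hit, "follow_on": accounts_from_source(events, hit["src_ip"], hit["time"])}
            for hit in find_asrep_roasting(events)]


if __name__ == "__main__":
    for r in triage(SAMPLE_TIMELINE):
        print(f"{r['time']:%Y-%m-%d %H:%M:%S} AS-REP roast of {r['target_user']} "
              f"({r['target_sid']}) from {r['src_ip']}")
        for t, user, svc in r["follow_on"]:
            print(f"  {t:%H:%M:%S} {user} requested a ticket for {svc} from the same host")
```

Run it against a real timeline with `triage(open("hayabusa.json", encoding="utf-8").read())`. The five-minute correlation window is an analyst's choice, not a Kerberos property; widen it if the attacker waited before using the cracked credentials, and treat any account it returns as a candidate to verify against the share-access (5140) events rather than as proof on its own.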