HTB Academy : Cybersecurity Training detecting kerberoasting in detecting windows attacks with splunk

Modify and employ the Splunk search provided at the "Detecting Kerberoasting - SPN Querying" part of this section on all ingested data (All time). Enter the name of the user who initiated the process that executed an LDAP query containing the "(&(samAccountType=805306368)(servicePrincipalName=)*" string at 2023-07-26 16:42:44 as your answer. Answer format: CORP_ Any hints on this? I tried all usernames, none working.


index=main earliest="07/26/2023:00:00:00" latest="07/28/2023:23:59:59" EventCode=4648 OR (EventCode=4769 AND service_name=iis_svc)
| dedup RecordNumber
| rex field=user "(?<username>[^@]+)"
| search username!=*$
| transaction username keepevicted=true maxspan=5s endswith=(EventCode=4648) startswith=(EventCode=4769)
| where closed_txn=0 AND EventCode = 4769
| table _time, EventCode, service_name, username

Your query gives 2 usernames, but none of them is working.
I built my own query, which results in more usernames. I tried all of them; none of them is working.
No idea how to move on…

search for all time

What I am searching on Splunk is:
index=main source="WinEventLog:SilkService-Log"
| spath input=Message
| rename XmlEventData.* as *
| search "(&(samAccountType=805306368)(servicePrincipalName=)*"

I'm searching this so I can read the entire output of the specific logs given for 2023-07-26 16:42:44.

I then modified my search to:
index=main source="WinEventLog:Security" ProcessId=7136
| table _time, AccountName, ComputerName, EventCode, ProcessId, ProcessName
| search earliest="07/26/2023:00:00:00"

I am not sure what to do at this point. Any hints/help please? Thanks!

Hello,

  1. Modify the SPN query (search all time):
index=main source="WinEventLog:SilkService-Log"
| spath input=Message
| rename XmlEventData.* as *
| table _time, ComputerName, ProcessName, DistinguishedName, SearchFilter
| search SearchFilter="*(&(samAccountType=805306368)(servicePrincipalName=*)*"

This is proof that an LDAP query was launched to discover samAccountName=iis_svc (identified by timestamp).

The logs do not contain the user who launched the query.

  2. To find the user you need to find the TGS request for this account in that time range.
    Try this query:
index=main EventCode=4648 OR (EventCode=4769 AND service_name=iis_svc)
| dedup RecordNumber
| rex field=user "(?<username>[^@]+)"
| search username!=*$
| transaction username keepevicted=true maxspan=5s endswith=(EventCode=4648) startswith=(EventCode=4769)
| where closed_txn=0 AND EventCode = 4769
| table _time, EventCode, service_name, username

and look at the timestamp… Which user requested the TGS at the same LDAP timestamp?

CORP\LANDON_HINES

Thanks for the answer.
Though, these queries are very confusing.
On one hand the query includes event code 4648, and at the end of the query it excludes the events with that same event code.

For example, take this query:

index=main earliest=1690450374 latest=1690450483 EventCode=4648 OR (EventCode=4769 AND service_name=iis_svc)
| dedup RecordNumber
| rex field=user "(?<username>[^@]+)"
| bin span=2m _time 
| search username!=*$ 
| stats values(EventCode) as Events, values(service_name) as service_name, values(Additional_Information) as Additional_Information, values(Target_Server_Name) as Target_Server_Name by _time, username
| where !match(Events,"4648")

At the beginning it selects events with event code 4648 and at the end it discards them.

The same appears to be true for this one:
index=main earliest=1690450374 latest=1690450483 EventCode=4648 OR (EventCode=4769 AND service_name=iis_svc)
| dedup RecordNumber
| rex field=user "(?<username>[^@]+)"
| search username!=*$ 
| transaction username keepevicted=true maxspan=5s endswith=(EventCode=4648) startswith=(EventCode=4769) 
| where closed_txn=0 AND EventCode = 4769
| table _time, EventCode, service_name, username

As it relates to the last query, the notes say: 
This query focuses on identifying events with an EventCode of 4769 that are part of an incomplete transaction (i.e., they did not end with an event with EventCode 4648 within the 5-second window).

Why add event code 4648 if it is not needed?

Recall event code 4648 = A logon was attempted using explicit credentials.

In a kerberoasting attack there is no attempted login. The attacker gets the hash and cracks the hash offline.

Does anybody have any explanation?

Thanks
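As an added illustration of the two-step logic described in the answer above (this is example code written for this thread, not the HTB module's search or any poster's query), the following Python script re-implements both Splunk searches over constructed sample events. Step one parses SilkService-style XML messages to find the LDAP search whose filter enumerates SPN-bearing accounts (the `spath` / `rename XmlEventData.*` / `search SearchFilter=` part). Step two reproduces the `transaction` / `closed_txn=0` step: it keeps only 4769 requests for the service account from non-machine accounts that are not followed by a 4648 from the same user within 5 seconds. The last function joins the two on time. Field names mirror the thread's queries; the sample users, the process name, the XML layout and the 60-second join window are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S"
# LDAP filter fragment that the SPN-querying search in this thread looks for
SPN_FILTER_MARKER = "(&(samAccountType=805306368)(servicePrincipalName="

# Constructed SilkService-style events (not real logs). Message carries the XML
# that the Splunk query flattens with `spath` and `rename XmlEventData.* as *`;
# "&" is XML-escaped as "&amp;" inside the filter text.
SILK_EVENTS = [
    {"_time": "2023-07-26 16:40:10",
     "Message": "<Event><XmlEventData><ProcessName>powershell.exe</ProcessName>"
                "<SearchFilter>(&amp;(objectClass=user)(sAMAccountName=alice))</SearchFilter>"
                "</XmlEventData></Event>"},
    {"_time": "2023-07-26 16:42:44",
     "Message": "<Event><XmlEventData><ProcessName>powershell.exe</ProcessName>"
                "<SearchFilter>(&amp;(samAccountType=805306368)(servicePrincipalName=*))</SearchFilter>"
                "</XmlEventData></Event>"},
]

# Constructed Security-log events with the fields the thread's queries use
# (user as UPN; service_name only present on 4769). Usernames are made up.
SECURITY_EVENTS = [
    {"_time": "2023-07-26 16:42:45", "EventCode": 4769, "user": "web01$@CORP.LOCAL", "service_name": "iis_svc"},
    {"_time": "2023-07-26 16:42:45", "EventCode": 4769, "user": "bob@CORP.LOCAL", "service_name": "iis_svc"},
    {"_time": "2023-07-26 16:42:46", "EventCode": 4769, "user": "carol@CORP.LOCAL", "service_name": "iis_svc"},
    {"_time": "2023-07-26 16:42:47", "EventCode": 4648, "user": "bob@CORP.LOCAL"},      # closes bob's txn
    {"_time": "2023-07-26 16:42:53", "EventCode": 4648, "user": "carol@CORP.LOCAL"},    # 7 s later: outside maxspan
    {"_time": "2023-07-26 16:50:00", "EventCode": 4769, "user": "dave@CORP.LOCAL", "service_name": "sql_svc"},
]


def parse_ts(s):
    return datetime.strptime(s, TS_FMT)


def strip_realm(user):
    """Equivalent of `rex field=user "(?<username>[^@]+)"`."""
    m = re.match(r"[^@]+", user)
    return m.group(0) if m else user


def find_spn_queries(silk_events):
    """LDAP searches whose filter enumerates accounts with an SPN.

    Each hit mirrors the columns of the thread's table: _time, ProcessName,
    SearchFilter. The XML body is parsed here instead of spath/rename."""
    hits = []
    for ev in silk_events:
        data = ET.fromstring(ev["Message"]).find("XmlEventData")
        filt = data.findtext("SearchFilter", default="")
        if SPN_FILTER_MARKER in filt:
            hits.append({"_time": parse_ts(ev["_time"]),
                         "ProcessName": data.findtext("ProcessName"),
                         "SearchFilter": filt})
    return hits


def unclosed_tgs_requests(sec_events, service, max_span=timedelta(seconds=5)):
    """4769 requests for `service` by non-machine accounts with no 4648 from the
    same user within max_span: the closed_txn=0 rows of the transaction search.
    4648 is only consulted as the transaction's end marker, never reported."""
    events = sorted(sec_events, key=lambda e: parse_ts(e["_time"]))
    logons_by_user = {}
    for e in events:
        if e["EventCode"] == 4648:
            logons_by_user.setdefault(strip_realm(e["user"]), []).append(parse_ts(e["_time"]))
    flagged = []
    for e in events:
        if e["EventCode"] != 4769 or e.get("service_name") != service:
            continue
        username = strip_realm(e["user"])
        if username.endswith("$"):            # search username!=*$
            continue
        t = parse_ts(e["_time"])
        closed = any(t <= logon <= t + max_span for logon in logons_by_user.get(username, []))
        if not closed:
            flagged.append({"_time": t, "username": username, "service_name": service})
    return flagged


def kerberoast_candidates(silk_events, sec_events, service, window=timedelta(seconds=60)):
    """Join both views: users whose unclosed TGS request for `service` lands
    within `window` after an SPN-enumerating LDAP query (window is an assumption)."""
    out = []
    for q in find_spn_queries(silk_events):
        for r in unclosed_tgs_requests(sec_events, service):
            if q["_time"] <= r["_time"] <= q["_time"] + window:
                out.append((q["_time"].strftime(TS_FMT), q["ProcessName"], r["username"]))
    return out


if __name__ == "__main__":
    for row in kerberoast_candidates(SILK_EVENTS, SECURITY_EVENTS, "iis_svc"):
        print("LDAP SPN query at %s by %s; unclosed TGS request from %s" % row)
```

On the constructed data this reports only carol: bob's 4769 is closed by a 4648 two seconds later, web01$ is dropped as a machine account, and dave asked for a different service. It also shows why the base search has to include 4648 even though the final `where` discards it: `transaction` can only use a 4648 as its `endswith` marker if that event is in the search results, so the 4648 rows are there to remove closed 4769 requests from the output, not to be reported themselves.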

My contribution to the forum:

index=main (EventCode=4648 OR EventCode=4769) AND service="iis_svc"
| rex field=user "(?<username>[^@]+)"
| eval _time_str=strftime(_time, "%Y-%m-%d %H:%M:%S")
| search _time_str="2023-07-26 16:42:*"
| table service_id, username, service, _time
| where !match(username, "\w+\$")
| dedup username