Scenario: Forela's network is under attack. An alert was raised about an old admin account requesting a ticket from the KDC on a domain controller, yet the account is marked inactive in the inventory. The investigation aims to determine whether this is an ASREP Roasting attack, in which an attacker requests TGTs for accounts that have Kerberos pre-authentication disabled and takes the encrypted part of the reply away for offline password cracking.
1. When did the ASREP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user?
To determine when the attack occurred:
Process the provided security event logs using EvtxECmd.
Command: EvtxECmd.exe -f Security.evtx --csv C:\Users\Username\Desktop\
Open the generated CSV file in Timeline Explorer.
Filter by Event ID 4768.
Check the PayloadData6 column for entries containing "Logon without Pre-Authentication" (Pre-Authentication Type 0 in the event), which indicate an ASREP Roasting request. The TimeCreated column of that row gives the time of the request; EvtxECmd writes timestamps in UTC.
2. Please confirm the User Account that was targeted by the attacker.
Continue filtering for Event ID 4768.
Scroll to the PayloadData1 column to identify the username of the targeted account.
3. What was the SID of the account?
In the same filtered view, locate the TargetSid field within the Payload column (the event's EventData, serialised as JSON) to find the Security Identifier (SID) of the account.
4. What is the internal IP address of the compromised asset?
In the same log entry, locate the IpAddress field within the Payload content. Event 4768 records IPv4 clients in IPv4-mapped form (::ffff:a.b.c.d), so drop that prefix to get the internal address.
This address identifies the source machine from which the ticket was requested.
5. What user account was used to perform the ASREP Roasting attack?
Remove the Event ID 4768 filter and instead filter on the IP address identified in question 4.
The remaining entries (other 4768 requests and logon events from the same address) show which user account was active on that host and therefore performed the ASREP Roasting attack.
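The five steps above can be scripted against the EvtxECmd CSV rather than worked by hand in Timeline Explorer. The following is an added example, not part of the original write-up or of the EvtxECmd project: it loads the export with csv.DictReader, flags 4768 rows whose Pre-Authentication Type is 0, pulls the target user, TargetSid and client IP out of the Payload JSON, and then pivots on that IP to list the other accounts seen from the same host. The sample rows, usernames, SIDs, addresses and timestamps are constructed; the Payload layout mimics EvtxECmd's EventData JSON but is reduced to the fields the walk-through reads.

```python
import csv
import json

# Constructed sample rows in the shape of EvtxECmd's CSV export, limited to the
# columns this walk-through uses. All values are made up for illustration.
def _payload(user, sid, ip, preauth):
    """Build a Payload cell the way the constructed sample lays it out."""
    data = [{"@Name": "TargetUserName", "#text": user},
            {"@Name": "TargetSid", "#text": sid},
            {"@Name": "IpAddress", "#text": ip},
            {"@Name": "PreAuthType", "#text": preauth}]
    return json.dumps({"EventData": {"Data": data}})


SAMPLE_ROWS = [
    {"TimeCreated": "2024-05-21 03:15:02", "EventId": "4768",
     "PayloadData1": "Target: FORELA\\j.miller", "PayloadData6": "PreAuthType: Kerberos",
     "Payload": _payload("j.miller", "S-1-5-21-1111-2222-3333-1104", "::ffff:10.10.1.20", "2")},
    # the roasting request: an inactive admin account with pre-auth disabled (type 0)
    {"TimeCreated": "2024-05-21 03:18:41", "EventId": "4768",
     "PayloadData1": "Target: FORELA\\legacy-admin",
     "PayloadData6": "PreAuthType: Logon without Pre-Authentication",
     "Payload": _payload("legacy-admin", "S-1-5-21-1111-2222-3333-1001", "::ffff:10.10.1.55", "0")},
    # a normal TGT request from the same client shortly afterwards
    {"TimeCreated": "2024-05-21 03:18:43", "EventId": "4768",
     "PayloadData1": "Target: FORELA\\k.tanaka", "PayloadData6": "PreAuthType: Kerberos",
     "Payload": _payload("k.tanaka", "S-1-5-21-1111-2222-3333-1150", "::ffff:10.10.1.55", "2")},
    {"TimeCreated": "2024-05-21 03:20:10", "EventId": "4768",
     "PayloadData1": "Target: FORELA\\j.miller", "PayloadData6": "PreAuthType: Kerberos",
     "Payload": _payload("j.miller", "S-1-5-21-1111-2222-3333-1104", "::ffff:10.10.1.20", "2")},
]


def _event_data(payload_json):
    """Flatten the Payload column's EventData list into a {name: value} dict."""
    items = json.loads(payload_json)["EventData"]["Data"]
    return {item["@Name"]: item.get("#text", "") for item in items}


def _client_ip(raw):
    """4768 records IPv4 clients in IPv4-mapped form (::ffff:a.b.c.d); strip it."""
    return raw[len("::ffff:"):] if raw.startswith("::ffff:") else raw


def load_evtxecmd_csv(path):
    """Read an EvtxECmd CSV export into rows shaped like SAMPLE_ROWS."""
    with open(path, newline="", encoding="utf-8-sig") as fh:
        return list(csv.DictReader(fh))


def find_asrep_requests(rows):
    """Steps 1-4: 4768 TGT requests made without pre-authentication."""
    hits = []
    for row in rows:
        if row["EventId"] != "4768":
            continue
        fields = _event_data(row["Payload"])
        no_preauth = (fields.get("PreAuthType") == "0"
                      or "Logon without Pre-Authentication" in row.get("PayloadData6", ""))
        if not no_preauth:
            continue
        hits.append({"time_utc": row["TimeCreated"],
                     "user": fields["TargetUserName"],
                     "sid": fields["TargetSid"],
                     "source_ip": _client_ip(fields["IpAddress"])})
    return hits


def accounts_from_ip(rows, ip):
    """Step 5: every account seen in any event whose client address is `ip`."""
    seen = set()
    for row in rows:
        fields = _event_data(row["Payload"])
        if _client_ip(fields.get("IpAddress", "")) == ip:
            seen.add(fields.get("TargetUserName", ""))
    return sorted(user for user in seen if user)


def likely_attacker_accounts(rows, hit):
    """Accounts active from the roasting host other than the roasted account itself."""
    return [u for u in accounts_from_ip(rows, hit["source_ip"]) if u != hit["user"]]


if __name__ == "__main__":
    for hit in find_asrep_requests(SAMPLE_ROWS):
        print(hit, "-> accounts on that host:", likely_attacker_accounts(SAMPLE_ROWS, hit))
```

On a real export, replace SAMPLE_ROWS with load_evtxecmd_csv("Security.csv"); the pivot in accounts_from_ip deliberately ignores the EventId so that 4624 logons from the same address are counted alongside 4768 requests, which is what the manual IP filter in step 5 does.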
Conclusion: This process establishes the timeline, targeted user account, SID, and source IP of the ASREP Roasting attack, and then pivots from that IP to the account that carried it out, giving the containment and threat-hunting work a concrete starting point. Identifying the compromised machine and the accounts involved also points to the underlying fix: disabled pre-authentication on a dormant admin account, which should be re-enabled or the account removed.