ShadowRoast
As a cybersecurity analyst at TechSecure Corp, you have been alerted to unusual activities within the company's Active Directory environment. Initial reports suggest unauthorized access and possible privilege escalation attempts.
Your task is to analyze the provided logs to uncover the attack's extent and identify the malicious actions taken by the attacker. Your investigation will be crucial in mitigating the threat and securing the network.
Note: I will not mention any activity outside the lab scope.
Based on the lab environment (Office-PC, FileServer, DC01), my working assumption was that the attack originated from Office-PC.
I started by looking for suspicious processes or unusual programs executed on Office-PC. Luckily, Sysmon is installed, so I could use Event ID 1 (Process Creation) instead of Security event 4688: Sysmon records the full command line, parent process and image hashes by default, whereas 4688 only carries the command line when that audit setting has been switched on.
I used the following query:
The attacker had downloaded an executable named AdobeUpdater.exe, and it was launched from the Windows GUI (its parent process is explorer.exe, the usual sign of a user double-clicking a file), which is how initial access was obtained. On execution, AdobeUpdater.exe spawned cmd.exe, which in turn started PowerShell.
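To show what that hunt looks like outside the SIEM, here is an added Python example (my own code, not part of the original writeup or the lab) that rebuilds process ancestry from Sysmon Event ID 1 records and flags shells whose lineage goes back to an executable run from a user-writable folder with explorer.exe as its parent. The records, GUIDs, user name and paths are constructed for illustration; only the field names follow the Sysmon schema.

```python
"""Reconstruct process ancestry from Sysmon Event ID 1 (process creation) records
and flag shells descended from an executable run out of a user-writable folder."""
import re
from typing import Dict, List

# Constructed sample records (illustrative, not lab data). Field names follow the
# Sysmon Event ID 1 schema; the GUIDs are shortened placeholders.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {"ProcessGuid": "{G-EXPLORER}", "ParentProcessGuid": "{G-USERINIT}",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": r"C:\Windows\Explorer.EXE",
     "User": r"TECHSECURE\jdoe"},
    {"ProcessGuid": "{G-DROPPER}", "ParentProcessGuid": "{G-EXPLORER}",
     "Image": r"C:\Users\jdoe\Downloads\AdobeUpdater.exe",
     "CommandLine": r'"C:\Users\jdoe\Downloads\AdobeUpdater.exe"',
     "User": r"TECHSECURE\jdoe"},
    {"ProcessGuid": "{G-CMD}", "ParentProcessGuid": "{G-DROPPER}",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell -ep bypass -w hidden",
     "User": r"TECHSECURE\jdoe"},
    {"ProcessGuid": "{G-PS}", "ParentProcessGuid": "{G-CMD}",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -ep bypass -w hidden",
     "User": r"TECHSECURE\jdoe"},
    # Benign: Explorer starting Notepad from System32 must not be flagged.
    {"ProcessGuid": "{G-NOTEPAD}", "ParentProcessGuid": "{G-EXPLORER}",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe",
     "User": r"TECHSECURE\jdoe"},
]

# Folders an unprivileged user can write to: a binary starting there, launched
# by explorer.exe, is the classic "user double-clicked a download" pattern.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(downloads|desktop|appdata)|users\\public|windows\\temp)\\",
    re.IGNORECASE,
)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def basename(image: str) -> str:
    return image.rsplit("\\", 1)[-1].lower()


def ancestry(by_guid: Dict[str, Dict[str, str]], guid: str) -> List[str]:
    """Follow ParentProcessGuid links upward; returns image paths root..leaf.
    A GUID with no record (a process older than Sysmon's install) ends the walk."""
    chain, seen = [], set()
    while guid in by_guid and guid not in seen:
        seen.add(guid)  # guard against malformed or looping parent links
        chain.append(by_guid[guid]["Image"])
        guid = by_guid[guid]["ParentProcessGuid"]
    return chain[::-1]


def find_dropper_chains(events: List[Dict[str, str]]) -> List[List[str]]:
    """For every shell process, return its ancestry if some ancestor is an
    executable in a user-writable folder whose own parent is explorer.exe."""
    by_guid = {e["ProcessGuid"]: e for e in events}
    hits = []
    for ev in events:
        if basename(ev["Image"]) not in SHELLS:
            continue
        chain = ancestry(by_guid, ev["ProcessGuid"])
        for i in range(1, len(chain)):
            if USER_WRITABLE.match(chain[i]) and basename(chain[i - 1]) == "explorer.exe":
                hits.append(chain)
                break
    return hits


if __name__ == "__main__":
    for chain in find_dropper_chains(SAMPLE_EVENTS):
        print(" -> ".join(basename(p) for p in chain))
```

Feed it Sysmon events exported as JSON (for example from a SIEM search on EventID 1) and every reported chain reads root to leaf, so the first hop explorer.exe to a Downloads binary and the shells below it are visible in one line.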
AS-REP Roasting is a technique targeting Kerberos, the network authentication protocol used in Active Directory. It focuses on user accounts for which Kerberos pre-authentication has been disabled (the DONT_REQ_PREAUTH flag in userAccountControl).
In a standard Kerberos authentication flow with pre-authentication enabled, the user starts by sending an Authentication Server Request (AS-REQ) to the domain controller (DC). This message includes a timestamp encrypted with a key derived from the user's password (for RC4, the NT hash itself). The DC tries to decrypt the timestamp with its stored copy of that key; if it succeeds, it replies with an Authentication Server Response (AS-REP) carrying a Ticket Granting Ticket (TGT) issued by the Key Distribution Center (KDC), which the user then presents in every subsequent service ticket request within the domain. When pre-authentication is disabled, the DC skips the timestamp check and returns the AS-REP to anyone who asks for that user; part of that response is encrypted with the same password-derived key, so the attacker can take it offline and guess passwords against it without ever touching the account's lockout counter.
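The detection side of that explanation, as an added Python example (my own, not from the original writeup or the lab): a TGT request is logged by the DC as Security event 4768, and a roasted account shows up there as a ticket issued with PreAuthType 0. The records below are constructed, and the account names and IPs are placeholders; the field names are the event's own EventData fields.

```python
"""Flag AS-REP roasting candidates in Windows Security event 4768 records."""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

RC4_HMAC = "0x17"

# Constructed sample 4768 (TGT request) records, not lab data. Field names follow
# the event's EventData: PreAuthType "2" = encrypted timestamp, "0" = no
# pre-authentication; TicketEncryptionType 0x17 = RC4-HMAC, 0x12 = AES256-CTS;
# Status 0x0 = ticket issued.
SAMPLE_4768: List[Dict[str, str]] = [
    {"TargetUserName": "jdoe", "IpAddress": "::ffff:10.10.1.21",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    {"TargetUserName": "svc_backup", "IpAddress": "::ffff:10.10.1.21",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.10.1.21",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Unknown principal (0x6): no AS-REP was issued, so there is nothing to crack.
    {"TargetUserName": "nobody", "IpAddress": "::ffff:10.10.1.21",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x6"},
    # Pre-auth disabled but AES issued: still roastable, just slower to crack.
    {"TargetUserName": "svc_backup", "IpAddress": "::ffff:10.10.1.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
]


def is_roast_candidate(ev: Dict[str, str]) -> bool:
    """A TGT issued (Status 0x0) without pre-authentication means the AS-REP's
    encrypted part, keyed from the account's password, went to the requester."""
    return ev["PreAuthType"] == "0" and ev["Status"].lower() == "0x0"


def roast_summary(events: List[Dict[str, str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Group candidates by requesting IP -> [(account, confidence)]. RC4 is rated
    high: an AES-default domain should not be handing out RC4-keyed AS-REPs."""
    summary: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for ev in events:
        if not is_roast_candidate(ev):
            continue
        conf = "high" if ev["TicketEncryptionType"].lower() == RC4_HMAC else "medium"
        summary[ev["IpAddress"]].append((ev["TargetUserName"], conf))
    return dict(summary)


def suspicious_sources(events: List[Dict[str, str]], min_accounts: int = 2) -> Set[str]:
    """Accounts with pre-auth disabled log PreAuthType 0 on every normal logon,
    so a single AES request is baseline noise; RC4, or one host collecting
    AS-REPs for several such accounts, is the roasting signature."""
    hits = set()
    for ip, entries in roast_summary(events).items():
        accounts = {acct for acct, _ in entries}
        if len(accounts) >= min_accounts or any(conf == "high" for _, conf in entries):
            hits.add(ip)
    return hits


def roasted_accounts(events: List[Dict[str, str]]) -> Set[str]:
    """Accounts whose AS-REP a suspicious source can now crack offline; these need
    a password reset and pre-authentication re-enabled."""
    bad_ips = suspicious_sources(events)
    return {acct for ip, entries in roast_summary(events).items()
            if ip in bad_ips for acct, _ in entries}


if __name__ == "__main__":
    for ip in sorted(suspicious_sources(SAMPLE_4768)):
        print(ip, roast_summary(SAMPLE_4768)[ip])
```

The RC4 weighting matters in practice: tooling normally asks for RC4 so the resulting hash cracks faster, which is why 0x17 stands out in a domain where everyone else gets 0x12. The IpAddress of the hits should be the workstation the shell ran on; here that would be Office-PC.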
So, did the attacker gain access, and which user account was compromised?
The attacker gained access to the tcooper account. That makes two compromised accounts so far: tcooper and sanderson.
Following this, the attacker downloaded another tool into the same directory, named DefragTool.exe. Its hash (SHA256: 92804faaab2175dc501d73e814663058c78c0a042675a8937266357bcfb96c50) identifies it as Mimikatz. The attacker used it to dump credentials and escalate privileges to SYSTEM.
The attacker maintained persistence through the Run registry key, written by a PowerShell command that was launched from AdobeUpdater.exe.
A value under the Run key is executed every time a user logs on: under HKCU it fires for that user only, under HKLM for every user of the machine.
After gaining access to the tcooper account, the attacker enabled Remote Desktop by setting the fDenyTSConnections value under HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server to 0 (1 denies connections).
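Both registry changes described above (the Run-key autostart and the fDenyTSConnections flip) are visible in Sysmon Event ID 13 if the config captures those keys, so here is an added Python example (my own code, not the original writeup's query) that picks them out of such records and ignores the noise around them. The records are constructed; the SID, paths and the writing processes are placeholders. Two details it relies on are real Sysmon behaviour: HKCU writes are logged under HKU\<SID>\..., and DWORD data appears in Details as "DWORD (0x00000000)".

```python
"""Pick the Run-key autostart and the RDP enablement out of Sysmon Event ID 13
(RegistryEvent: value set) records."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample Event ID 13 records, not lab data. Sysmon writes HKCU paths
# as HKU\<SID>\... and renders DWORD data in Details as "DWORD (0x00000000)".
SAMPLE_EID13: List[Dict[str, str]] = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1105"
                     r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AdobeUpdater",
     "Details": r"C:\Users\jdoe\Downloads\AdobeUpdater.exe"},
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    # Benign noise: an installer updating its own version string.
    {"Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Vendor\App\Version", "Details": "2.1.0"},
    # Setting the value back to 1 disables RDP again, so it is not a hit.
    {"Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000001)"},
]

RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)\\([^\\]+)$", re.I)
RDP_DENY = re.compile(r"\\Control\\Terminal Server\\fDenyTSConnections$", re.I)
DWORD = re.compile(r"^DWORD \(0x([0-9a-f]{8})\)$", re.I)
# Coarse "could a normal user have dropped this here" check on the autostart target.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users\\|windows\\temp\\|programdata\\)", re.I)


def classify(ev: Dict[str, str]) -> Optional[Tuple[str, ...]]:
    """Return a finding tuple for the two patterns of interest, else None."""
    m = RUN_KEY.search(ev["TargetObject"])
    if m:
        hive = "HKLM (all users)" if ev["TargetObject"].upper().startswith("HKLM") else "HKU (that user)"
        writable = bool(USER_WRITABLE.match(ev["Details"]))
        return ("persistence", m.group(1), m.group(2), ev["Details"], hive, writable)
    if RDP_DENY.search(ev["TargetObject"]):
        d = DWORD.match(ev["Details"])
        if d and int(d.group(1), 16) == 0:
            return ("rdp-enabled", ev["Image"])
    return None


def findings(events: List[Dict[str, str]]) -> List[Tuple[str, ...]]:
    return [f for f in map(classify, events) if f is not None]


if __name__ == "__main__":
    for f in findings(SAMPLE_EID13):
        print(f)
```

The hive and writable flags are there because they change the story: an HKU Run value pointing into a Downloads folder is a user-level foothold that survives that user's logons only, whereas the same value under HKLM pointing into Program Files implies the attacker already had admin. The fDenyTSConnections check deliberately ignores writes of 1, so a later cleanup or GPO refresh does not show up as a second "enable".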
The attacker also attempted to exfiltrate data. To check for this, I used the following query:
Stepping back to how tcooper was compromised: the attacker downloaded Rubeus.exe under the name BackupUtility.exe (SHA256: 1bfbefa4ff4d0df3ee0090b5079cf84ed2e8d5377ba5b7a30afd88367d57b9ff) and used it to perform the AS-REP Roasting attack, with the output formatted specifically for offline cracking.
And that was the lab!
I hope you enjoyed it :)
Lab Link: