IOC differences between Kerberoasting and AS-REP Roasting

Background:

Hello everyone! Thank you for tuning in. I was running some Kerberoast and AS-REP Roasting attack techniques on my Detection Lab, and noticed some really cool IOC (Indicator of Compromise) differences between the two. Before we get started though, I want to explain these two attacks. Although you could categorize these two attacks as the same, they are two pretty different attacks. So let's break it down.

Detection (Same Logs):

When doing these attacks, I did it with the intent of collecting logs and IOCs. While doing this, I was honestly surprised at which tools turned out to use the same logs to detect these two attacks, but there were 2 tools in particular that detected these attacks differently and gave some pretty cool logs. Before I show those tools I want to show the tools that gave the same logs. Because they are the same I will only show one log, not both.

Splunk — Threat Hunting App:Credential_Access
Raw Logs
  1. Raw Logs: lsass.exe, the Local Security Authority Subsystem Service, verifies users logging in on Windows environments. The credentials it handles are stored in protected memory, and anyone with Domain Access can actually dump those credentials. This process name is often faked by malware or malicious attacks that are being run against your system.

Detection (Difference in Logs):

I am going to show these logs, give a brief explanation then do a Difference section to show and explain the differences in the logs and how you can detect one attack from the other.

Kerberoast:

Native Windows Event Logging can be used to detect and alert on the execution of the Kerberoast attack technique. For this detection to be robust, the Domain Controllers' advanced security auditing policy will need to be configured to log Kerberos Authentication Service and Kerberos Service Ticket Operations. This will allow the Domain Controller to log Kerberos service ticket requests.

Windows Event ID 4768: Kerberos authentication ticket (TGT) was requested
Windows Event ID 4769: Kerberos service ticket was requested
Wireshark: TGS-REQ/TGS-REP
Wireshark: TGS-REQ
Wireshark: TGS-REP

Kerberoast Queries

As shown, an adversary can use a captured user's domain credentials to request Kerberos TGS tickets for accounts that are associated with an SPN. This ticket can be requested in a specific encryption type (RC4) so that, when taken offline, it is easier to crack. I have noticed, however, that when filtering for service ticket requests where the requesting account isn't a machine ($) account or the krbtgt account, and the failure code is 0x0, this either gets us straight to the account the adversary was using or narrows the results down to where you can pick out the false positives and find the adversary more easily.

Analytic Logic

Potential False Positives

  • Anytime a user wants access to a service, a service ticket is requested. Meaning, service tickets are requested very often in environments. This makes this attack hard to hunt for.

AS-REP Roasting:

Windows Event ID 4768: Kerberos authentication ticket (TGT) was requested
Windows Event ID 4625: An account failed to log on
Wireshark: Invalid creds Red Flag
Wireshark: AS-REQ/AS-REP
Wireshark: AS-REP
Wireshark: AS-REQ

Difference:

  1. In Windows Security Logs, Kerberoast will contain Event IDs 4768 and 4769, whereas AS-REP Roasting contains Event IDs 4768 and 4625. The biggest indicator to me that an attack was AS-REP Roasting rather than Kerberoast was the failed logon attempt combined with the absence of any service ticket request.
  2. I have pointed out a couple of differences between the attacks and their IOCs, but to summarize: Kerberoast has AS-REQ/AS-REP AND TGS-REQ/TGS-REP. AS-REP Roasting ONLY has AS-REQ/AS-REP. That is because Kerberoast is requesting a service ticket for a service account, whereas AS-REP Roasting is only requesting a Kerberos authentication ticket.
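To make the two indicator sets concrete, here is a small classifier that applies the filters from the Kerberoast query (RC4 ticket, non-machine and non-krbtgt requester, status 0x0) and the AS-REP Roasting pattern (4768 plus 4625 with no 4769) over constructed sample events. This is an added example, not code from this post or from DetectionLab; the dictionary field names are simplified assumptions rather than the exact Windows event XML names.

```python
"""Classify per-account Windows Security event sequences into the two
roasting patterns discussed above. Added example; events are constructed."""
from collections import defaultdict

RC4_HMAC = "0x17"  # TicketEncryptionType value for RC4-HMAC (0x12 is AES256)

# Constructed sample events (not real captures). Field names are assumptions:
# "account" ~ TargetUserName, "enc" ~ TicketEncryptionType, "status" ~ Status.
EVENTS = [
    {"id": 4768, "account": "jdoe", "enc": "0x12", "status": "0x0"},
    {"id": 4769, "account": "jdoe", "service": "MSSQLSvc", "enc": RC4_HMAC, "status": "0x0"},
    {"id": 4769, "account": "jdoe", "service": "HTTP", "enc": RC4_HMAC, "status": "0x0"},
    {"id": 4768, "account": "svc_backup", "enc": RC4_HMAC, "status": "0x0"},
    {"id": 4625, "account": "svc_backup", "status": "0xC000006D"},
    {"id": 4769, "account": "WS01$", "service": "cifs", "enc": RC4_HMAC, "status": "0x0"},
    {"id": 4768, "account": "alice", "enc": "0x12", "status": "0x0"},
    {"id": 4769, "account": "alice", "service": "cifs", "enc": "0x12", "status": "0x0"},
]


def is_candidate_requester(account):
    """Filters from the Kerberoast query: ignore machine ($) accounts and krbtgt."""
    return not account.endswith("$") and account.lower() != "krbtgt"


def classify(events):
    """Return {account: label} using the IOC differences from the post:
    kerberoast-candidate  -> successful (0x0) RC4 4769s from a non-machine,
                             non-krbtgt account
    asrep-roast-candidate -> 4768 and 4625 present, but no 4769 at all
    benign                -> everything else (e.g. AES service tickets)
    """
    by_acct = defaultdict(list)
    for e in events:
        by_acct[e["account"]].append(e)
    labels = {}
    for acct, evs in by_acct.items():
        ids = {e["id"] for e in evs}
        rc4_tgs = [e for e in evs
                   if e["id"] == 4769 and e["enc"] == RC4_HMAC and e["status"] == "0x0"]
        if 4769 not in ids and {4768, 4625} <= ids:
            labels[acct] = "asrep-roast-candidate"
        elif rc4_tgs and is_candidate_requester(acct):
            labels[acct] = "kerberoast-candidate"
        else:
            labels[acct] = "benign"
    return labels


if __name__ == "__main__":
    for acct, label in classify(EVENTS).items():
        print(f"{acct:12} {label}")
```

Note that the machine account WS01$ also requested an RC4 service ticket but is dropped by the requester filter, which is exactly the false-positive reduction described in the Kerberoast Queries section.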

Summary:

In this article I have shown the main IOC differences between two different attacks: Kerberoasting and AS-REP Roasting. I would admit the detection for Kerberoasting is hard, simply because requests for service tickets happen a lot, BUT if you look for service ticket requests using RC4 encryption, then I am sure you will have better luck.

Sources:

Detection Lab — Chris Long — https://github.com/clong/DetectionLab

Consultant @SpecterOps | Host @DCPThePodcast | Defensive Security Researcher

Jonathan Johnson