In this lab walkthrough, we will explore the detection and investigation of a Kerberoasting attack, a prevalent technique attackers use to exploit weaknesses in the Kerberos authentication protocol in Windows environments. Kerberoasting allows adversaries to obtain Kerberos service tickets (TGS tickets) for service accounts; these tickets are encrypted using the service accounts' password hashes. By cracking the tickets offline, attackers can gain unauthorized access to privileged accounts without triggering immediate alarms.
As a cyber threat hunter, your task is to investigate suspicious Kerberos-related activity within the organization's network. Using Splunk, a powerful Security Information and Event Management (SIEM) tool, you will analyze Windows Event Logs to identify potential indicators of compromise, such as weak encryption types, unusual ticket request patterns, and unauthorized service account logins. The lab will guide you through querying event logs for specific Event IDs and examining Kerberos ticket requests, successful logins, and system modifications that may indicate post-exploitation activity.
Throughout this investigation, you will uncover various tactics used by attackers to escalate privileges, establish persistence, and maintain control over compromised systems.