Overview
Threat actors can abuse the Kerberos protocol to recover passwords related to service accounts (Kerberoasting) or to take advantage of accounts that do not require pre-authentication (AS-REP roasting). You can use Blumira's Dogemira script to automatically create a Kerberos service account honey credential (honeytoken) that can help you to detect and prevent these threats.
Reference: See Defending Against Active Directory Kerberos Attacks for more details.
Before you begin
To ensure that Blumira can receive logs for detections, you must first:
- Integrate Blumira with your Windows machines by completing the steps in Automating Windows log collection with Poshim or by deploying Blumira Agent on your Windows endpoints.
- Ensure auditing of Kerberos Service Ticket Operations is enabled. You can use Logmira, our predefined audit policy, to enable these events.
Running the script
After downloading the DOGEMIRA.ps1 script, run it from an elevated (administrative) PowerShell prompt as a user account that has privileges to create Active Directory accounts and SPNs. If you have a multi-domain forest, run the script once for each domain in the forest.
Related findings
Blumira generates the following findings when a Kerberos event matches the listed criteria:
- For "Kerberoast Attack Behavior - Honeytoken Interaction":
  - Event ID: 4769
  - Encryption type: 0x17
  - Ticket options: 0x40810000, 0x40810010, or 0x60810010
  - SPN Name: <Name of your honeycred / SPN name>
- For "AS-REP Roasting Attack":
  - Event ID: 4768
  - Encryption type: 0x17
  - Ticket options: 0x40800010
  - Account Name: <Name of your honeycred>
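As an added example (not part of Blumira's documentation or the Dogemira script), the two rules above expressed as matching logic over constructed 4768/4769 event records. The honeytoken name svc-dogemira is a placeholder, and the field names (ServiceName, TargetUserName, TicketEncryptionType, TicketOptions) are assumed to follow the Windows Security EventData schema.

```python
HONEYTOKEN = "svc-dogemira"  # assumed honey account/SPN name (placeholder)

# Criteria from the "Related findings" list. Field names follow the
# Windows Security EventData schema: 4769 carries the SPN's account in
# ServiceName, 4768 carries the requested account in TargetUserName.
KERBEROAST_OPTIONS = {"0x40810000", "0x40810010", "0x60810010"}
ASREP_OPTIONS = {"0x40800010"}
RC4_HMAC = "0x17"


def account_of(value):
    """Normalise 'name@REALM' / 'NAME$' forms to a bare lowercase account name."""
    return value.split("@")[0].rstrip("$").lower()


def classify(event):
    """Return the finding name for an event that matches a rule, else None."""
    if event.get("TicketEncryptionType", "").lower() != RC4_HMAC:
        return None  # AES requests are normal traffic for either rule
    eid = event.get("EventID")
    opts = event.get("TicketOptions", "").lower()
    if eid == 4769 and opts in KERBEROAST_OPTIONS:
        if account_of(event.get("ServiceName", "")) == HONEYTOKEN:
            return "Kerberoast Attack Behavior - Honeytoken Interaction"
    if eid == 4768 and opts in ASREP_OPTIONS:
        if account_of(event.get("TargetUserName", "")) == HONEYTOKEN:
            return "AS-REP Roasting Attack"
    return None


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4769, "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000",
     "ServiceName": "svc-dogemira", "TargetUserName": "jdoe@CORP.EXAMPLE"},  # hit
    {"EventID": 4769, "TicketEncryptionType": "0x12", "TicketOptions": "0x40810000",
     "ServiceName": "svc-dogemira", "TargetUserName": "jdoe@CORP.EXAMPLE"},  # AES, benign
    {"EventID": 4769, "TicketEncryptionType": "0x17", "TicketOptions": "0x40810000",
     "ServiceName": "legacy-app$", "TargetUserName": "jdoe@CORP.EXAMPLE"},   # not the honey SPN
    {"EventID": 4768, "TicketEncryptionType": "0x17", "TicketOptions": "0x40800010",
     "TargetUserName": "svc-dogemira"},                                        # hit
    {"EventID": 4768, "TicketEncryptionType": "0x17", "TicketOptions": "0x40810010",
     "TargetUserName": "svc-dogemira"},                                        # options do not match
]


def findings(events=SAMPLE_EVENTS):
    """Return (EventID, finding) pairs for the events that matched a rule."""
    return [(e["EventID"], f) for e in events if (f := classify(e))]
```

Only the two records that meet every listed criterion produce a finding; the RC4 request against a non-honey SPN and the AES request against the honey SPN are ignored.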
Testing the Kerberoast detection
You can test the "Kerberoast attack behavior" detection by running the two PowerShell commands below from a domain-joined Windows machine.
# Load the .NET class used to request a Kerberos service ticket (TGS) for an SPN
Add-Type -AssemblyName System.IdentityModel
# List every SPN in the domain and request a ticket for each one; the request for the
# honey SPN produces the 4769 event that the "Kerberoast attack behavior" detection matches
setspn.exe -T #YOURDOMAIN# -Q */* | Select-String '^CN' -Context 0,1 | ForEach-Object { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }
Important: Change #YOURDOMAIN# to match the Windows domain for your organization before running the second command.