Deploying a Blumira honeytoken with Dogemira

Overview

Threat actors can abuse the Kerberos protocol to recover passwords related to service accounts (Kerberoasting) or to take advantage of accounts that do not require pre-authentication (AS-REP roasting). You can use Blumira's Dogemira script to automatically create a Kerberos service account honey credential (honeytoken) that can help you to detect and prevent these threats.

Reference: See Defending Against Active Directory Kerberos Attacks for more details.

Before you begin

To ensure that Blumira can receive logs for detections, you must first:

• Integrate Blumira with your Windows machines by completing the steps in Automating Windows log collection with Poshim or by deploying Blumira Agent on your Windows endpoints.

• Ensure auditing of Kerberos Service Ticket Operations is enabled. You can use Logmira, our predefined audit policy, to enable these events

Running the script

After downloading the DOGEMIRA.ps1 script, run it from an administrative PowerShell command prompt with a user account that has privileges to create Active directory accounts and SPNs. If you have a multi-domain forest, you will need to run this once for each domain within your forest.

Enabling detection rules

After implementing the honeytoken, enable these detection rules in Blumira (Settings > Detection Rules):

• Kerberoast attack behavior
• AS-REP Roasting Attack

Reference: See Enabling the detection rules your organization needs for instructions.

With these detection rules enabled, Blumira generates findings related to matches of the following:

• For Kerberoast attack behavior:
  • Event ID: 4769
  • Encryption type: 0x17
  • Ticket options: 0x40810000, 0x40810010, or 0x60810010
  • SPN Name: <Name of your honeycred / SPN name>
• For AS-REP Roasting Attack:
  • Event ID: 4768
  • Encryption type: 0x17
  • Ticket options: 0x40800010
  • Account Name: < Name of your honeycred >

Testing the Kerberoast detection

You can test the "Kerberoast attack behavior" detection by running the two Powershell commands below from a domain-joined windows machine.

Add-Type -AssemblyName System.IdentityModel

setspn.exe -T #YOURDOMAIN# -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() } 

Important: Change #YOURDOMAIN# to match the windows domain for your organization before running the second command.