Deploying a Blumira honeytoken with Dogemira

Overview

Threat actors can abuse the Kerberos protocol to recover passwords related to service accounts (Kerberoasting) or to take advantage of accounts that do not require pre-authentication (AS-REP roasting). You can use Blumira's Dogemira script to automatically create a Kerberos service account honey credential (honeytoken) that can help you to detect and prevent these threats.

Reference: See Defending Against Active Directory Kerberos Attacks for more details.

Before you begin

To ensure that Blumira can receive logs for detections, you must first:

Running the script

After downloading the DOGEMIRA.ps1 script, run it from an administrative PowerShell prompt with a user account that has privileges to create Active Directory accounts and SPNs. If you have a multi-domain forest, you will need to run the script once for each domain in your forest.

Related findings

Blumira generates findings related to matches of the following:

  • For "Kerberoast Attack Behavior - Honeytoken Interaction":
    • Event ID: 4769
    • Encryption type: 0x17
    • Ticket options: 0x40810000, 0x40810010, or 0x60810010
    • SPN Name: <Name of your honeycred / SPN name>
  • For "AS-REP Roasting Attack":
    • Event ID: 4768
    • Encryption type: 0x17
    • Ticket options: 0x40800010
    • Account Name: <Name of your honeycred>
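As an added illustration, not part of Blumira's product or the Dogemira script, the Python below applies the two matching rules listed above to Security events in Windows Event Log XML form. The honeytoken name `svc-honey`, the user names and the IP addresses are placeholders, and the sample events are constructed inline.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
HONEYTOKEN = "svc-honey"  # placeholder: the honeytoken account/SPN name Dogemira created for you
RC4 = "0x17"  # criteria below are the ones listed under "Related findings"
KERBEROAST_OPTS = {"0x40810000", "0x40810010", "0x60810010"}
ASREP_OPTS = {"0x40800010"}

def parse_event(xml_text):
    """Return (EventID, {Data Name: value}) from a Security event in Event Log XML form."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    return event_id, {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}

def classify(event_id, d, honeytoken=HONEYTOKEN):
    """Name the finding an event would raise, or None if it matches neither rule."""
    enc = d.get("TicketEncryptionType", "").lower()
    opts = d.get("TicketOptions", "").lower()
    # 4769: ServiceName is the service account the TGS was requested for
    if (event_id == 4769 and enc == RC4 and opts in KERBEROAST_OPTS
            and d.get("ServiceName", "").lower() == honeytoken.lower()):
        return "Kerberoast Attack Behavior - Honeytoken Interaction"
    # 4768: TargetUserName is the account that requested the TGT
    if (event_id == 4768 and enc == RC4 and opts in ASREP_OPTS
            and d.get("TargetUserName", "").lower() == honeytoken.lower()):
        return "AS-REP Roasting Attack"

def scan(events, honeytoken=HONEYTOKEN):
    """Run both rules over raw event XML; return (finding, requesting account, source IP) tuples."""
    findings = []
    for event_id, d in map(parse_event, events):
        name = classify(event_id, d, honeytoken)
        if name:
            findings.append((name, d.get("TargetUserName"), d.get("IpAddress")))
    return findings

def make_event(event_id, **fields):
    # Minimal Security event in Event Log XML shape, used only to build constructed sample data
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System><EventData>{data}</EventData></Event>'

# Constructed samples: RC4 TGS for the honeytoken, an AES TGS (not matched), and an RC4 AS-REP
SAMPLES = [
    make_event(4769, TargetUserName="alice@CORP.EXAMPLE", ServiceName="svc-honey",
               TicketOptions="0x40810000", TicketEncryptionType="0x17", IpAddress="10.0.0.5"),
    make_event(4769, TargetUserName="bob@CORP.EXAMPLE", ServiceName="svc-honey",
               TicketOptions="0x40810000", TicketEncryptionType="0x12", IpAddress="10.0.0.6"),
    make_event(4768, TargetUserName="svc-honey", ServiceName="krbtgt", PreAuthType="0",
               TicketOptions="0x40800010", TicketEncryptionType="0x17", IpAddress="10.0.0.7"),
]
```

The second sample shows the edge the rules leave out: a ticket for the honeytoken requested with an encryption type other than 0x17 does not match either finding.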

Testing the Kerberoast detection

You can test the "Kerberoast attack behavior" detection by running the two PowerShell commands below from a domain-joined Windows machine.

# Load the .NET assembly that provides KerberosRequestorSecurityToken
Add-Type -AssemblyName System.IdentityModel
# List every SPN in the domain and request a service ticket for each one; because the honeytoken SPN is among them, this produces the 4769 event the detection matches
setspn.exe -T #YOURDOMAIN# -Q */* | Select-String '^CN' -Context 0,1 | % { New-Object System.IdentityModel.Tokens.KerberosRequestorSecurityToken -ArgumentList $_.Context.PostContext[0].Trim() }

Important: Change #YOURDOMAIN# to match the Windows domain for your organization before running the second command.