Task 4.4: Suspected Kerberos SPN exposure (Kerberoasting)
In this detection, Defender for Identity looks for an attacker using tools to enumerate service accounts and their Service Principal Names (SPNs), request Kerberos service tickets for those services, capture the Ticket Granting Service (TGS) tickets from memory, extract their hashes, and save them for later use in an offline brute-force attack.
Tools used in this test: https://github.com/r3motecontrol/Ghostpack-CompiledBinaries.
- Switch to the WIN5 RDP session, signed in as MSMDI\JeffL.
- In the Command window, run:
c:\Tools\Rubeus.exe kerberoast /dc:DC01 /creduser:MSMDI.local\JeffL /credpassword:Passw0rd12!@
You can safely ignore any errors that appear when running the commands.
For more information, review Suspected AS-REP Roasting attack (external ID 2412).
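
To see what this activity looks like from the domain controller's side, the following added example (not part of the lab guide, and not how Defender for Identity implements its detection) applies a simple heuristic to Windows Security event 4769 records: one account requesting RC4 service tickets for several distinct user-backed services within a short window. The threshold, the window, the service names and the accounts other than JeffL are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = "0x17"               # TicketEncryptionType for RC4-HMAC in event 4769
WINDOW = timedelta(minutes=2)   # assumed burst window
THRESHOLD = 3                   # assumed number of distinct services in the window

# Constructed 4769 sample: (time, TargetUserName, ServiceName, TicketEncryptionType)
SAMPLE_EVENTS = [
    ("2024-01-01T09:00:00", "user2@MSMDI.LOCAL", "svc-sql", "0x12"),
    ("2024-01-01T09:10:00", "user3@MSMDI.LOCAL", "svc-sql", "0x17"),
    ("2024-01-01T09:30:00", "user3@MSMDI.LOCAL", "svc-web", "0x17"),
    ("2024-01-01T09:50:00", "user3@MSMDI.LOCAL", "svc-backup", "0x17"),
    ("2024-01-01T10:00:01", "JeffL@MSMDI.LOCAL", "svc-sql", "0x17"),
    ("2024-01-01T10:00:01", "JeffL@MSMDI.LOCAL", "svc-web", "0x17"),
    ("2024-01-01T10:00:02", "JeffL@MSMDI.LOCAL", "svc-backup", "0x17"),
    ("2024-01-01T10:00:02", "JeffL@MSMDI.LOCAL", "DC01$", "0x12"),
]

def find_spn_sweeps(events, window=WINDOW, threshold=THRESHOLD):
    """Map each suspicious account to the services it swept.

    An account is flagged when it requested RC4 tickets for at least
    `threshold` distinct non-machine services within `window`.
    """
    per_account = defaultdict(list)
    for ts, account, service, etype in events:
        if etype.lower() != RC4_HMAC:
            continue  # AES tickets are not the usual roasting target
        if service.endswith("$") or service.lower() == "krbtgt":
            continue  # machine accounts and krbtgt have random long keys
        per_account[account.lower()].append(
            (datetime.fromisoformat(ts), service.lower()))

    findings = defaultdict(set)
    for account, reqs in per_account.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it spans <= `window`.
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            services = {svc for _, svc in reqs[start:end + 1]}
            if len(services) >= threshold:
                findings[account] |= services
    return {acct: sorted(svcs) for acct, svcs in findings.items()}

if __name__ == "__main__":
    for acct, svcs in find_spn_sweeps(SAMPLE_EVENTS).items():
        print(f"possible SPN sweep by {acct}: {', '.join(svcs)}")
```

On the constructed sample only JeffL is flagged; user3 touches the same three services but spreads the requests over 40 minutes, which illustrates why a fixed window is easy to under- or over-tune.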