Detecting AD Credential Attacks

Premium room

Detect Kerberoasting, AS-REP Roasting, LSASS dumping, DCSync, and NTDS.dit extraction in Splunk.

medium

90 min


In August 2024, The Report documented a BlackSuit ransomware intrusion in which the attackers used Rubeus to Kerberoast service accounts, AS-REP Roasted an account with preauthentication disabled, and dumped credentials from LSASS memory, all within a single intrusion. In a separate BlackSuit case investigated by ReliaQuest that same year, the attackers compromised over 20 accounts through Kerberoasting, including a domain administrator. The techniques they used were neither exotic nor novel. They are the same credential attacks that show up in incident after incident, and they are detectable if you know what to look for.

This room covers five techniques that bridge the gap between "attacker has a foothold" and "attacker owns the domain."

  • Kerberoasting and AS-REP Roasting abuse Kerberos ticket requests to obtain material that can be cracked offline.
  • LSASS dumping extracts credentials directly from memory.
  • DCSync impersonates a domain controller to pull every password hash in the directory.
  • NTDS.dit extraction copies the database file directly from the domain controller's disk.

These aren't the only ways attackers get credentials (a passwords.xlsx sitting on a network share is still a real attack vector), but they're the five that abuse Active Directory's authentication and replication infrastructure directly. Each targets a different part of that infrastructure, requires a different level of privilege, and leaves distinct artifacts in different log sources.

Learning Objectives

  • Detect Kerberoasting through anomalous Kerberos service ticket requests that use RC4 encryption
  • Identify AS-REP Roasting by recognizing Kerberos TGT requests for accounts with preauthentication disabled
  • Detect LSASS credential dumping through suspicious process access patterns
  • Identify DCSync attacks through unauthorized replication requests
  • Detect NTDS.dit extraction through process creation and file write events on domain controllers
  • Correlate credential access artifacts across host and domain controller logs to trace an attacker's escalation path
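The two Kerberos objectives above, as an added Python example (not the room's own code or its Splunk searches): it applies the RC4-plus-burst logic for Kerberoasting and the preauth-disabled logic for AS-REP Roasting to constructed 4769/4768 events. Field names (EventCode, TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, Status) are assumptions about how the Windows add-on names XML Security event fields.

```python
# Added example, not the room's own code. Field names are assumptions about
# how the Splunk Windows add-on names XML Security event fields.
from collections import defaultdict

RC4_HMAC = "0x17"       # Ticket Encryption Type for RC4-HMAC (etype 23)
ROAST_THRESHOLD = 3     # distinct RC4 service tickets per requester before alerting

def event(code, user, ip, svc=None, etype="0x12", status="0x0", preauth=None):
    """Build a minimal constructed Security event record (AES-256 by default)."""
    return {"EventCode": code, "TargetUserName": user, "IpAddress": ip,
            "ServiceName": svc, "TicketEncryptionType": etype,
            "Status": status, "PreAuthType": preauth}

def is_roastable_tgs(ev):
    """4769 issued with RC4 for a user service account (not krbtgt, not a host$)."""
    svc = ev["ServiceName"] or ""
    return (ev["EventCode"] == 4769 and ev["Status"] == "0x0"
            and ev["TicketEncryptionType"] == RC4_HMAC
            and svc.lower() != "krbtgt" and not svc.endswith("$"))

def detect_kerberoasting(events, threshold=ROAST_THRESHOLD):
    """Map (requester, source IP) -> RC4 service names; keep those at/over threshold."""
    per_src = defaultdict(set)
    for ev in events:
        if is_roastable_tgs(ev):
            per_src[(ev["TargetUserName"], ev["IpAddress"])].add(ev["ServiceName"])
    return {k: sorted(v) for k, v in per_src.items() if len(v) >= threshold}

def detect_asrep_roasting(events):
    """4768 for an account with preauth disabled (PreAuthType 0) issued with RC4."""
    return [(ev["TargetUserName"], ev["IpAddress"]) for ev in events
            if ev["EventCode"] == 4768 and ev["Status"] == "0x0"
            and ev["PreAuthType"] == "0" and ev["TicketEncryptionType"] == RC4_HMAC]

# Constructed sample: one host requests RC4 tickets for three service accounts
# in a burst, plus benign noise the filters should ignore.
SAMPLE = [
    event(4769, "jsmith@CORP.LOCAL", "10.0.0.55", "svc_sql", "0x17"),
    event(4769, "jsmith@CORP.LOCAL", "10.0.0.55", "svc_web", "0x17"),
    event(4769, "jsmith@CORP.LOCAL", "10.0.0.55", "svc_backup", "0x17"),
    event(4769, "jsmith@CORP.LOCAL", "10.0.0.55", "krbtgt", "0x17"),  # TGS for krbtgt: ignored
    event(4769, "jsmith@CORP.LOCAL", "10.0.0.55", "WS02$", "0x17"),   # machine account: ignored
    event(4769, "amiller@CORP.LOCAL", "10.0.0.71", "svc_sql"),        # AES ticket: benign
    event(4768, "svc_legacy@CORP.LOCAL", "10.0.0.55", "krbtgt", "0x17", preauth="0"),
    event(4768, "amiller@CORP.LOCAL", "10.0.0.71", "krbtgt", preauth="2"),
]

if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(SAMPLE))
    print("AS-REP Roasting:", detect_asrep_roasting(SAMPLE))
```

In Splunk the same logic is a `stats dc(ServiceName)` by requester and source IP over Event ID 4769 with encryption type 0x17, which is what the Task 2 searches build up to.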

Prerequisites

  • Active Directory basics: core Active Directory concepts like domains, users, groups, OUs, and how authentication works (Active Directory Basics room)
  • Windows logging: Windows Event Log structure, Security log channels, and key Event IDs (Windows Logging for room)
  • Active Directory monitoring: authentication flows, ticket concepts, Event IDs 4768 and 4769 (Monitoring Active Directory room)
  • Splunk basics: queries, filtering, stats commands (Splunk: Exploring room)

Start the machine by clicking the Start Machine button below. Give the instance about 4-5 minutes to launch, then access it using the link below. Feel free to continue reading the next tasks while it boots:

Note: Each task uses its own index: index=task2 for Task 2, index=task3 for Task 3, and so on. Use the index that matches the task you're working on.

Answer the questions below

I have successfully started my Splunk instance.
