T1558.004 – AS-REP Roasting (Azure AD / On-Prem Detection)

Splunk Alert Details
Alert ID: SPLUNK-ASREP-ROAST-1558-7842
Alert Time: 2024-03-11 11:30:22 EST
Severity: HIGH (85/100)
Source: Splunk Enterprise Security + AD Logs
Rule: “AS-REP Roasting Attack Detected”
MITRE ATT&CK: T1558.004 – Steal or Forge Kerberos Tickets: AS-REP Roasting

Alert Details:

Correlated Events:

Windows Event ID 4768 (Kerberos Authentication Ticket Request):

Time: 11:15-11:30 EST
Source Host: 192.168.45.78 (Unknown host on Guest WiFi)
Target Users: Multiple users with “Do not require Kerberos preauthentication” enabled
Request Type: AS-REQ (no preauthentication)

Users Targeted:

svc_backup (service account) – preauth disabled
svc_monitoring (service account) – preauth disabled
user_nopreauth (legacy user) – preauth disabled
(12 total accounts)

Event Details (sample):

Event ID: 4768

Account Name: svc_backup

Account Domain: COMPANY

Logon GUID: {12345678-1234-1234-1234-123456789012}

Pre-Authentication Type: 0 (none)

Failure Code: 0x0 (success)

IP Address: 192.168.47.89

Detection Logic:

Multiple AS-REQ requests without preauthentication (Pre-Authentication Type 0) from one source
Targeted accounts all have the “Do not require Kerberos preauthentication” flag set
Source IP not associated with any known host (Guest WiFi range)
Pattern matches AS-REP Roasting: requesting a TGT for each preauth-disabled account to collect the encrypted AS-REP for offline cracking
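The detection logic above, as an added example that is not the page's Splunk rule: a small Python check that parses constructed Event ID 4768 records in the key: value layout shown in the alert and flags any source IP that obtained successful no-preauth TGT responses for several distinct accounts within a short window. The window and account threshold are assumed values, not the rule's real settings.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Event ID 4768 records, one per line, using the field
# names shown in the alert above (not real log data). Pre-Authentication Type 0
# means the AS-REQ carried no preauthentication data; Failure Code 0x0 is success.
SAMPLE_LOG = """\
Time: 2024-03-11 11:15:02 | Account Name: svc_backup | Pre-Authentication Type: 0 | Failure Code: 0x0 | IP Address: 192.168.47.89
Time: 2024-03-11 11:15:05 | Account Name: svc_monitoring | Pre-Authentication Type: 0 | Failure Code: 0x0 | IP Address: 192.168.47.89
Time: 2024-03-11 11:15:09 | Account Name: user_nopreauth | Pre-Authentication Type: 0 | Failure Code: 0x0 | IP Address: 192.168.47.89
Time: 2024-03-11 11:16:40 | Account Name: jdoe | Pre-Authentication Type: 2 | Failure Code: 0x0 | IP Address: 192.168.10.21
Time: 2024-03-11 11:20:13 | Account Name: svc_backup | Pre-Authentication Type: 0 | Failure Code: 0x0 | IP Address: 192.168.47.89
"""

def parse_events(text):
    """Parse the pipe-separated key: value records above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(part.split(": ", 1) for part in line.split(" | "))
        events.append({
            "time": datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S"),
            "account": fields["Account Name"],
            "preauth_type": int(fields["Pre-Authentication Type"]),
            "result": fields["Failure Code"],
            "ip": fields["IP Address"],
        })
    return events

def detect_asrep_roasting(events, window=timedelta(minutes=15), min_accounts=3):
    """Return {source_ip: sorted distinct accounts} for each source that got
    successful no-preauth TGT responses for at least min_accounts distinct
    accounts inside a sliding window (assumed thresholds). A lone legacy client
    touches one account; the spread across many accounts is the signal."""
    by_ip = defaultdict(list)
    for e in events:
        if e["preauth_type"] == 0 and e["result"] == "0x0":
            by_ip[e["ip"]].append((e["time"], e["account"]))
    hits = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):
            accounts = {acct for t, acct in reqs[i:] if t - t0 <= window}
            if len(accounts) >= min_accounts:
                hits[ip] = sorted(accounts)
                break
    return hits

if __name__ == "__main__":
    for ip, accounts in detect_asrep_roasting(parse_events(SAMPLE_LOG)).items():
        print(f"AS-REP Roasting pattern from {ip}: {', '.join(accounts)}")
```

The request from 192.168.10.21 is ignored because it carried preauthentication (type 2), so only the guest-range source is reported.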
SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Splunk correlation | Splunk ES | Confirmed AS-REP Roasting activity |
| 2. Source Investigation | Identify source IP | DHCP Logs, Cisco ISE | Guest WiFi IP assigned to unknown device |
| 3. Physical Security | Locate device | WiFi Controller, Security | Device in lobby; user unknown |
| 4. Immediate Action | Block source IP/MAC | Cisco ISE, Firewall | Guest device blocked |
| 5. Account Remediation | Clear the “Do not require Kerberos preauthentication” flag on affected accounts | AD | Preauth requirement enabled for all accounts |
| 6. Password Rotation | Rotate passwords for affected accounts | AD | 12 account passwords rotated |

Jira Incident Report
Ticket: SOC-2024-203
Summary: T1558.004 – AS-REP Roasting Attack Targeting Accounts with Preauth Disabled
Status: RESOLVED
Resolution: MALICIOUS – Tickets Obtained, Preauth Enabled, Passwords Rotated
Priority: P2 – MEDIUM
Labels: T1558, as-rep-roasting, kerberos, splunk, guest-wifi
Components: Identity-Management, Network-Security

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Splunk Enterprise Security (AD logs).
Alert: “AS-REP Roasting Attack Detected”.
Source IP: 192.168.47.89 (Guest WiFi).
Targets: 12 accounts with preauthentication disabled.
Time: 2024-03-11 11:30 EST.
Technique: MITRE ATT&CK T1558.004 – Steal or Forge Kerberos Tickets: AS-REP Roasting.

2. Technical Analysis:

Attack Chain:

11:00 – Unknown individual enters lobby, connects to Guest WiFi
11:10 – Attacker enumerates AD for accounts with preauth disabled
11:15-11:30 – AS-REP Roasting attack (12 accounts)
11:30 – Splunk detects

AS-REP Roasting Technique:

Target: Accounts with “Do not require Kerberos preauthentication” enabled
Method: Send an AS-REQ without preauthentication data; the KDC answers with an AS-REP whose encrypted part is protected with a key derived from the account's password
Offline cracking: The attacker guesses passwords against that encrypted part offline, with no further contact with the domain controller, so weak passwords are recovered without generating failed-logon events

Accounts Targeted (12):

svc_backup (service account) – weak password
svc_monitoring (service account) – moderate password
user_nopreauth (legacy user) – weak password
(9 others) – various

Attacker Success:

Obtained encrypted AS-REP for all 12 accounts
Could crack weak passwords offline

3. Investigation Findings:

Timeline:

11:00 – Attacker connects to Guest WiFi
11:10 – Account enumeration
11:15-11:30 – AS-REP Roasting
11:30 – Alert
11:32 – SOC investigates
11:33 – Source IP blocked
11:35 – Preauth enabled for all affected accounts

Indicators of Compromise (IoCs):

Network:
– Source IP: 192.168.47.89 (Guest WiFi)
– MAC: 00:1A:2B:3C:4D:5E (unknown)

Accounts:
– 12 accounts with preauth disabled (list attached)

4. Containment Actions:

Immediate Actions:

Blocked source IP and MAC at network level.
Enabled preauthentication requirement for all 12 accounts.
Rotated passwords for all 12 accounts.

Physical Security:

Increased monitoring of lobby area.
Guest WiFi network isolated from internal network.

Enterprise-wide Actions:

Audited all AD accounts for preauth disabled flag.
Found 3 additional accounts; corrected.

5. Root Cause Analysis:

Primary Cause: Accounts had “Do not require Kerberos preauthentication” enabled (legacy settings).
Contributing Factors:
– Guest WiFi accessible from lobby.
– No network segmentation for Guest WiFi.

6. Business Impact:

Operational Impact: None.
Data Exposure: 12 encrypted tickets obtained; passwords rotated.

7. Remediation & Prevention:

Completed Actions:

Preauth enabled.
Passwords rotated.
Attacker blocked.

Technical Controls Enhanced:

Audited all AD accounts and cleared the “Do not require Kerberos preauthentication” flag wherever it was set.
Implemented network segmentation for Guest WiFi.
Enhanced monitoring for AS-REQ without preauthentication (Event ID 4768 with Pre-Authentication Type 0).

8. Conclusion:

An attacker on Guest WiFi performed AS-REP Roasting against 12 accounts with preauthentication disabled, obtaining encrypted tickets. Splunk detected the anomalous AS-REQ patterns, enabling rapid remediation and password rotation.

Closure Rationale: Tickets obtained but invalidated; preauth enabled; passwords rotated; attacker blocked.

Analyst: [Your Name], SOC Analyst
Date: 2024-03-11 12:30 EST