HackTheBox Sherlock - Campfire-1 (DFIR)
HackTheBox Sherlock Campfire-1 walkthrough: detecting a Kerberoasting attack against an Active Directory domain by correlating Domain Controller Event ID 4769 (RC4 TGS requests) with endpoint PowerShell ScriptBlock logs (PowerView) and Prefetch (Rubeus).
Scenario
Campfire-1 is an Easy HackTheBox Sherlock (defensive / DFIR challenge). The Forela SOC suspects a Kerberoasting attack. You are given the Domain Controller’s security log plus a triage package from the suspected workstation, and must confirm the attack and attribute it.
“Alonzo, the SOC manager, has reason to believe that an attacker has gained access to the network and performed a Kerberoasting attack. You are provided with the Domain Controller security logs and a triage of the endpoint (PowerShell logs + Prefetch). Confirm the activity, identify the targeted service, the attacker workstation, and the tools used.”
| Field | Value |
|---|---|
| Platform | HackTheBox — Sherlock |
| Category | DFIR / Active Directory log analysis |
| Difficulty | Easy |
| Artifacts | Security.evtx (DC) + endpoint triage (PowerShell logs, Prefetch) |
| Skills | Event ID 4769 triage, Kerberoasting detection, PowerShell ScriptBlock logs, Prefetch |
Artifacts
- Security.evtx — the Domain Controller security event log (holds the Kerberos 4769 TGS requests).
- Endpoint triage of the attacker workstation:
  - PowerShell Operational log (Microsoft-Windows-PowerShell/Operational, ScriptBlock events 4104).
  - Prefetch (C:\Windows\Prefetch\*.pf) — proof of which executables ran and when.
The whole case is a correlation exercise: the DC tells you what (a roasted SPN) and from where (an IP); the endpoint tells you how (PowerView + Rubeus) and when.
Toolkit
- EvtxECmd (Eric Zimmerman) → CSV → Timeline Explorer for Security.evtx and the PowerShell log
- PECmd (Eric Zimmerman) — parse Prefetch (last-run timestamps)
- Windows Event Viewer (native) as a fallback with XPath filters

```powershell
# Security log -> CSV for Timeline Explorer (run the same command against the PowerShell Operational .evtx)
EvtxECmd.exe -f Security.evtx --csv . --csvf security.csv
# Prefetch -> last run times
PECmd.exe -d C:\triage\Prefetch --csv . --csvf prefetch.csv
```
Analysis — Kerberoasting is noisy in exactly one place by design: the Domain Controller logs an Event ID 4769 (Kerberos service-ticket request) for every TGS issued. Pulling that log to a timeline first lets you spot the single anomalous request among the normal ones, then pivot to the endpoint to explain it.
Background: Kerberoasting detection signals
| Signal | What it is | Why it matters here |
|---|---|---|
| Event ID 4769 | Kerberos service ticket (TGS-REP) requested | one per roast — the core DC-side signal |
| TicketEncryptionType 0x17 | RC4-HMAC | attackers force RC4 because it cracks far faster than AES |
| ServiceName ≠ krbtgt and not ending in $ | a user SPN account (not a computer account such as DC01$) | user-SPN accounts are the roastable targets |
| Status 0x0 | request succeeded | the TGS was actually issued (crackable hash obtained) |
| PowerShell 4104 | ScriptBlock logging | catches PowerView.ps1 enumerating SPNs |
| Prefetch | last-run + run count of EXEs | proves/times Rubeus.exe execution |
Investigation
Q1. Analyzing the Domain Controller security logs, what is the UTC date & time the Kerberoasting activity occurred?
Filter Security.evtx on Event ID 4769, then keep only events where TicketEncryptionType = 0x17 (RC4), ServiceName is not krbtgt and does not end in $, and Status = 0x0. Exactly one event matches:

```json
"EventData": {
  "TargetUserName": "alonzo.spire@FORELA.LOCAL",
  "ServiceName": "MSSQLService",
  "TicketOptions": "0x40800000",
  "TicketEncryptionType": "0x17",
  "IpAddress": "::ffff:172.17.79.129",
  "Status": "0x0"
}
```

Answer

```
2024-05-21 03:18:09
```
Analysis — On a healthy DC, almost every 4769 uses AES (0x12 for AES256, 0x11 for AES128) and targets computer accounts (…$). A single RC4 (0x17) request for a user-account SPN with Status 0x0 is the Kerberoasting fingerprint: the service ticket is encrypted with the service account's RC4 key, which is its NT hash, so the attacker now holds material that can be cracked offline to the account's password. Keep the user-SPN and Status conditions in the filter; in domains where RC4 is still enabled, legacy clients and services also generate 0x17 requests that are not roasts. (MITRE ATT&CK T1558.003 — Kerberoasting.)
Q2. What is the Service Name that was targeted?
Read ServiceName from the matching 4769 event.
Answer

```
MSSQLService
```
Analysis — The SPN identifies which service account’s hash was stolen. A service principal tied to a user account (here MSSQLService) is roastable; its password now faces offline cracking, so it is the account to reset and investigate first.
Q3. What is the IP address of the workstation this activity came from?
Read the IpAddress field of the same event (strip the IPv6-mapped prefix ::ffff:).
Answer

```
172.17.79.129
```
Analysis — The DC records the source IP of every ticket request. Pivoting from “a roast happened” to “it came from 172.17.79.129” is what lets you go to the right endpoint’s triage and reconstruct the how.
Q4. What is the name of the file used to enumerate Active Directory and find Kerberoastable accounts?
Move to the workstation's PowerShell Operational log and filter on ScriptBlock events (4104). A large script is logged as several 4104 chunks, so scan both the Path field and the script text for PowerView function names (Get-DomainUser, Invoke-Kerberoast); the AD-enumeration tooling stands out.

Answer

```
powerview.ps1
```
Analysis — PowerView.ps1 is the de-facto AD recon toolkit; Get-DomainUser -SPN lists roastable accounts. ScriptBlock logging (EID 4104) records the script body, so even a fileless/in-memory run leaves the source behind. (MITRE ATT&CK T1087.002 — Account Discovery: Domain Account.)
Q5. When was this script executed? (UTC)
Read the timestamp of the PowerView 4104 ScriptBlock event.
Answer

```
2024-05-21 03:16:32
```
Analysis — Note the order: enumeration (03:16:32) happens before the roast (03:18:09). That ~2-minute gap is the attacker finding a roastable SPN, then requesting its ticket — a tidy, attributable mini-timeline.
Q6. What is the full path of the tool used to perform the actual Kerberoasting attack?
Parse the Prefetch with PECmd and look for the roasting tool. A .pf file is named after the executable (RUBEUS.EXE-<hash>.pf) and lists the files the program loaded, including the binary's own full path, so the entry gives both the tool and the directory it ran from.

Answer

```
C:\Users\Alonzo.spire\Downloads\Rubeus.exe
```
Analysis — Rubeus (Rubeus.exe kerberoast) performs the actual TGS request and hash extraction. Prefetch records the binary’s path and run history, so it both names the tool and proves it executed on this host. Running from \Downloads\ is itself a weak-signal IOC. (MITRE ATT&CK T1558.003.)
Q7. When was the tool executed to dump credentials? (UTC)
Read the last-run time of RUBEUS.EXE-*.pf from the Prefetch.
Answer

```
2024-05-21 03:18:08
```
Analysis — The Prefetch run time (03:18:08) sits one second before the DC’s 4769 (03:18:09) — endpoint and DC corroborate each other to the second, nailing the causal chain Rubeus → TGS request.
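As an added example (not from the original write-up or from the Campfire-1 artifacts), the three checks above (the four-condition 4769 filter from Q1, the 4104 review from Q4 and the Prefetch correlation from Q7) as one Python triage script. It reads Windows event XML in the shape `wevtutil qe <log> /lf:true /f:xml` emits, rejoins 4104 ScriptBlocks that PowerShell split into MessageNumber/MessageTotal chunks (a full PowerView.ps1 is far larger than one event, so a per-event grep can miss the indicator), and links each roast to the executables whose Prefetch last-run falls just before the TGS request. The events, the Prefetch records, the svc_backup account (an assumed AES-only account whose RC4 request the KDC refuses with 0xe, KDC_ERR_ETYPE_NOSUPP) and the chunk boundary are all constructed to mirror the case; the `<Events>` wrapper root is added because wevtutil emits bare `<Event>` elements.

```python
"""Campfire-1 style triage: parse wevtutil XML, flag Kerberoasting 4769s, rejoin chunked 4104
ScriptBlocks, and tie each roast to Prefetch last-run times.  All sample data is constructed."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
RC4_HMAC = "0x17"  # TicketEncryptionType for RC4-HMAC
# Real PowerView cmdlet names that betray SPN enumeration.
POWERVIEW_INDICATORS = ("Get-DomainUser", "Get-NetUser", "Invoke-Kerberoast", "Get-DomainSPNTicket")


def parse_time(ts):
    """wevtutil writes 7 fractional digits, which fromisoformat may reject: truncate to 6."""
    base, _, frac = ts.rstrip("Z").partition(".")
    when = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)
    return when.replace(microsecond=int((frac + "000000")[:6]))


def parse_events(xml_text):
    """Yield (event_id, utc_time, {DataName: value}) for every <Event> under a wrapper root."""
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = int(ev.findtext("e:System/e:EventID", namespaces=NS))
        when = parse_time(ev.find("e:System/e:TimeCreated", NS).get("SystemTime"))
        data = {d.get("Name"): (d.text or "") for d in ev.findall("e:EventData/e:Data", NS)}
        yield eid, when, data


def kerberoast_hits(events):
    """Q1 filter: 4769 + RC4 + user SPN (not krbtgt, not ...$) + Status 0x0."""
    hits = []
    for eid, when, d in events:
        svc = d.get("ServiceName", "")
        if (eid == 4769 and d.get("TicketEncryptionType", "").lower() == RC4_HMAC
                and d.get("Status", "").lower() == "0x0"
                and svc.lower() != "krbtgt" and not svc.endswith("$")):
            hits.append({"time": when, "spn": svc, "requester": d.get("TargetUserName", ""),
                         "ip": re.sub(r"^::ffff:", "", d.get("IpAddress", ""))})  # drop IPv4-mapped prefix
    return hits


def reassemble_scriptblocks(events):
    """4104 splits big scripts into MessageNumber/MessageTotal chunks sharing one ScriptBlockId;
    rejoin them so an indicator that straddles a chunk boundary is still found."""
    blocks = {}
    for eid, when, d in events:
        if eid != 4104:
            continue
        sb = blocks.setdefault(d["ScriptBlockId"], {"time": when, "path": d.get("Path", ""), "parts": {}})
        sb["time"] = min(sb["time"], when)
        sb["parts"][int(d["MessageNumber"])] = d.get("ScriptBlockText", "")
    return [{"time": sb["time"], "path": sb["path"],
             "text": "".join(sb["parts"][n] for n in sorted(sb["parts"]))} for sb in blocks.values()]


def correlate(hits, prefetch, window=timedelta(seconds=30)):
    """Attach every executable whose Prefetch last-run falls within `window` before the TGS request."""
    return [{**h, "tools": [p["path"] for p in prefetch if timedelta(0) <= h["time"] - p["last_run"] <= window]}
            for h in hits]


def triage(xml_text, prefetch):
    events = list(parse_events(xml_text))
    recon = [sb for sb in reassemble_scriptblocks(events)
             if "powerview" in sb["path"].lower() or any(i in sb["text"] for i in POWERVIEW_INDICATORS)]
    return {"roasts": correlate(kerberoast_hits(events), prefetch), "recon": recon}


def _ev(eid, ts, **data):
    """Build one constructed <Event> in the wevtutil XML shape."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
            f'<TimeCreated SystemTime="{ts}"/></System><EventData>{fields}</EventData></Event>')


# Constructed sample: three non-roast 4769s, the roast from the write-up, and PowerView split in two.
SAMPLE_XML = "<Events>" + "".join([
    _ev(4769, "2024-05-21T03:10:01.0000000Z", TargetUserName="WS01$@FORELA.LOCAL", ServiceName="DC01$",
        TicketEncryptionType="0x12", IpAddress="::ffff:172.17.79.20", Status="0x0"),          # AES, machine SPN
    _ev(4769, "2024-05-21T03:12:44.0000000Z", TargetUserName="alonzo.spire@FORELA.LOCAL", ServiceName="krbtgt",
        TicketEncryptionType="0x17", IpAddress="::ffff:172.17.79.129", Status="0x0"),         # TGT traffic
    _ev(4769, "2024-05-21T03:17:55.0000000Z", TargetUserName="alonzo.spire@FORELA.LOCAL", ServiceName="svc_backup",
        TicketEncryptionType="0xffffffff", IpAddress="::ffff:172.17.79.129", Status="0xe"),   # AES-only, RC4 refused
    _ev(4769, "2024-05-21T03:18:09.0000000Z", TargetUserName="alonzo.spire@FORELA.LOCAL", ServiceName="MSSQLService",
        TicketEncryptionType="0x17", IpAddress="::ffff:172.17.79.129", Status="0x0"),         # the roast
    _ev(4104, "2024-05-21T03:16:32.0000000Z", MessageNumber="1", MessageTotal="2", ScriptBlockId="sb-1",
        Path=r"C:\Users\Alonzo.spire\Downloads\powerview.ps1", ScriptBlockText="function Get-Domain"),
    _ev(4104, "2024-05-21T03:16:32.0000000Z", MessageNumber="2", MessageTotal="2", ScriptBlockId="sb-1",
        Path=r"C:\Users\Alonzo.spire\Downloads\powerview.ps1", ScriptBlockText="User { param([Switch]$SPN) }"),
]) + "</Events>"
SAMPLE_PREFETCH = [  # constructed; shape after PECmd: executable, full path from FilesLoaded, last run (UTC)
    {"exe": "RUBEUS.EXE", "path": r"C:\Users\Alonzo.spire\Downloads\Rubeus.exe",
     "last_run": datetime(2024, 5, 21, 3, 18, 8, tzinfo=timezone.utc)},
    {"exe": "NOTEPAD.EXE", "path": r"C:\Windows\System32\notepad.exe",
     "last_run": datetime(2024, 5, 21, 2, 40, 0, tzinfo=timezone.utc)},
]

if __name__ == "__main__":
    result = triage(SAMPLE_XML, SAMPLE_PREFETCH)
    for r in result["roasts"]:
        print(f'ROAST {r["time"]:%Y-%m-%d %H:%M:%S} {r["spn"]} from {r["ip"]} tools={r["tools"]}')
    for sb in result["recon"]:
        print(f'RECON {sb["time"]:%Y-%m-%d %H:%M:%S} {sb["path"]}')
```

On the constructed sample only the MSSQLService request survives the filter, the krbtgt and AES requests drop out, and the refused svc_backup request shows what the AES-only hardening below looks like in the log. The 30-second correlation window is deliberately tight: Rubeus requests the ticket immediately after launch, so a wide window would only pull in unrelated binaries.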
Attack Timeline
| Time (UTC) | Stage | Evidence |
|---|---|---|
| 2024-05-21 03:16:32 | Discovery | PowerView.ps1 enumerates AD / roastable SPNs — PowerShell EID 4104 |
| 2024-05-21 03:18:08 | Execution | C:\Users\Alonzo.spire\Downloads\Rubeus.exe runs — Prefetch last-run |
| 2024-05-21 03:18:09 | Credential Access | DC issues TGS for MSSQLService, RC4 0x17, from 172.17.79.129 — EID 4769 |
```mermaid
flowchart TB
subgraph EVID["Evidence"]
direction LR
V1["① Security EID 4769 — MSSQLService / RC4 0x17 / Status 0x0"]
V2["② PowerShell EID 4104 — PowerView.ps1"]
V3["③ Prefetch — Rubeus.exe"]
end
subgraph IOCS["IOCs"]
direction LR
O1["Roasted SPN: MSSQLService (alonzo.spire)"]
O2["Attacker workstation: 172.17.79.129"]
O3["C:\\Users\\Alonzo.spire\\Downloads\\Rubeus.exe + PowerView.ps1"]
end
subgraph ATTACK["MITRE ATT&CK"]
direction LR
T1["T1087.002 Account Discovery"]
T2["T1558.003 Kerberoasting"]
T3["T1059.001 PowerShell"]
end
V1 ==> O1
V1 ==> O2
V2 ==> O3
V3 ==> O3
V2 -.-> T1
V3 -.-> T2
V1 -.-> T2
V2 -.-> T3
```
Detection & Hardening (Blue Team)
What would have caught this earlier:
- Alert on Event ID 4769 with TicketEncryptionType 0x17 (RC4) and Status 0x0 for non-machine SPNs — a high-signal Kerberoasting detection, and nearly noise-free once RC4 has been retired elsewhere.
- Disable RC4 for Kerberos and set service accounts to AES-only (msDS-SupportedEncryptionTypes), so a roast yields a far harder hash or the RC4 request fails outright.
- Use gMSAs / long random passwords for service accounts — gMSA passwords are machine-generated and rotated automatically, so they are not practically crackable.
- Enable PowerShell ScriptBlock logging (EID 4104) and module logging to catch PowerView / SPN enumeration.
- Monitor process execution (Sysmon EID 1 or Security EID 4688) for Rubeus, Mimikatz, and execution from \Downloads\. Prefetch is a good forensic fallback on workstations, but it is disabled by default on Windows Server.
- Deploy honeypot SPN accounts — any 4769 against them is a guaranteed alert.
Key Takeaways
- The Kerberoasting fingerprint on a DC is EID 4769 + RC4 (0x17) + a user SPN (not …$) + Status 0x0.
- Correlating the DC log with endpoint PowerShell (4104) and Prefetch attributes the attacker workstation, the recon tool (PowerView), and the roasting tool (Rubeus) — to the second.
- Defenders win by removing RC4, using gMSAs, and logging PowerShell + process execution.
References
- HackTheBox Sherlock: Campfire-1 — https://app.hackthebox.com/sherlocks
- Microsoft — 4769(S, F): A Kerberos service ticket was requested — https://learn.microsoft.com/windows/security/threat-protection/auditing/event-4769
- Eric Zimmerman’s Tools (EvtxECmd / PECmd / Timeline Explorer) — https://ericzimmerman.github.io/
- Rubeus — https://github.com/GhostPack/Rubeus ; PowerView — https://github.com/PowerShellMafia/PowerSploit
- MITRE ATT&CK: T1558.003 (Kerberoasting), T1087.002 (Account Discovery), T1059.001 (PowerShell)