Directory DFIR lab incident report
Daan Perry - 2025-07-22
Looking for the walkthrough of this lab? Go to Walkthrough.
Note
Because this incident report covers a TryHackMe lab some information may be redacted/altered to not give away any answers.
Incident Summary
Incident Title: AS-REP Roasting Attack with WinRM Lateral Movement
Incident Date: January 25th, 2024
Reported By: Daan Perry - Incident Responder
Initial Detection Date: January 26th, 2024
Severity Level: High
Status: Resolved
Systems Affected: 10.0.2.75
Incident Overview
On the morning of January 26 2025, a suspicious note was detected on the Desktop of 10.0.2.75, indicating a potential compromise. The initial compromise is believed to have been caused by Authentication Server Response (AS-REP) Roasting (T1558.004) on an account that has pre-authentication disabled. This allowed the unauthorized user to send an AS-REQ and receive an AS-REP response, part of which is encrypted with a key derived from the user's password. This data was brute-forced offline to recover the account password. The unauthorized user used the gained credentials to authenticate first via Web Services-Management (WS-Management) and later via Windows Remote Management (WinRM).
After gaining access, the unauthorized user executed a series of PowerShell commands to extract sensitive Windows Registry hives (HKLM\REG1, HKLM\REG2 and HKLM\REG3) and exfiltrated them in base64-encoded chunks (T1021.006).
Lastly the unauthorized user left a note on the desktop of the compromised host.
Indicators of Compromise
TGT Request detected
Multiple TGT requests were sent for multiple accounts
WSMan / WinRM
WSMan and WinRM received a significant number of POST requests
Notable File Created
The unauthorized user created a text file on the Desktop
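A detection check for the first indicator above (TGT requests for several accounts that used no pre-authentication), added here as an example and not part of the original report. The Event ID 4768 records it parses are constructed, as are the account names and the client address 10.0.2.50.

```python
import re
from collections import defaultdict

# Constructed sample of Windows Security Event ID 4768 (Kerberos TGT requested)
# records, flattened to one line each. Not real log data from the incident.
SAMPLE_4768 = """\
2024-01-25 21:42:10 EventID=4768 TargetUserName=svc-backup ClientAddress=::ffff:10.0.2.50 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2024-01-25 21:42:11 EventID=4768 TargetUserName=jsmith ClientAddress=::ffff:10.0.2.50 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2024-01-25 21:42:11 EventID=4768 TargetUserName=mwong ClientAddress=::ffff:10.0.2.50 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
2024-01-25 21:43:52 EventID=4768 TargetUserName=svc-backup ClientAddress=::ffff:10.0.2.50 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
2024-01-25 21:44:01 EventID=4768 TargetUserName=admin ClientAddress=::ffff:10.0.2.20 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_4768(text):
    """Turn each flattened 4768 line into a dict of its key=value fields."""
    events = []
    for line in text.splitlines():
        if "EventID=4768" not in line:
            continue
        rec = dict(FIELD.findall(line))
        rec["Timestamp"] = line[:19]
        events.append(rec)
    return events


def find_asrep_roasting(events, min_accounts=2):
    """Group successful TGT requests that used no pre-authentication
    (PreAuthType=0) by client address. Several distinct accounts in that
    state from one source is the roasting pattern; the RC4 ticket
    encryption type (0x17) on those lines is the usual accompanying tell."""
    by_source = defaultdict(set)
    for e in events:
        if e.get("PreAuthType") == "0" and e.get("Status") == "0x0":
            by_source[e["ClientAddress"]].add(e["TargetUserName"])
    return {src: sorted(users) for src, users in by_source.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    for src, users in find_asrep_roasting(parse_4768(SAMPLE_4768)).items():
        print(f"possible AS-REP roasting from {src}: {', '.join(users)}")
```

On the sample above only the 10.0.2.50 source is reported; the single pre-authenticated request from 10.0.2.20 is ignored.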
Root Cause Analysis
A misconfigured Kerberos account allowed the unauthorized entity to access Music Company's internal network.
The primary catalyst for the incident was traced back to one significant vulnerability: a user account misconfigured with the Kerberos "pre-authentication" setting disabled. Additionally, an unusual number of open ports were discovered on the host, which may indicate a misconfiguration of the host.
Technical Timeline
Initial Compromise
January 25th, 2024, 21:41:50: Unauthorized entity starts a port scan and finds several ports open. The unauthorized entity initially attempts attacks on a web application and several other ports, until at 21:43:52 it manages to compromise an account through Kerberos.
First lateral move
January 25th, 2024, 21:45:17: Unauthorized entity authenticates and connects to the host using the WS-Management protocol and requests the hostname.
Second lateral move
January 25th, 2024, 21:45:50: Unauthorized entity disconnects from the earlier session and reconnects to the host using the WinRM protocol, after which it starts sending multiple commands.
Data Access & Exfiltration
January 25th, 2024, 21:46:05: Unauthorized entity begins collection and exfiltration of data using Base64-encoded chunks. By 21:47:12 the unauthorized entity has finished its activities, writes a note on the desktop of the host and disconnects, after which no more activity is detected.
Containment and Recovery
January 26th, 2024, 08:12:00: The note is discovered and Acme Security Corp. is contacted; it recommends removing the host from the network to prevent the potential spread of ransomware while the team is en route.
January 26th, 2024, 08:56:10: Incident responders arrive on location and start their investigation.
January 26th, 2024, 09:35:36: System is determined to be free from any malware and no persistence mechanisms are found. Kerberos account settings were updated, passwords changed and ports closed. WinRM and WS-Management were temporarily disabled, as the client indicated these protocols were not actively used.
Commands executed by the unauthorized user
1. Reconnaissance:
whoami /all
2. Registry Hive Extraction:
reg save HKLM\REG1 C:\REG1
reg save HKLM\REG2 C:\REG2
reg save HKLM\REG3 C:\REG3
3. Exfiltration via PowerShell:
Base64 chunks of the extracted registry hives were exfiltrated in 1MB slices, read with:
[System.IO.File]::OpenRead
4. TTP: error handling after each command (exit on any failure) using:
if (!$?) { if($LASTEXITCODE) { exit $LASTEXITCODE } else { exit 1 } }
5. Final action:
Created a note.txt with the content THM{redacted}
Recommendations
  • Enforce strong passwords on all accounts
  • Keep Kerberos pre-authentication enabled for all accounts
  • Restrict WinRM access to authorized IPs only
  • Deploy enhanced logging and IPS/IDS systems
  • Rotate service account credentials regularly
Report Prepared By
Name: Daan Perry
Position: Incident Responder
Date: January 26th, 2024