campfire-1

Q1: Analyzing Domain Controller Security Logs. Can you confirm the date and time when the Kerberoasting activity occurred? Open Event Viewer on the Windows VM and search for Event ID 4769. 🕒 Remember to convert your local time to UTC.

Q2: Targeted Service Name. What is the Service Name that was targeted? Check the “Service Information” section of the same event.

Q3: Workstation Identification. Identify the Workstation IP Address from which the activity originated. ...

September 22, 2024 · 2 min · MikeHorn

campfire-2

Q1: When did the AS-REP Roasting attack occur, and when did the attacker request the Kerberos ticket for the vulnerable user? Open Event Viewer on the Windows VM and search for Event ID 4768. Look for anomalies in the logs, specifically events where:

Pre-Authentication Type: 0

This indicates that the account does not require Kerberos pre-authentication, making it vulnerable to AS-REP Roasting. 🕒 Remember to convert the timestamp to UTC when documenting your findings. ...

September 22, 2024 · 2 min · MikeHorn