ACTIVE DIRECTORY DEFENCE
DETECTION & INCIDENT RESPONSE LAB
HUNT · ANALYSE · CONTAIN · REPORT

OBJECTIVES

  • Triage the initial alert
  • Detect Kerberoasting (Event 4769)
  • Detect Pass-the-Hash (Event 4624)
  • Detect DCSync (Event 4662)
  • Detect Golden Ticket (Event 4672)
  • Identify the source workstation
  • Complete the investigation questions
  • Submit the IR report
PHASE 1 — ALERT TRIAGE
MISSION BRIEF
NETWORK SECURITY — INCIDENT RESPONSE
Peer lab (Penetration Testing path): Active Directory Attacks

AD DEFENCE & DETECTION

DOMAIN: APEXCORP.LOCAL — SOC ANALYST PERSPECTIVE

SITUATION

Microsoft Defender for Identity has fired an alert on the APEXCORP.LOCAL domain at 09:14 UTC. Windows Security Event logs show anomalous Kerberos and LDAP activity originating from an internal workstation. Your job as a SOC analyst is to investigate, identify the attack chain, and document the incident.

ENVIRONMENT

Asset                  Detail
Domain                 APEXCORP.LOCAL
Domain Controller      DC01 — 10.10.18.10
Affected workstation   Investigate from logs
Alert time             2026-05-08 09:14:02 UTC
Your role              SOC Analyst — Tier 2

METHODOLOGY

  • Start with the Alert Dashboard to understand what fired
  • Open the Event Log and hunt the key Event IDs
  • Use Defender Tools to run KQL queries against the log
  • Answer the Investigation questions as you find evidence
  • Document everything in the IR Report

KEY EVENT IDs TO HUNT

Event ID   Technique
4769       Kerberos Service Ticket — look for RC4 (0x17)
4624       Logon — look for Type 3, NtLmSsp package
4662       Object access — DS-Replication-Get-Changes-All
4672       Special privileges assigned to new logon
4768       Kerberos TGT request — baseline activity
WINDOWS SECURITY EVENT LOG — DC01.APEXCORP.LOCAL (47 events)
DEFENDER FOR IDENTITY — ALERT DASHBOARD: 3 critical, 2 high, 4 medium, 8 informational
DEFENDER TOOLS — KQL / POWERSHELL QUERIES (Defender for Identity / Microsoft Sentinel KQL console)
INVESTIGATION — GUIDED QUESTIONS (8 questions)
REFERENCE — AD DETECTION
KERBEROASTING
Attacker requests service tickets for SPN accounts. Detection: a service ticket requested with RC4 (0x17) when AES is available is anomalous.
Event 4769 — TicketEncryptionType: 0x17 (RC4-HMAC) for a service account SPN
SecurityEvent | where EventID == 4769 | where TicketEncryptionType == "0x17" | where ServiceName !endswith "$"
PASS-THE-HASH
Attacker authenticates using an NTLM hash without knowing the password. Detection: NTLM authentication from a workstation to a Domain Controller.
Event 4624 — LogonType: 3, AuthPackage: NtLmSsp from non-DC host to DC
let DCip = "10.10.18.10"; SecurityEvent | where EventID == 4624 | where LogonType == 3 | where AuthenticationPackageName == "NTLM" | where WorkstationName != "" and IpAddress != DCip
DCSYNC
Attacker mimics DC replication to extract all password hashes. Detection: replication rights accessed from a non-DC host.
Event 4662 — DS-Replication-Get-Changes-All accessed by non-DC account
SecurityEvent | where EventID == 4662 | where Properties contains "DS-Replication-Get-Changes-All" | where SubjectUserName !endswith "$"
GOLDEN TICKET
Forged Kerberos TGT using the krbtgt hash. Detection: ticket with anomalous attributes or privileges granted without recent TGT issuance by the DC.
Event 4769 + 4672 — Sensitive account with anomalous ticket, or special privilege without DC-issued TGT
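The four reference rules above, applied as plain detection logic to a constructed sample log. This is an added example, not part of the lab: each dict stands in for one Microsoft Sentinel SecurityEvent row (same column names), the event values, host WS01 and user j.doe are made up, and only the DC01 address comes from the environment table.

```python
"""Added example: the reference's four AD detection rules run over constructed
Windows Security events (dicts mirroring SecurityEvent columns; values made up)."""

DC_IP = "10.10.18.10"  # DC01, from the lab's environment table

EVENTS = [  # constructed sample log, not the lab's own 47 events
    {"EventID": 4768, "TargetUserName": "j.doe", "IpAddress": "10.10.18.55"},
    {"EventID": 4769, "TargetUserName": "j.doe", "ServiceName": "svc-sql",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.18.55"},
    {"EventID": 4769, "TargetUserName": "j.doe", "ServiceName": "WS01$",
     "TicketEncryptionType": "0x17", "IpAddress": "10.10.18.55"},  # machine SPN, excluded
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "WorkstationName": "WS01", "IpAddress": "10.10.18.55"},
    {"EventID": 4662, "SubjectUserName": "j.doe",
     "Properties": "DS-Replication-Get-Changes-All"},
    {"EventID": 4672, "SubjectUserName": "administrator", "IpAddress": "10.10.18.55"},
]

def kerberoasting(events):
    """4769 with RC4 (0x17) for a non-machine service account SPN."""
    return [e for e in events if e["EventID"] == 4769
            and e.get("TicketEncryptionType") == "0x17"
            and not e.get("ServiceName", "").endswith("$")]

def pass_the_hash(events, dc_ip=DC_IP):
    """4624 network logon (type 3) over NTLM from a host that is not the DC."""
    return [e for e in events if e["EventID"] == 4624 and e.get("LogonType") == 3
            and e.get("AuthenticationPackageName") == "NTLM"
            and e.get("WorkstationName") and e.get("IpAddress") != dc_ip]

def dcsync(events):
    """4662 exposing replication rights to a non-machine (non-DC) account."""
    return [e for e in events if e["EventID"] == 4662
            and "DS-Replication-Get-Changes-All" in e.get("Properties", "")
            and not e.get("SubjectUserName", "").endswith("$")]

def golden_ticket(events):
    """4672 special privileges for an account the DC never issued a TGT (4768) to."""
    tgt_users = {e["TargetUserName"] for e in events if e["EventID"] == 4768}
    return [e for e in events if e["EventID"] == 4672
            and e.get("SubjectUserName") not in tgt_users]

def run_all(events):
    return {"kerberoasting": kerberoasting(events), "pass_the_hash": pass_the_hash(events),
            "dcsync": dcsync(events), "golden_ticket": golden_ticket(events)}

def source_hosts(findings):
    """Source IPs shared by the hits: the workstation to identify and contain."""
    return {e["IpAddress"] for hits in findings.values() for e in hits if "IpAddress" in e}
```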
CONTAINMENT ACTIONS
# Reset the krbtgt password. Must be done TWICE, 24 hours apart, to invalidate forged TGTs
Reset-ADAccountPassword -Identity krbtgt -NewPassword (ConvertTo-SecureString -AsPlainText "NewPass!" -Force)
# Disable compromised accounts
Disable-ADAccount -Identity svc-sql