{"id":3513,"date":"2017-02-08T08:00:55","date_gmt":"2017-02-08T13:00:55","guid":{"rendered":"https:\/\/adsecurity.org\/?p=3513"},"modified":"2017-02-08T10:04:08","modified_gmt":"2017-02-08T15:04:08","slug":"detecting-kerberoasting-activity-part-2-creating-a-service-account-honeypot","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=3513","title":{"rendered":"Detecting Kerberoasting Activity Part 2 &#8211; Creating a Kerberoast Service Account Honeypot"},"content":{"rendered":"<p>In my previous post, &#8220;<a href=\"https:\/\/adsecurity.org\/?p=3458\">Detecting Kerberoasting Activity<\/a>&#8221;\u00a0 I explain how <a href=\"https:\/\/adsecurity.org\/?p=2293\">Kerberoasting works<\/a> and describe how to <a href=\"https:\/\/adsecurity.org\/?p=3458\">detect potential Kerberoasting activity<\/a>. The trick to this is understanding what activity is normal in order to filter out the noise and increase the fidelity of the alert.<\/p>\n<p>This post describes how to filter from millions of events to a single one to detect Kerberoasting activity.<\/p>\n<p><!--more--><\/p>\n<p><strong>Detecting Kerberoasting Activity<\/strong><br \/>\nAs I noted in the <a href=\"https:\/\/adsecurity.org\/?p=3458\">previous post<\/a>, looking for TGS service tickets with RC4 encryption was a good method to discover Kerberoasting activity.<\/p>\n<blockquote><p>Windows added Kerberos AES (128 &amp; 256) encryption starting with Windows Server 2008 and Windows Vista which means that most Kerberos requests will be AES encrypted with any modern Windows OS. Any Kerberos RC4 tickets requested should be the exception. There are systems that only support Kerberos RC4 by default (<a href=\"https:\/\/library.netapp.com\/ecmdocs\/ECMP1610207\/html\/GUID-CF2D1B5A-6CCB-474B-ADA9-CDC9C382FF48.html\">NetApp<\/a>). 
Inter-forest Kerberos tickets also use RC4 unless <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/dd145414.aspx\">configured for AES<\/a> \u2013 ensure your forest trusts support AES and then enable AES over the trust.<\/p>\n<p>Once all Domain Controllers are configured to log 4769 events, these events need to be filtered before sending the data into a SIEM\/Splunk. Since we are only really interested in Kerberos TGS service tickets with RC4 encryption, it\u2019s possible to filter the events. As shown above, Kerberos events with AES encryption have Ticket Encryption Type set to 0x12.<br \/>\nKerberos RC4 encrypted tickets have Ticket Encryption Type set to 0x17.<\/p>\n<p>These events can be filtered using the following, which greatly reduces the number of events flowing into the SIEM\/Splunk:<\/p>\n<ul>\n<li>Ticket Options: 0x40810000<\/li>\n<li>Ticket Encryption: 0x17<\/li>\n<\/ul>\n<p>With this information, we can start investigating potential Kerberoasting activity and reduce the number of 4769 events.<\/p>\n<p>We can further reduce the number of 4769 events that flow into SIEM\/Splunk:<\/p>\n<ul>\n<li>Filter out requests from service accounts (ads45service@lab.adsecurity.org)<\/li>\n<li>Filter on Audit Success<\/li>\n<li>Filter out requests for service names with a \u201c$\u201d which are typically for computer accounts (or trusts or Managed Service Accounts, all accounts where Windows automatically generates a long, complex password).<\/li>\n<\/ul>\n<p>In limited testing, I\u2019ve seen 4769 event totals reduced from millions to thousands and hundreds using these filtering techniques.<\/p>\n<p><strong>Here\u2019s a 4769 event that may potentially be from Kerberoasting activity:<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3510\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-Event-KerberosRC4TGS-Request-UserAccount-02.jpg\" sizes=\"auto, (max-width: 409px) 100vw, 409px\" 
srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-Event-KerberosRC4TGS-Request-UserAccount-02.jpg 1155w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-Event-KerberosRC4TGS-Request-UserAccount-02-259x300.jpg 259w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-Event-KerberosRC4TGS-Request-UserAccount-02-768x888.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-Event-KerberosRC4TGS-Request-UserAccount-02-885x1024.jpg 885w\" alt=\"\" width=\"409\" height=\"473\" \/><\/p><\/blockquote>\n<p>Following this line of thought, we can look at TGS ticket requests with specific ticket encryption &amp; ticket options to identify potential Kerberoast activity.<\/p>\n<blockquote><p>Using the information regarding ticket encryption type and ticket options, we can use PowerShell to parse the DC\u2019s event log looking for 4769 events with this info.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3511\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-PowerShell-PotentialKerberoastingEvents-01.jpg\" sizes=\"auto, (max-width: 1156px) 100vw, 1156px\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-PowerShell-PotentialKerberoastingEvents-01.jpg 1156w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-PowerShell-PotentialKerberoastingEvents-01-300x70.jpg 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-PowerShell-PotentialKerberoastingEvents-01-768x180.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-PowerShell-PotentialKerberoastingEvents-01-1024x240.jpg 1024w\" alt=\"\" width=\"552\" height=\"129\" \/><\/p>\n<p>That looks really odd. 
Why would any account request several different service names (Citrix PVS, BizTalk, Business Objects, AGPM GPO management, and several SQL service accounts) within a second or two of each other?<\/p>\n<p>That stands out and looks really suspicious and is very likely Kerberoasting activity. This provides great information on what users could be compromised and what activity on which computers should be scrutinized.<\/p>\n<p>A single user requesting RC4 encrypted TGS tickets for several services, such as lots of SQL service principal names, is suspicious and it\u2019s worth investigating the IP (client address)\u00a0 the requests came from. The same thing is true for multiple RC4 encrypted TGS requests over time for lots of service principal names. A pattern does emerge when there\u2019s one or two accounts that request a variety of RC4 TGS tickets.<\/p><\/blockquote>\n<p>Read the entire <a href=\"https:\/\/adsecurity.org\/?p=3458\">post<\/a> for more information on how Kerberoasting works, etc.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Filtering the Noise to Find Malicious Activity<\/strong><br \/>\nI note in that post that 4769 events on Domain Controllers are extremely numerous, some of the most numerous events on a network.<\/p>\n<p><em>But, what if we only cared about 1 event?<br \/>\n<\/em>That would reduce the number of 4769 events down to a single event that only occurs when something malicious is happening.<\/p>\n<p>This post describes how to narrow the events down further to best detect Kerberoasting activity on a network: creating a Service Account Honeypot to detect Kerberoasting.<\/p>\n<p>Note: I still recommend <a href=\"https:\/\/adsecurity.org\/?p=3458\">filtering 4769 event IDs on Domain Controllers<\/a> and flowing them into SIEM\/Splunk since this will provide information on resources users are accessing as well as help flag when a single user is requesting multiple service principal names (which is suspicious).<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Creating a Kerberoast 
Service Account Honeypot<\/strong><\/p>\n<p>In order to create a Kerberoast Service Account Honeypot, we need to create a user account in AD and give it a fake service principal name (SPN). It has to be fake so we know that when it&#8217;s requested, this request is not valid and therefore is malicious. It&#8217;s also important to make this account look attractive by setting the &#8220;AdminCount&#8221; attribute to 1 as this flags the account as <a href=\"https:\/\/adsecurity.org\/?p=1906\">potentially having elevated AD rights<\/a>. Adding this account to a bunch of fake groups made to look like it&#8217;s providing additional elevated rights helps to add to the illusion.<\/p>\n<p>Step 1: Create a new AD user account.<\/p>\n<p>Step 2: Set the &#8220;AdminCount&#8221; attribute to 1.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3514\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-AdminCount1.jpg\" alt=\"\" width=\"396\" height=\"528\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-AdminCount1.jpg 843w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-AdminCount1-225x300.jpg 225w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-AdminCount1-768x1025.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-AdminCount1-767x1024.jpg 767w\" sizes=\"auto, (max-width: 396px) 100vw, 396px\" \/><\/p>\n<p>Step 3: Add a Service Principal Name (SPN) to the account. This SPN needs to be unique, so it should not simply be copied from another system. SQL service accounts are pretty common, so that&#8217;s not a bad one to use (MSSQLSvc\/sql01.lab.adsecurity.org). Just don&#8217;t reuse one that already exists.<br \/>\nThe following example is a bit less&#8230; subtle. 
\ud83d\ude42<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3517\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-SPN.jpg\" alt=\"\" width=\"396\" height=\"527\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-SPN.jpg 837w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-SPN-225x300.jpg 225w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-SPN-768x1022.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-SPN-769x1024.jpg 769w\" sizes=\"auto, (max-width: 396px) 100vw, 396px\" \/><\/p>\n<p>Step 4: It may also be useful to add the honeypot account to a fake group that looks like it might have admin rights.<\/p>\n<p>Note:<br \/>\nTo make things interesting, you could give this account an easy password that could be guessed, something like &#8220;Password1234&#8221; (or a keyboard combination). This way we can monitor if someone logs on with this account. However, the Kerberos TGS service ticket request is enough to know that Kerberoasting activity is occurring and we know from which computer it&#8217;s being done thanks to the event information (&#8220;Client Address&#8221;).<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Detecting Kerberoast Service Account Honeypot &#8220;Access&#8221;<br \/>\n<\/strong><\/p>\n<p>Once the honeypot account is created, it has a service principal name that doesn&#8217;t do anything and therefore should <span style=\"text-decoration: underline;\">never<\/span> be requested or used. The reason this service principal name should never be requested is that we made it up and it isn&#8217;t linked to any real application that would be requesting it. There is no reason for anyone to ever request a Kerberos TGS service ticket for this since there is no actual associated service running for it. 
Therefore, if we see that someone requested a Kerberos TGS ticket for this SPN, they are very likely attempting to Kerberoast this account.<\/p>\n<p>An attacker gains access to the internal network and searches for accounts that have service principal names and have AdminCount set to 1.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3515\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-GetSAsWithAdminCount1.jpg\" alt=\"\" width=\"545\" height=\"89\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-GetSAsWithAdminCount1.jpg 1312w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-GetSAsWithAdminCount1-300x49.jpg 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-GetSAsWithAdminCount1-768x126.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Account-GetSAsWithAdminCount1-1024x168.jpg 1024w\" sizes=\"auto, (max-width: 545px) 100vw, 545px\" \/><\/p>\n<p>This shows our new honeypot account to the attacker, who is now interested in this account and requests an RC4 encrypted Kerberos TGS ticket for the SPN. 
A klist shows the attacker got the TGS ticket in memory.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3518\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Klist.jpg\" alt=\"\" width=\"525\" height=\"126\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Klist.jpg 1222w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Klist-300x72.jpg 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Klist-768x184.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/01\/Kerberoast-HoneyPot-Klist-1024x246.jpg 1024w\" sizes=\"auto, (max-width: 525px) 100vw, 525px\" \/><\/p>\n<p>By looking for 4769 events on Domain Controllers with the ticket encryption option 0x12 (along with other filters I describe in the <a href=\"https:\/\/adsecurity.org\/?p=3458\">Kerberoast detection post<\/a>), we can see that Joe User requested a Kerberos ticket for a SPN that doesn&#8217;t exist and should never be requested!<br \/>\nThe Account Name shows which account was used and Client Address provides the computer IP from where the attacker requested the honeypot Kerberos service account.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3567\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-EventID4769-ServiceName-ClientAddress.jpg\" alt=\"\" width=\"403\" height=\"266\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-EventID4769-ServiceName-ClientAddress.jpg 1177w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-EventID4769-ServiceName-ClientAddress-300x198.jpg 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-EventID4769-ServiceName-ClientAddress-768x507.jpg 768w, 
https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-EventID4769-ServiceName-ClientAddress-1024x676.jpg 1024w\" sizes=\"auto, (max-width: 403px) 100vw, 403px\" \/><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3569\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery2.jpg\" alt=\"\" width=\"738\" height=\"87\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery2.jpg 1375w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery2-300x35.jpg 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery2-768x90.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery2-1024x121.jpg 1024w\" sizes=\"auto, (max-width: 738px) 100vw, 738px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>When we use our Kerberoast discovery PowerShell script against the Domain Controller event logs, we find that Joe User has requested a lot of Kerberos service tickets, including the one for our Honeypot (which again should never be requested since it doesn&#8217;t exist).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-3570\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery3.jpg\" alt=\"\" width=\"1400\" height=\"424\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery3.jpg 1400w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery3-300x91.jpg 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery3-768x233.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery3-1024x310.jpg 1024w\" sizes=\"auto, (max-width: 1400px) 100vw, 1400px\" \/><\/p>\n<p><img 
loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-3572\" src=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery1.jpg\" alt=\"\" width=\"697\" height=\"135\" srcset=\"https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery1.jpg 1333w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery1-300x58.jpg 300w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery1-768x149.jpg 768w, https:\/\/adsecurity.org\/wp-content\/uploads\/2017\/02\/Kerberoast-HoneyPot-Account-Discovery1-1024x198.jpg 1024w\" sizes=\"auto, (max-width: 697px) 100vw, 697px\" \/><\/p>\n<p>Using a service account honeypot changes this detection from &#8220;potential&#8221; Kerberoasting activity to definite Kerberoasting activity.<\/p>\n<p>Note that we can also configure an IDS rule that looks at TGS-REQ packets with the service name &#8220;KerberoastHoneyPot&#8221; (again, or something more boring and subtle).<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Conclusion<\/strong><\/p>\n<p>Kerberoasting requires requesting Kerberos TGS service tickets with RC4 encryption, which shouldn&#8217;t be regular activity on a network. Logging 4769 events on Domain Controllers and filtering these events by ticket encryption type (0x17), known service accounts (Account Name field) &amp; computers (Service Name field) greatly reduces the number of events forwarded to the central logging and alerting system. Gathering and monitoring this data also creates a good baseline of what&#8217;s &#8220;normal&#8221; in order to more easily detect anomalous activity.<\/p>\n<p>Detecting Kerberoasting activity is possible by logging the correct activity on Domain Controllers. Determining whether this activity is malicious or not requires in-depth knowledge of how RC4 TGS tickets are used in the environment. 
Creating a service account honeypot with a SPN that doesn&#8217;t do anything provides another data point. Any Kerberos ticket request involving the honeypot service account should be seen as malicious.<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Kerberoasting References<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/adsecurity.org\/?p=3458\">Detecting Kerberoasting Activity<\/a> (part 1)<\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2293\">Cracking Kerberos TGS Tickets Using Kerberoast \u2013 Exploiting Kerberos to Compromise the Active Directory Domain <\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=2362\">Attack Methods for Gaining Domain Admin Rights in Active Directory <\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?p=3466\">Sneaky Persistence Active Directory Trick #18: Dropping SPNs on Admin Accounts for Later Kerberoasting<\/a><\/li>\n<li><a href=\"http:\/\/www.harmj0y.net\/blog\/activedirectory\/targeted-kerberoasting\/\">Targeted Kerberoasting (Harmj0y)<\/a><\/li>\n<li><a href=\"http:\/\/www.harmj0y.net\/blog\/powershell\/kerberoasting-without-mimikatz\/\">Kerberoasting without Mimikatz (Harmj0y)<\/a><\/li>\n<li><a href=\"http:\/\/www.harmj0y.net\/blog\/activedirectory\/roasting-as-reps\/\">Roasting AS REPs (Harmj0y)<\/a><\/li>\n<li><a href=\"https:\/\/adsecurity.org\/?page_id=1352\">Sean Metcalf\u2019s Presentations on Active Directory Security<\/a><\/li>\n<li><a href=\"https:\/\/github.com\/nidem\/kerberoast\">Kerberoast (GitHub)<\/a><\/li>\n<li>Tim Medin\u2019s DerbyCon \u201cAttacking Microsoft Kerberos Kicking the Guard Dog of Hades\u201d presentation in 2014 (<a href=\"https:\/\/files.sans.org\/summit\/hackfest2014\/PDFs\/Kicking%20the%20Guard%20Dog%20of%20Hades%20-%20Attacking%20Microsoft%20Kerberos%20%20-%20Tim%20Medin%281%29.pdf\">slides<\/a> &amp; <a href=\"https:\/\/www.youtube.com\/watch?v=PUyhlN-E5MU&amp;feature=youtu.be\">video<\/a>).<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In my previous post, 
&#8220;Detecting Kerberoasting Activity&#8221;\u00a0 I explain how Kerberoasting works and describe how to detect potential Kerberoasting activity. The trick to this is understanding what activity is normal in order to filter out the noise and increase the fidelity of the alert. This post describes how to filter from millions of events to &hellip; <\/p>\n<p><a class=\"more-link btn\" href=\"https:\/\/adsecurity.org\/?p=3513\">Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":3572,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,11,2],"tags":[1132,1135,1125,1133,1134,1153,1126,1131,1129,1128,1127,1130,708,1154,571,570],"class_list":["post-3513","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-activedirectorysecurity","category-microsoft-security","category-technical-reference","tag-ap-req","tag-audit-kerberos-service-ticket-operations","tag-detect-kerberoast-activity","tag-detecting-kerberoast-activity","tag-event-id-4769","tag-kerberoast-honeypot","tag-kerberoasting-activity","tag-kerberos-rc4-encryption","tag-kerberos-service-ticket","tag-kerberos-tgs","tag-kerberos-tgs-ticket","tag-ntlm-password","tag-rc4_hmac_md5","tag-service-account-honeypot","tag-tgs-rep","tag-tgs-req","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/3513","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3513"}],"version-history":[{"count":12,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/po
sts\/3513\/revisions"}],"predecessor-version":[{"id":3579,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/3513\/revisions\/3579"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/media\/3572"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3513"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3513"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3513"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}