Kerberoasting: Service Ticket to Domain Admin

During the analysis of the incident occurring at 2025-01-11T21:12:00Z, the attacker executed a series of commands aimed at harvesting sensitive information from the system. You need to examine the XDR detection metadata to determine which high-level attack phase this activity falls under according to the MITRE framework.

After an initial breach, the adversary attempted to maintain long-term access by targeting the Kerberos Ticket Granting Service. You need to analyze the security events in the XDR panel to determine the exact sub-technique used to forge authentication tickets.

The security console flagged an unusual sequence of API calls occurring at 2025-01-12T04:15:33Z. You must investigate the XDR panel to determine which specific MITRE technique was mapped to this behavior, as it indicates the attacker is targeting specific geographical configurations.

Our monitoring system flagged an unusual network event originating from an internal host. You need to investigate the telemetry data to determine which remote destination the system attempted to communicate with during the final stages of the recorded activity.

The initial alert indicates that an attacker may have attempted to manipulate the environment to maintain access. Review the telemetry around 04:15:33Z to determine which specific sub-technique or technique was mapped to this activity by the detection engine.

An alert was triggered indicating that an adversary attempted to bypass security controls on a workstation. You need to analyze the alert details in the XDR panel to determine which high-level MITRE tactic describes the phase of the attack where the threat actor tries to avoid detection.

An alert was triggered indicating that an adversary may have compromised the Key Distribution Center (KDC) service account. Review the XDR panel to determine the exact name of the technique used to maintain long-term persistence within the domain.

Evidence suggests that after initial access on 2025-01-10T10:29:50.927Z, the attacker attempted to communicate with a specific internal domain. Locate the endpoint entry in the XDR event logs to identify which domain was being targeted during this phase of the attack.