
TryHackMe Detecting AD Credential Attacks | Full Walkthrough 2026

🐱 Detect Kerberoasting, AS-REP Roasting, LSASS dumping, DCSync, and NTDS.dit extraction in Splunk.

🔗🔗 Room Link: https://tryhackme.com/room/detectingadcredentialattacks

🎯 This room covers five techniques that bridge the gap between "attacker has a foothold" and "attacker owns the domain."

🍅 Kerberoasting and AS-REP Roasting abuse Kerberos ticket requests to obtain material that can be cracked offline.
🍅 LSASS dumping extracts credentials directly from memory.
🍅 DCSync impersonates a domain controller to pull every password hash in the directory.
🍅 NTDS.dit extraction copies the database file directly from the domain controller's disk.

🎯 Learning Objectives🎯

🍅 Detect Kerberoasting through anomalous TGS requests with RC4 encryption
🍅 Identify AS-REP Roasting by recognizing requests for accounts with preauthentication disabled
🍅 Detect LSASS credential dumping through suspicious process access patterns
🍅 Identify DCSync attacks through unauthorized replication requests
🍅 Detect NTDS.dit extraction through process creation and file write events on domain controllers
🍅 Correlate credential access artifacts across host and domain controller logs to trace an attacker's escalation path
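The five objectives above each map to one Windows event pattern (4769 with RC4, 4768 without pre-authentication, Sysmon 10 on lsass.exe, 4662 with replication rights, process creation touching a shadow copy or ntds.dit). The script below is an added example and not the room's own Splunk searches: it runs that detection logic over a handful of constructed Security/Sysmon records (all accounts, hosts, IPs, logon IDs and access masks are made up) and then correlates the hits into a time-ordered escalation path, which is the last objective in the list.

```python
"""Toy detectors for the five AD credential-access techniques the room covers.
Added example, not the room's code: events are constructed Windows Security /
Sysmon records reduced to dicts, with Security and Sysmon IDs mixed in one list
for brevity (real pipelines keep them in separate sourcetypes)."""
from collections import defaultdict

# Well-known control access right GUIDs used by directory replication.
DS_REPL_GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPL_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
RC4_HMAC = "0x17"               # TicketEncryptionType value for RC4-HMAC
PROCESS_VM_READ = 0x0010        # access bit needed to read lsass memory
DUMP_DLLS = ("dbghelp.dll", "dbgcore.dll")   # MiniDumpWriteDump lives here

# Constructed sample events (not real telemetry), "t" is a fake ordering key.
EVENTS = [
 {"t": 1, "EventID": 4768, "TargetUserName": "svc_backup", "PreAuthType": "0", "IpAddress": "10.0.0.50"},
 {"t": 2, "EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "MSSQLSvc", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.50"},
 {"t": 3, "EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "HTTP-web01", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.50"},
 {"t": 4, "EventID": 4769, "TargetUserName": "jdoe", "ServiceName": "svc_sql2", "TicketEncryptionType": RC4_HMAC, "IpAddress": "10.0.0.50"},
 {"t": 5, "EventID": 4769, "TargetUserName": "alice", "ServiceName": "krbtgt", "TicketEncryptionType": "0x12", "IpAddress": "10.0.0.51"},
 {"t": 6, "EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Temp\tool.exe",
  "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010",
  "CallTrace": r"C:\Windows\System32\ntdll.dll+9d4b4|C:\Windows\System32\dbgcore.dll+1234"},
 {"t": 7, "EventID": 10, "Computer": "WS01", "SourceImage": r"C:\Windows\System32\csrss.exe",
  "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1000",
  "CallTrace": r"C:\Windows\System32\ntdll.dll+9d4b4"},
 {"t": 8, "EventID": 4662, "SubjectUserName": "jdoe", "SubjectLogonId": "0x3e7a1", "IpAddress": "10.0.0.50",
  "Properties": f"{{{DS_REPL_GET_CHANGES}}} {{{DS_REPL_GET_CHANGES_ALL}}}"},
 {"t": 9, "EventID": 4662, "SubjectUserName": "DC02$", "SubjectLogonId": "0x3e7", "IpAddress": "10.0.0.11",
  "Properties": f"{{{DS_REPL_GET_CHANGES_ALL}}}"},
 {"t": 10, "EventID": 1, "Computer": "DC01", "User": "CORP\\jdoe", "CommandLine": "vssadmin create shadow /for=C:"},
 {"t": 11, "EventID": 1, "Computer": "DC01", "User": "CORP\\jdoe",
  "CommandLine": r"copy \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\Windows\NTDS\ntds.dit C:\Temp\ntds.dit"},
]


def detect_kerberoasting(events, min_services=3):
    """Many RC4 (0x17) service-ticket requests from one account/IP pair."""
    seen = defaultdict(set)
    for e in events:
        if e["EventID"] == 4769 and e.get("TicketEncryptionType") == RC4_HMAC:
            seen[(e["TargetUserName"], e["IpAddress"])].add(e["ServiceName"])
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_services}


def detect_asrep_roasting(events):
    """TGT requests (4768) for accounts that did not pre-authenticate."""
    return [(e["TargetUserName"], e["IpAddress"]) for e in events
            if e["EventID"] == 4768 and e.get("PreAuthType") == "0"]


def detect_lsass_access(events, allowlist=("csrss.exe", "wininit.exe", "MsMpEng.exe")):
    """Sysmon 10: a non-allowlisted process opened lsass.exe with PROCESS_VM_READ.
    Returns (host, source image, GrantedAccess, dump DLL seen in CallTrace or None)."""
    hits = []
    for e in events:
        if e["EventID"] != 10 or not e["TargetImage"].lower().endswith("lsass.exe"):
            continue
        if e["SourceImage"].rsplit("\\", 1)[-1] in allowlist:
            continue
        if int(e["GrantedAccess"], 16) & PROCESS_VM_READ:
            dll = next((d for d in DUMP_DLLS if d in e["CallTrace"].lower()), None)
            hits.append((e["Computer"], e["SourceImage"], e["GrantedAccess"], dll))
    return hits


def detect_dcsync(events):
    """4662 carrying replication rights from a principal that is not a DC machine account."""
    return [(e["SubjectUserName"], e["SubjectLogonId"], e["IpAddress"]) for e in events
            if e["EventID"] == 4662 and not e["SubjectUserName"].endswith("$")
            and (DS_REPL_GET_CHANGES in e["Properties"] or DS_REPL_GET_CHANGES_ALL in e["Properties"])]


def detect_ntds_extraction(events):
    """Process creation whose command line touches shadow copies, ntdsutil or ntds.dit."""
    needles = ("ntds.dit", "vssadmin create shadow", "harddiskvolumeshadowcopy", "ntdsutil")
    return [(e["Computer"], e["User"], e["CommandLine"]) for e in events
            if e["EventID"] == 1 and any(n in e["CommandLine"].lower() for n in needles)]


def escalation_path(events):
    """Tag each alerting event with its technique and return a deduplicated timeline."""
    kerb = detect_kerberoasting(events)
    timeline = []
    for e in sorted(events, key=lambda x: x["t"]):
        eid, entry = e["EventID"], None
        if eid == 4768 and detect_asrep_roasting([e]):
            entry = (e["t"], "AS-REP Roasting", e["IpAddress"])
        elif eid == 4769 and (e["TargetUserName"], e["IpAddress"]) in kerb:
            entry = (e["t"], "Kerberoasting", e["TargetUserName"])
        elif eid == 10 and detect_lsass_access([e]):
            entry = (e["t"], "LSASS dump", e["Computer"])
        elif eid == 4662 and detect_dcsync([e]):
            entry = (e["t"], "DCSync", e["SubjectUserName"])
        elif eid == 1 and detect_ntds_extraction([e]):
            entry = (e["t"], "NTDS.dit extraction", e["User"])
        # collapse consecutive hits of the same technique by the same actor
        if entry and not (timeline and timeline[-1][1:] == entry[1:]):
            timeline.append(entry)
    return timeline


if __name__ == "__main__":
    for t, technique, actor in escalation_path(EVENTS):
        print(f"t={t:>2}  {technique:<20} {actor}")
```

The 4769 check deliberately keys on the requesting account and source IP rather than on a single ticket, since one RC4 request is normal noise and the signal is the burst across many SPNs; the DCSync check excludes `$` machine accounts because domain controllers legitimately replicate with each other, so the alert is about who holds the right, not the right itself.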

🎯 Timestamps:🎯

[00:00:00] Task 1: Introduction
[00:02:39] Task 2: Detecting Kerberoasting
[00:11:26] Task 3: Detecting AS-REP Roasting
[00:18:26] Task 4: Detecting LSASS Credential Dumping
[00:29:00] Task 5: Detecting DCSync
[00:37:12] Task 6: Detecting NTDS.dit Extraction
[00:45:29] Task 7: Investigation Challenge
[00:54:15] Task 8: Conclusion

🎯 Room Tasks:🎯

🐬 Task 1: Introduction

🐙 Task 2: Detecting Kerberoasting
- How many service accounts were targeted by Kerberoasting?
- What account requested the service tickets? (Answer Format: username only, without @domain)
- What source IP initiated the Kerberoasting?

🫒 Task 3: Detecting AS-REP Roasting
- Which account had preauthentication disabled? (Answer Format: username)

🫑 Task 4: Detecting LSASS Credential Dumping
- What is the full path of the process that accessed lsass.exe?
- What GrantedAccess value was used? (Answer Format: 0xNNNNNN)
- Which DLL in the CallTrace reveals the dump method?

🍇 Task 5: Detecting DCSync
- What account performed the DCSync?
- What is the Logon_ID of the DCSync session? (Answer Format: 0xNNNNNNN)
- What source IP initiated the DCSync?

🐤 Task 6: Detecting NTDS.dit Extraction
- What is the full command line used to extract NTDS.dit? (Answer Format: full command line as shown in Splunk)
- What is the full shadow copy path the attacker copied ntds.dit from? (Answer Format: full path as shown in the CommandLine)
- Where did the attacker stage the files copied from the shadow copy? (Answer Format: directory path)

🐧 Task 7: Investigation Challenge
- Which account was targeted by AS-REP Roasting?
- What account performed the Kerberoasting? (Answer Format: username only, without @domain)
- What process accessed LSASS on the workstation?
- What GrantedAccess value was used for the LSASS dump? (Answer Format: 0xNNNNNN)
- What account performed the DCSync attack?

🦤 Task 8: Conclusion

⚠️ Educational Purpose Only
This content is for educational and authorized penetration testing purposes only. Always ensure you have permission before testing on any systems.

#tryhackme

Video: TryHackMe Detecting AD Credential Attacks | Full Walkthrough 2026, from the channel Djalil Ayed