I instrumented a lab Active Directory forest with Sysmon and Splunk, then hunted the most common identity attacks using BloodHound attack-path analysis. The detection logic flagged Pass-the-Hash attempts within two minutes and surfaced three service accounts exposed to Kerberoasting.

Threat Model & MITRE ATT&CK Mapping

Active Directory is the identity backbone, which makes credential and ticket abuse the highest-impact post-compromise activity. Each hunt hypothesis maps to a specific ATT&CK sub-technique and a corresponding Sysmon/Splunk detection.

  • T1558.003 Kerberoasting – TGS-REP requests for SPN-bearing service accounts.
  • T1558.004 AS-REP Roasting – accounts without Kerberos pre-auth.
  • T1550.002 Pass-the-Hash – NTLM logons with anomalous logon type 9.
  • T1098 Account Manipulation – Golden Ticket persistence via forged TGTs.

Environment & Prerequisites

  • Windows Server 2022 domain controller; 2 domain-joined Windows 11 workstations.
  • Sysmon with the SwiftOnSecurity configuration shipping to Splunk.
  • BloodHound + SharpHound collector; PowerShell detection scripts.
  • Honeypot service account with a fake SPN to detect Kerberoasting.

Step-by-Step Execution

1. Collect attack paths with SharpHound

.\SharpHound.exe -c All --zipfilename lab-collection

2. Splunk detection for Kerberoasting (event 4769, RC4)

index=wineventlog EventCode=4769 Ticket_Encryption_Type=0x17 | stats count by Account_Name, Service_Name
Account_Name   Service_Name        count
svc_sql        MSSQLSvc/db01:1433  14
svc_backup     CIFS/fs01           9

3. Pass-the-Hash detection (logon type 9, seclogo)

index=wineventlog EventCode=4624 Logon_Type=9 Logon_Process=seclogo | table _time, Account_Name, Workstation

Validation & Testing

Run authorized Rubeus/Mimikatz simulations in the isolated lab to generate Kerberoasting and PtH telemetry, then confirm the Splunk searches and honeypot SPN both fire. Pass criteria: PtH detected within 2 minutes and the honeypot account triggers on first TGS request (alt text: Splunk alert timeline correlating simulated attack with detection).

Advanced: Troubleshooting
  • No 4769 events: enable Kerberos service-ticket auditing via Group Policy.
  • Sysmon gaps: confirm the SwiftOnSecurity config is applied with sysmon -c.
  • BloodHound empty: verify SharpHound ran with domain context and LDAP reachability.

Key Results

  • Identified 3 service accounts vulnerable to Kerberoasting via SPN + RC4 analysis.
  • Detected Pass-the-Hash attempts within 2 minutes of execution.
  • Mapped 15+ lateral-movement paths to Domain Admin using BloodHound.
  • Deployed 1 honeypot SPN account providing high-fidelity early warning with near-zero false positives.