200-endpoint manufacturer · AD Kerberoast + Cobalt Strike · eradication before the DA hash was cracked
At a 200-endpoint manufacturer a SOC analyst noticed anomalous Kerberos TGS requests: 280 TGS-REQs for SPNs in 12 minutes. BloodHound showed the first attempt 3 weeks earlier. With a rapid krbtgt double-rotation + full eradication DSET kicked out the attacker before the DA hash was cracked, ensuring 24 months of clean operation.
01 The Challenge
The SOC analyst saw a flood of 280 TGS-REQs in 12 minutes in Splunk. Source an HR assistant PC; BloodHound detected the attempt 3 weeks earlier (not closed). The attacker was trying to crack the DA hash, 4 hops from the DA path. A Cobalt Strike beacon was detected on JANE.DOE's PC, with lateral spread on 3 hosts. Initial access was a phishing zip → HTA dropper 6 weeks earlier.
02 DSET's Approach
T+0 · Rapid DA rotation
All DA accounts + krbtgt double-rotated (10 minutes apart, against Kerberos cache spoofing). All hashes in the attacker's hands turned to garbage.
T+24h · Forensics + IA
JANE.DOE PC forensics: 6 weeks earlier an "invoice.zip" phishing → HTA dropper. Memory: a Cobalt Strike beacon, lateral spread started on 3 hosts.
T+1 week · Broad eradication
DSET installed EDR (CrowdStrike Falcon) on 47 hosts. Clean install of 3 hosts. krbtgt 3rd rotation (24 hours later). The attacker was completely kicked out.