TTPwire Vol. 1 · MITRE ATT&CK·Tagged

Huntress

PerfMon! What Is It Good For? | Huntress

2025-01-23

ATT&CK techniques detected

11 predictions
T1558.003 Kerberoasting
86%
“i highly recommend one of my favorite posts: "kerberosity killed the domain: an offensive kerberos overview" by ryan hausknecht. it does an excellent job of explaining the concepts and demonstrating both kerberoasting and as-rep roasting. kerberoasting using the default act…”
T1087.002 Domain Account
81%
“, but they may be gaining more traction with the release of maldaptive. charlie clark’s - obfuscate function in his fork of powerview has been around since 2021. using this function, we can send obfuscated ldap queries to our domain controller and see the results in perfmon: i…”
T1558.004 AS-REP Roasting
80%
“trace and alternatively conduct an as-rep roasting attack with rubeus, we can get “similar” contextual results: this also provides significant insight into the attack: the attacker touched our accounts, thanos and warmachine, which are configured not to require pre-authen…”
T1558 Steal or Forge Kerberos Tickets
74%
“perfmon! what is it good for? | huntress in his hit song "war," motown singer edwin starr asked a poignant question: "war, huh, yeah, what is it good for?" well, from a purple teamer’s perspective, the same can be asked of performance monitor (perfmon), and the answer wi…”
T1558.003 Kerberoasting
69%
“! background according to microsoft, the performance monitor tool is: primarily for viewing real-time statistics. by default only one counter is selected; the % processor time counter. however you can add additional counters by clicking on the green plus sign. this will allow…”
T1558.003 Kerberoasting
54%
“trace and alternatively conduct an as-rep roasting attack with rubeus, we can get “similar” contextual results: this also provides significant insight into the attack: the attacker touched our accounts, thanos and warmachine, which are configured not to require pre-authen…”
T1558.004 AS-REP Roasting
51%
“! background according to microsoft, the performance monitor tool is: primarily for viewing real-time statistics. by default only one counter is selected; the % processor time counter. however you can add additional counters by clicking on the green plus sign. this will allow…”
T1558 Steal or Forge Kerberos Tickets
45%
“t give it much thought, as i was focused on golden tickets rather than the broader scope of kerberos attacks. however, when re-examining kerberos performance counters for this post, mark’s 2018 blog came to mind and prompted me to revisit its ideas. this reminded me of the va…”
T1558.004 AS-REP Roasting
36%
“i highly recommend one of my favorite posts: "kerberosity killed the domain: an offensive kerberos overview" by ryan hausknecht. it does an excellent job of explaining the concepts and demonstrating both kerberoasting and as-rep roasting. kerberoasting using the default act…”
T1558 Steal or Forge Kerberos Tickets
34%
“! background according to microsoft, the performance monitor tool is: primarily for viewing real-time statistics. by default only one counter is selected; the % processor time counter. however you can add additional counters by clicking on the green plus sign. this will allow…”
T1550.003 Pass the Ticket
33%
“t give it much thought, as i was focused on golden tickets rather than the broader scope of kerberos attacks. however, when re-examining kerberos performance counters for this post, mark’s 2018 blog came to mind and prompted me to revisit its ideas. this reminded me of the va…”

Summary

Explore how Performance Monitor (PerfMon) counters can be used as alternative methods for detecting Kerberos roasting attacks, moving beyond the traditional reliance on Windows Events 4768/4769.