AS-REP Roasting targets accounts with Kerberos preauthentication disabled: the KDC hands out an AS-REP whose encrypted part can be cracked offline to recover the account's password.
When preauthentication is enabled (the default), the client's AS-REQ carries a timestamp encrypted with a key derived from the user's password (for RC4-HMAC that key is simply the NT hash). The DC decrypts it to confirm the client knows the password before responding with an AS-REP containing the TGT.
With preauthentication disabled, an adversary can send an AS-REQ with no encrypted timestamp and still receive an AS-REP for that account. The AS-REP's enc-part (session key, timestamps, etc.) is encrypted with the user's long-term key; roasting tools request RC4-HMAC (etype 23, 0x17) so that key is the NT hash, and the blob is cracked offline (hashcat mode 18200, John's krb5asrep) much as in Kerberoasting. No valid credentials are needed for the AS-REQ itself, only a username.
Any domain account can find these accounts with an LDAP filter on the DONT_REQ_PREAUTH bit of userAccountControl (0x400000, decimal 4194304). Without a domain account, an attacker can spray preauth-less AS-REQs over a username list and sort by the reply: KDC_ERR_PREAUTH_REQUIRED means the account exists and is protected, KDC_ERR_C_PRINCIPAL_UNKNOWN means no such user, and an AS-REP means the account is roastable (so the same spray doubles as user enumeration).
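Both enumeration routes from the paragraph above, as an added example that is not code from the original note. The LDAP entries and KDC replies it works on are constructed; in real use, feed roastable_from_ldap() the result of a search with LDAP_FILTER and roastable_from_asreq() the replies seen while spraying preauth-less AS-REQs (Impacket's GetNPUsers.py performs that exchange). The account names are hypothetical.

```python
"""Enumerating AS-REP-roastable accounts via LDAP and via AS-REQ replies."""

# userAccountControl bits (ADS_UF_* constants).
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQUIRE_PREAUTH = 0x400000   # 4194304: "Do not require Kerberos preauthentication"

# Kerberos message types and KDC error codes (RFC 4120).
KRB_AS_REP = 11
KRB_ERROR = 30
KDC_ERR_C_PRINCIPAL_UNKNOWN = 6
KDC_ERR_CLIENT_REVOKED = 18
KDC_ERR_PREAUTH_REQUIRED = 25

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) tests single bits of
# userAccountControl. Any authenticated domain user can run this search.
LDAP_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    f"(userAccountControl:1.2.840.113556.1.4.803:={UF_DONT_REQUIRE_PREAUTH})"
    f"(!(userAccountControl:1.2.840.113556.1.4.803:={UF_ACCOUNTDISABLE})))"
)


def roastable_from_ldap(entries):
    """entries: iterable of {'sAMAccountName': str, 'userAccountControl': int}.

    Returns enabled accounts with DONT_REQ_PREAUTH set. Disabled accounts are
    skipped: the KDC answers them with KDC_ERR_CLIENT_REVOKED, not an AS-REP."""
    return sorted(
        e["sAMAccountName"]
        for e in entries
        if e["userAccountControl"] & UF_DONT_REQUIRE_PREAUTH
        and not e["userAccountControl"] & UF_ACCOUNTDISABLE
    )


def classify_as_response(msg_type, error_code=None):
    """Interpret the DC's reply to an AS-REQ that carried no PA-ENC-TIMESTAMP."""
    if msg_type == KRB_AS_REP:
        return "roastable"                 # enc-part is crackable offline
    if msg_type == KRB_ERROR:
        if error_code == KDC_ERR_PREAUTH_REQUIRED:
            return "preauth-required"      # account exists, not roastable
        if error_code == KDC_ERR_C_PRINCIPAL_UNKNOWN:
            return "no-such-user"          # wordlist entry does not exist
        if error_code == KDC_ERR_CLIENT_REVOKED:
            return "disabled-or-locked"
        return f"krb-error-{error_code}"
    raise ValueError(f"unexpected Kerberos message type {msg_type}")


def roastable_from_asreq(responses):
    """responses: {username: (msg_type, error_code)} from a preauth-less AS-REQ spray."""
    return sorted(
        user for user, (msg_type, err) in responses.items()
        if classify_as_response(msg_type, err) == "roastable"
    )


# Constructed sample data (hypothetical accounts, not real directory output).
SAMPLE_LDAP = [
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x10200 | UF_DONT_REQUIRE_PREAUTH},
    {"sAMAccountName": "jdoe",       "userAccountControl": 0x10200},
    {"sAMAccountName": "old_svc",    "userAccountControl": 0x10202 | UF_DONT_REQUIRE_PREAUTH},  # disabled
]
SAMPLE_ASREQ = {
    "svc_legacy": (KRB_AS_REP, None),
    "jdoe":       (KRB_ERROR, KDC_ERR_PREAUTH_REQUIRED),
    "old_svc":    (KRB_ERROR, KDC_ERR_CLIENT_REVOKED),
    "nobody":     (KRB_ERROR, KDC_ERR_C_PRINCIPAL_UNKNOWN),
}

if __name__ == "__main__":
    print(LDAP_FILTER)
    print("via LDAP:  ", roastable_from_ldap(SAMPLE_LDAP))
    print("via AS-REQ:", roastable_from_asreq(SAMPLE_ASREQ))
```

The LDAP route is quieter but needs a domain account; the AS-REQ route needs nothing but a username list and produces one 4768 per probe on the DC, which is what the detection section below keys on.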
Mitigations (from MITRE)
M1047 - Audit: Preauthentication is enabled by default. Keep it enabled on every account wherever possible and audit any change to the flag. Some older protocols or third-party Kerberos clients may require it disabled, but that should be a documented exception, not the norm. Identify affected accounts from PowerShell by querying the DONT_REQ_PREAUTH bit of userAccountControl (the ActiveDirectory module exposes it as the DoesNotRequirePreAuth property).
M1041 - Encrypt Sensitive Information: Prefer AES Kerberos encryption over RC4. Note that the attacker chooses the etypes in the AS-REQ, so merely adding AES keys to an account is not enough: RC4 has to be disallowed on the DC side for the AS-REP enc-part to come back as AES. An AES-encrypted AS-REP is still crackable offline, just far slower, so this raises the cost rather than removing the risk.
M1027 - Password Policies: Enforce long passwords (ideally 25+ characters) and complexity for service accounts, especially any account that must keep preauthentication disabled, with periodic rotation. Consider Group Managed Service Accounts or password vaulting solutions, which take the password out of human hands entirely.
Detection (DET0113)
Monitor Event ID 4768 (a Kerberos authentication ticket was requested) where Pre-Authentication Type is 0, meaning no preauthentication data was supplied. Key indicators include:
4768 events with Pre-Authentication Type 0 for accounts that are not on the known list of preauth-disabled accounts (those accounts will log Pre-Auth Type 0 on every legitimate logon, so baseline them first)
Ticket Encryption Type 0x17 (RC4-HMAC, etype 23) on such requests; roasting tools ask for RC4 because it is cheapest to crack, while a domain-joined Windows client on an AES-capable account would normally negotiate AES
A subsequent Event ID 4769 (service ticket requested) for the same account from the same client address; using the TGT requires the session key from the AS-REP enc-part, so this suggests the password was cracked
Many Pre-Auth Type 0 4768s for distinct accounts from one client address in a short window, or LDAP queries for the "Do not require Kerberos preauthentication" attribute, both signs of enumeration
The strategy is therefore to flag unusual patterns of preauth-less AS-REQ activity and, separately, to alert on changes to the flag itself: an attacker with write access to a user object can set "Do not require Kerberos preauthentication" to make that account roastable, and Event ID 4738 (a user account was changed) records the userAccountControl change.
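The detection indicators above turned into rules and run over a handful of constructed 4768/4769 events, as an added example that is not from the original note or from MITRE's DET0113. Each event is a dict of the EventData fields that matter (TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, ServiceName), so map a Get-WinEvent or SIEM export onto those names. The allowlist, thresholds and time windows are assumptions to tune per environment, and the hosts and accounts are hypothetical.

```python
"""Rules for AS-REP Roasting indicators in the Windows Security log."""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                      # TicketEncryptionType for etype 23
KNOWN_NO_PREAUTH = {"svc_legacy"}    # assumed allowlist: preauth legitimately disabled
SPRAY_THRESHOLD = 3                  # assumed: distinct targets from one source ...
SPRAY_WINDOW = timedelta(minutes=5)  # ... within this window counts as enumeration
TGS_WINDOW = timedelta(minutes=30)   # assumed: a 4769 this soon after = likely cracked


def _t(event):
    return datetime.fromisoformat(event["TimeCreated"])


def detect(events):
    """Return a list of (rule, subject, detail) findings over the given events."""
    events = sorted(events, key=_t)
    findings = []
    no_preauth = [e for e in events if e["EventID"] == 4768 and e["PreAuthType"] == 0]

    for e in no_preauth:
        user, ip = e["TargetUserName"], e["IpAddress"]
        # Rule 1: AS-REP issued without preauth to an account that should require it.
        if user not in KNOWN_NO_PREAUTH:
            findings.append(("preauth-disabled-unexpected", user, ip))
        # Rule 2: RC4 on a preauth-less AS-REP. Roasting tools request etype 23
        # because it is cheapest to crack; a domain-joined client with an
        # AES-capable account normally gets AES (assumed baseline).
        if e["TicketEncryptionType"] == RC4_HMAC:
            findings.append(("rc4-asrep", user, ip))

    # Rule 3: one client address collecting AS-REPs for many accounts = enumeration.
    by_ip = defaultdict(list)
    for e in no_preauth:
        by_ip[e["IpAddress"]].append(e)
    for ip, evs in by_ip.items():
        for i, first in enumerate(evs):
            targets = {x["TargetUserName"] for x in evs[i:] if _t(x) - _t(first) <= SPRAY_WINDOW}
            if len(targets) >= SPRAY_THRESHOLD:
                findings.append(("asreq-spray", ip, len(targets)))
                break

    # Rule 4: a 4769 for the same account from the same address soon after the
    # preauth-less 4768. Using the TGT needs the session key from the AS-REP
    # enc-part, so either the password was cracked or the account is in genuine
    # use from that host; triage against the allowlist.
    tgs = [s for s in events if s["EventID"] == 4769]
    for e in no_preauth:
        for s in tgs:
            same = s["TargetUserName"] == e["TargetUserName"] and s["IpAddress"] == e["IpAddress"]
            if same and timedelta(0) <= _t(s) - _t(e) <= TGS_WINDOW:
                findings.append(("tgs-after-asrep", e["TargetUserName"], s["ServiceName"]))
                break
    return findings


def rules_fired(events):
    return {f[0] for f in detect(events)}


# Constructed sample events (hypothetical hosts and accounts, not real log data).
SAMPLE_EVENTS = [
    {"EventID": 4768, "TimeCreated": "2024-03-01T09:00:00", "TargetUserName": "svc_legacy", "IpAddress": "10.0.0.50", "PreAuthType": 0, "TicketEncryptionType": 0x12},
    {"EventID": 4768, "TimeCreated": "2024-03-01T09:01:00", "TargetUserName": "svc_legacy", "IpAddress": "10.0.0.99", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"EventID": 4768, "TimeCreated": "2024-03-01T09:01:01", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.99", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"EventID": 4768, "TimeCreated": "2024-03-01T09:01:02", "TargetUserName": "svc_old",    "IpAddress": "10.0.0.99", "PreAuthType": 0, "TicketEncryptionType": 0x17},
    {"EventID": 4768, "TimeCreated": "2024-03-01T09:05:00", "TargetUserName": "jdoe",       "IpAddress": "10.0.0.20", "PreAuthType": 2, "TicketEncryptionType": 0x12},
    {"EventID": 4769, "TimeCreated": "2024-03-01T09:20:00", "TargetUserName": "svc_backup", "IpAddress": "10.0.0.99", "ServiceName": "cifs/fs01", "TicketEncryptionType": 0x12},
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

In the sample, the allowlisted svc_legacy logon from 10.0.0.50 with AES produces nothing, while 10.0.0.99 trips all four rules: it pulls RC4 AS-REPs for three accounts in two seconds, two of them not on the allowlist, and comes back for a service ticket as svc_backup twenty minutes later. Rule 1 alone would miss the allowlisted account being roasted, which is why the RC4 and spray rules are kept independent of the allowlist.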