T1558.004

AS-REP Roasting

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by password cracking Kerberos AS-REP messages. When preauthentication is disabled on an account (userAccountControl flag DONT_REQ_PREAUTH), an attacker can send an AS-REQ message without an encrypted timestamp and receive an AS-REP response containing a TGT encrypted with the target account's password hash. This encrypted blob can be taken offline and cracked with tools like Hashcat or John the Ripper. The attack is commonly executed with Rubeus (asreproast module) or Impacket's GetNPUsers.py. Unlike Kerberoasting, AS-REP Roasting does not require a valid domain account to initiate — an unauthenticated attacker can send AS-REQ messages directly to the KDC. Successfully cracked credentials enable persistence, privilege escalation, and lateral movement via valid account access.

Microsoft Sentinel / Defender

kusto

// Detection 1: AS-REP Roasting via Event ID 4768 — No Preauthentication Required
SecurityEvent
| where TimeGenerated > ago(1h)
| where EventID == 4768
| extend EventXml = parse_xml(EventData)
| extend TargetUserName = tostring(EventXml.EventData.Data[0]["#text"])
| extend TargetDomainName = tostring(EventXml.EventData.Data[1]["#text"])
| extend TicketOptions = tostring(EventXml.EventData.Data[4]["#text"])
| extend Status = tostring(EventXml.EventData.Data[5]["#text"])
| extend TicketEncryptionType = tostring(EventXml.EventData.Data[6]["#text"])
| extend PreAuthType = tostring(EventXml.EventData.Data[7]["#text"])
| extend IpAddress = tostring(EventXml.EventData.Data[9]["#text"])
| extend IpPort = tostring(EventXml.EventData.Data[10]["#text"])
// PreAuthType 0x0 = no preauthentication required (DONT_REQ_PREAUTH set)
| where PreAuthType == "0" or PreAuthType == "0x0"
// Exclude machine accounts — they typically have preauthentication disabled legitimately
| where not (TargetUserName endswith "$")
// Flag RC4 encryption requests (0x17=23) which are preferred for offline cracking
| extend WeakEncryption = TicketEncryptionType in ("0x17", "23", "0x18", "24")
| extend EncryptionLabel = case(
    TicketEncryptionType == "0x17" or TicketEncryptionType == "23", "RC4-HMAC (crackable)",
    TicketEncryptionType == "0x18" or TicketEncryptionType == "24", "RC4-HMAC-EXP (crackable)",
    TicketEncryptionType == "0x12" or TicketEncryptionType == "18", "AES256-CTS (crackable offline)",
    TicketEncryptionType == "0x11" or TicketEncryptionType == "17", "AES128-CTS",
    "Unknown"
  )
| project TimeGenerated, Computer, TargetUserName, TargetDomainName, IpAddress, IpPort,
           PreAuthType, TicketEncryptionType, EncryptionLabel, WeakEncryption, Status, TicketOptions
| sort by TimeGenerated desc
// --
// Detection 2: Bulk AS-REP Roasting — Multiple Accounts Requested From Single Source
// Run separately for bulk enumeration alerting
// SecurityEvent
// | where TimeGenerated > ago(1h)
// | where EventID == 4768
// | extend EventXml = parse_xml(EventData)
// | extend TargetUserName = tostring(EventXml.EventData.Data[0]["#text"])
// | extend PreAuthType = tostring(EventXml.EventData.Data[7]["#text"])
// | extend IpAddress = tostring(EventXml.EventData.Data[9]["#text"])
// | where PreAuthType == "0" or PreAuthType == "0x0"
// | where not (TargetUserName endswith "$")
// | summarize AccountsRoasted=dcount(TargetUserName), Accounts=make_set(TargetUserName), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by IpAddress
// | where AccountsRoasted >= 3
// | sort by AccountsRoasted desc

high severity high confidence

Data Sources

DS0026: Active Directory — Active Directory Credential Request Windows Security Event Log — Event ID 4768 Domain Controller Security Auditing

Required Tables

SecurityEvent

False Positives

Service accounts or application accounts that have preauthentication deliberately disabled for legacy application compatibility (older Kerberos implementations)
Vulnerability scanners (Tenable, Qualys, Rapid7) performing Kerberos configuration assessments against the domain
Privileged Access Workstations or jump servers legitimately authenticating to accounts where preauthentication is disabled for operational reasons
Kerberos monitoring tools or identity security products (CrowdStrike Identity, Semperis) that enumerate account configurations for reporting

Splunk

spl

| tstats summariesonly=false count min(_time) as firstTime max(_time) as lastTime
    from datamodel=Authentication
    where nodename=Authentication.Successful_Authentication
    by Authentication.src, Authentication.user, Authentication.dest
| eval placeholder="placeholder"

```
Alternative: Direct Event Log Search for AS-REP Roasting
```

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4768
| rex field=_raw "<Data Name='TargetUserName'>(?<TargetUserName>[^<]+)<"
| rex field=_raw "<Data Name='TargetDomainName'>(?<TargetDomainName>[^<]+)<"
| rex field=_raw "<Data Name='TicketEncryptionType'>(?<TicketEncryptionType>[^<]+)<"
| rex field=_raw "<Data Name='PreAuthType'>(?<PreAuthType>[^<]+)<"
| rex field=_raw "<Data Name='IpAddress'>(?<IpAddress>[^<]+)<"
| rex field=_raw "<Data Name='IpPort'>(?<IpPort>[^<]+)<"
| rex field=_raw "<Data Name='Status'>(?<Status>[^<]+)<"
| rex field=_raw "<Data Name='TicketOptions'>(?<TicketOptions>[^<]+)<"
// Filter for no preauthentication (DONT_REQ_PREAUTH = PreAuthType 0)
| where PreAuthType="0" OR PreAuthType="0x0"
// Exclude machine accounts
| where NOT match(TargetUserName, "\\$$")
// Tag encryption strength
| eval EncryptionLabel=case(
    TicketEncryptionType="0x17" OR TicketEncryptionType="23", "RC4-HMAC (crackable)",
    TicketEncryptionType="0x18" OR TicketEncryptionType="24", "RC4-HMAC-EXP (crackable)",
    TicketEncryptionType="0x12" OR TicketEncryptionType="18", "AES256-CTS (crackable offline)",
    TicketEncryptionType="0x11" OR TicketEncryptionType="17", "AES128-CTS",
    1=1, "Unknown-".TicketEncryptionType
  )
| eval WeakEncryption=if(TicketEncryptionType="0x17" OR TicketEncryptionType="23" OR TicketEncryptionType="0x18" OR TicketEncryptionType="24", 1, 0)
// Score: weak encryption + known roasting tools port patterns
| eval SeverityScore=if(WeakEncryption=1, 2, 1)
| table _time, host, TargetUserName, TargetDomainName, IpAddress, IpPort, PreAuthType, EncryptionLabel, WeakEncryption, Status, SeverityScore
| sort - SeverityScore, - _time

```
Bulk Enumeration Detection — Multiple accounts AS-REP roasted from same source
```

index=wineventlog sourcetype="WinEventLog:Security" EventCode=4768
| rex field=_raw "<Data Name='TargetUserName'>(?<TargetUserName>[^<]+)<"
| rex field=_raw "<Data Name='PreAuthType'>(?<PreAuthType>[^<]+)<"
| rex field=_raw "<Data Name='IpAddress'>(?<IpAddress>[^<]+)<"
| where PreAuthType="0" OR PreAuthType="0x0"
| where NOT match(TargetUserName, "\\$$")
| bucket _time span=10m
| stats dc(TargetUserName) as AccountsRoasted, values(TargetUserName) as Accounts, count as TotalRequests by _time, IpAddress
| where AccountsRoasted >= 3
| sort - AccountsRoasted

high severity high confidence

Data Sources

Windows Security Event Log — Event ID 4768 Domain Controller Event Forwarding WinEventLog:Security

Required Sourcetypes

WinEventLog:Security

False Positives

Service accounts or application accounts that have preauthentication deliberately disabled for legacy application compatibility
Vulnerability scanners performing Kerberos configuration assessments against the domain
Identity security monitoring tools that enumerate Kerberos-related account properties
Kerberos test accounts in lab or development environments where preauthentication is disabled for testing

Elastic Security (EQL)

eql

// Detection 1: AS-REP Roasting — Single Account, No Preauthentication (Event 4768)
any where event.provider == "Microsoft-Windows-Security-Auditing"
  and event.code == "4768"
  and winlog.event_data.PreAuthType == "0"
  and not winlog.event_data.TargetUserName : "*$"

// Optional enrichment fields available on matching events:
// winlog.event_data.TicketEncryptionType — 0x17/23 = RC4 (preferred for offline cracking)
// winlog.event_data.IpAddress            — source of the AS-REQ
// winlog.event_data.TargetDomainName     — target domain
// winlog.event_data.Status               — result code

// Detection 2: Bulk AS-REP Roasting — 3+ Unique Accounts from Same IP in 10 Minutes
// Use as a threshold/correlation rule in Kibana, or as an ES|QL aggregation:
// FROM logs-system.security-*
// | WHERE event.code == "4768"
//     AND winlog.event_data.PreAuthType == "0"
//     AND NOT ENDS_WITH(winlog.event_data.TargetUserName, "$")
// | STATS accounts_roasted = COUNT_DISTINCT(winlog.event_data.TargetUserName),
//         account_list = VALUES(winlog.event_data.TargetUserName)
//         BY winlog.event_data.IpAddress, BUCKET(@timestamp, 10 minutes)
// | WHERE accounts_roasted >= 3
// | SORT accounts_roasted DESC

high severity high confidence

Data Sources

Windows Security Event Log via Winlogbeat Windows Security Event Log via Elastic Agent (system integration) logs-system.security-* data stream

Required Tables

logs-system.security-* winlogbeat-* .ds-logs-system.security-*

False Positives

Legacy enterprise applications (SAP, Oracle E-Business Suite, older IBM middleware) that require DONT_REQ_PREAUTH on dedicated service accounts for compatibility with non-Windows Kerberos implementations — these generate consistent single-account events from known application server IPs
Unix/Linux or macOS systems joined to Active Directory via SSSD, Winbind, or Apple's AD plugin that use accounts with preauthentication disabled for cross-platform Kerberos compatibility
Authorised penetration testing or red team exercises explicitly targeting accounts configured with DONT_REQ_PREAUTH to validate detection coverage and incident response

IBM QRadar (AQL)

sql

-- Detection 1: AS-REP Roasting via Event 4768 — No Preauthentication Required
-- Requires Windows Security DSM with PreAuthType parsed as a custom property,
-- or the field is accessible via the parsed event data from the Microsoft Windows DSM.
SELECT
  DATEFORMAT(deviceTime, 'YYYY-MM-dd HH:mm:ss') AS "EventTime",
  sourceip AS "SourceIP",
  sourceport AS "SourcePort",
  username AS "TargetUserName",
  QIDNAME(qid) AS "EventName",
  CATEGORYNAME(category) AS "EventCategory",
  LOGSOURCENAME(logsourceid) AS "LogSource",
  "TargetDomainName",
  "TicketEncryptionType",
  "PreAuthType",
  "Status",
  "TicketOptions"
FROM events
WHERE
  LOGSOURCETYPENAME(logsourceid) = 'Microsoft Windows Security Event Log'
  AND QIDNAME(qid) LIKE '%Kerberos Authentication Service%'
  AND ("PreAuthType" = '0' OR "PreAuthType" = '0x0')
  AND username NOT LIKE '%$'
  AND deviceTime > NOW() - 3600000
ORDER BY deviceTime DESC
START '1 HOURS AGO'

-- Detection 2: Bulk Enumeration — 3+ Unique Accounts from Single Source in 10-Minute Bucket
-- SELECT
--   sourceip AS "SourceIP",
--   COUNT(DISTINCT username) AS "UniqueAccountsRoasted",
--   COUNT(*) AS "TotalRequests",
--   MIN(DATEFORMAT(deviceTime, 'YYYY-MM-dd HH:mm:ss')) AS "FirstSeen",
--   MAX(DATEFORMAT(deviceTime, 'YYYY-MM-dd HH:mm:ss')) AS "LastSeen"
-- FROM events
-- WHERE
--   LOGSOURCETYPENAME(logsourceid) = 'Microsoft Windows Security Event Log'
--   AND QIDNAME(qid) LIKE '%Kerberos Authentication Service%'
--   AND ("PreAuthType" = '0' OR "PreAuthType" = '0x0')
--   AND username NOT LIKE '%$'
--   AND deviceTime > NOW() - 3600000
-- GROUP BY sourceip,
--   TRUNCATE(LONG(deviceTime) / 600000)
-- HAVING COUNT(DISTINCT username) >= 3
-- ORDER BY "UniqueAccountsRoasted" DESC
-- START '1 HOURS AGO'

high severity high confidence

Data Sources

Microsoft Windows Security Event Log DSM QRadar Windows Agent (WinCollect) Microsoft Active Directory Domain Controller event logs

Required Tables

events (QRadar event pipeline)

False Positives

Accounts with DONT_REQ_PREAUTH intentionally enabled for legacy Kerberos client compatibility — MIT Kerberos on Linux, macOS enterprise AD environments — generating expected events from known infrastructure IPs
Enterprise middleware platforms (SAP NetWeaver, Oracle WebLogic) with service accounts configured for non-Windows Kerberos authentication that routinely generate Event 4768 with PreAuthType=0 from consistent server IPs
Authorised internal vulnerability scanning tools (Tenable Nessus, Qualys, Rapid7 InsightVM) running AD health checks that enumerate accounts with DONT_REQ_PREAUTH set

Sumo Logic CSE

sql

// Detection 1: AS-REP Roasting via Event 4768 — No Preauthentication
_sourceCategory=windows/security
| where EventCode = "4768"
| parse "<Data Name='TargetUserName'>*</Data>" as TargetUserName nodrop
| parse "<Data Name='TargetDomainName'>*</Data>" as TargetDomainName nodrop
| parse "<Data Name='TicketEncryptionType'>*</Data>" as TicketEncryptionType nodrop
| parse "<Data Name='PreAuthType'>*</Data>" as PreAuthType nodrop
| parse "<Data Name='IpAddress'>*</Data>" as IpAddress nodrop
| parse "<Data Name='IpPort'>*</Data>" as IpPort nodrop
| parse "<Data Name='Status'>*</Data>" as Status nodrop
| parse "<Data Name='TicketOptions'>*</Data>" as TicketOptions nodrop
| where PreAuthType = "0" or PreAuthType = "0x0"
| where TargetUserName != ""
| where !matches(TargetUserName, "*$")
| eval EncryptionLabel = if(TicketEncryptionType = "0x17" or TicketEncryptionType = "23", "RC4-HMAC (crackable)",
    if(TicketEncryptionType = "0x18" or TicketEncryptionType = "24", "RC4-HMAC-EXP (crackable)",
    if(TicketEncryptionType = "0x12" or TicketEncryptionType = "18", "AES256-CTS (crackable offline)",
    if(TicketEncryptionType = "0x11" or TicketEncryptionType = "17", "AES128-CTS", "Unknown"))))
| eval WeakEncryption = if(TicketEncryptionType = "0x17" or TicketEncryptionType = "23" or TicketEncryptionType = "0x18" or TicketEncryptionType = "24", "true", "false")
| eval SeverityScore = if(WeakEncryption = "true", 2, 1)
| fields _messageTime, _sourceHost, TargetUserName, TargetDomainName, IpAddress, IpPort, PreAuthType, EncryptionLabel, WeakEncryption, Status, SeverityScore
| sort by _messageTime desc

// Detection 2: Bulk Enumeration — 3+ Unique Accounts from Same IP in 10-Minute Timeslice
// _sourceCategory=windows/security
// | where EventCode = "4768"
// | parse "<Data Name='TargetUserName'>*</Data>" as TargetUserName nodrop
// | parse "<Data Name='PreAuthType'>*</Data>" as PreAuthType nodrop
// | parse "<Data Name='IpAddress'>*</Data>" as IpAddress nodrop
// | where PreAuthType = "0" or PreAuthType = "0x0"
// | where !matches(TargetUserName, "*$")
// | timeslice 10m
// | count_distinct(TargetUserName) as AccountsRoasted, values(TargetUserName) as Accounts by _timeslice, IpAddress
// | where AccountsRoasted >= 3
// | sort by AccountsRoasted desc

high severity high confidence

Data Sources

Sumo Logic Installed Collector with Windows Event Log Source (Security log) Sumo Logic OpenTelemetry Collector for Windows Windows Event Log forwarded via Sumo Logic Cloud-to-Cloud integration

Required Tables

_sourceCategory=windows/security (Windows Security Event Log)

False Positives

Enterprise applications (SAP, Oracle, legacy IBM products) that require preauthentication to be disabled on service accounts for compatibility with non-Windows Kerberos clients — these generate consistent single-account events from known application server hostnames
Unix/Linux or macOS hosts joined to Active Directory using SSSD or Winbind, where the AD account used for binding has DONT_REQ_PREAUTH set as a configuration requirement
Scheduled CI/CD or automation pipelines that authenticate sequentially against multiple AD service accounts with preauthentication disabled, appearing as high-frequency events from a single pipeline server IP

Google Chronicle / SecOps

yaral

// Detection 1: AS-REP Roasting — Single Account, No Preauthentication
rule asrep_roasting_no_preauth {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects AS-REP Roasting via Kerberos AS-REQ without preauthentication (Windows Event 4768, PreAuthType=0). Indicates DONT_REQ_PREAUTH is set on the target account, allowing unauthenticated TGT retrieval for offline cracking."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558.004"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1558/004/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "4768"
    $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    $e.target.user.attribute.labels["PreAuthType"] = "0"
    not re.match($e.target.user.userid, `.*\$`)

  condition:
    $e
}

// Detection 2: Bulk AS-REP Roasting — 3+ Unique Accounts from Same Source in 10 Minutes
rule asrep_roasting_bulk_enumeration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects bulk AS-REP Roasting where a single source IP requests AS-REP tickets for 3 or more distinct non-machine accounts within a 10-minute window. Characteristic of Rubeus asreproast or Impacket GetNPUsers.py targeting multiple accounts."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558.004"
    severity = "CRITICAL"
    priority = "CRITICAL"
    reference = "https://attack.mitre.org/techniques/T1558/004/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "4768"
    $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    $e.target.user.attribute.labels["PreAuthType"] = "0"
    not re.match($e.target.user.userid, `.*\$`)
    $src_ip = $e.principal.ip
    $victim = $e.target.user.userid

  match:
    $src_ip over 10m

  outcome:
    $account_count = count_distinct($victim)
    $total_requests = count($e)
    $accounts_list = array_distinct($victim)

  condition:
    #e >= 3 and $account_count >= 3
}

high severity high confidence

Data Sources

Google Chronicle SIEM with Windows Security Event Log ingestion via Chronicle Forwarder Microsoft Active Directory Domain Controller events forwarded to Chronicle Chronicle Unified Data Model (UDM) — USER_RESOURCE_ACCESS events

Required Tables

UDM events: metadata.event_type=USER_RESOURCE_ACCESS, metadata.product_event_type=4768

False Positives

Legitimate service accounts with DONT_REQ_PREAUTH configured for cross-platform Kerberos compatibility (Linux/macOS clients using MIT Kerberos) generating single-account events from known, consistent source IPs that can be allowlisted in the rule
Enterprise application middleware (SAP application servers, Oracle WebLogic clusters) where multiple service accounts on the same server have preauthentication disabled, potentially triggering the bulk enumeration rule during application startup or token refresh cycles
Authorised internal security assessments using tools like PingCastle or Purple Knight that enumerate AD account flags including DONT_REQ_PREAUTH as part of a scheduled AD health review

CrowdStrike LogScale (CQL)

cql

// Detection 1: AS-REP Roasting via Windows Security Event 4768
// Requires CrowdStrike Falcon EventForwarder or Windows Security Event Log collection enabled on DCs
EventCode = "4768"
| PreAuthType = /^(0|0x0)$/
| !match(TargetUserName, regex=".*\\$$")
| EncryptionLabel := case {
    TicketEncryptionType = "0x17" | "RC4-HMAC (crackable)";
    TicketEncryptionType = "23"   | "RC4-HMAC (crackable)";
    TicketEncryptionType = "0x18" | "RC4-HMAC-EXP (crackable)";
    TicketEncryptionType = "24"   | "RC4-HMAC-EXP (crackable)";
    TicketEncryptionType = "0x12" | "AES256-CTS (crackable offline)";
    TicketEncryptionType = "18"   | "AES256-CTS (crackable offline)";
    TicketEncryptionType = "0x11" | "AES128-CTS";
    TicketEncryptionType = "17"   | "AES128-CTS";
    *                             | "Unknown"
  }
| WeakEncryption := if(
    TicketEncryptionType = "0x17" or TicketEncryptionType = "23" or
    TicketEncryptionType = "0x18" or TicketEncryptionType = "24",
    true(), false()
  )
| table(
    [_time, ComputerName, TargetUserName, TargetDomainName, IpAddress, IpPort,
     PreAuthType, EncryptionLabel, WeakEncryption, Status, TicketOptions],
    sortby=_time, order=desc
  )

// Detection 2: Bulk AS-REP Roasting — 3+ Unique Accounts from Same Source in 10-Minute Window
// EventCode = "4768"
// | PreAuthType = /^(0|0x0)$/
// | !match(TargetUserName, regex=".*\\$$")
// | bucket(field=_time, span=10min)
// | groupBy(
//     [_time, IpAddress],
//     function=[
//       count(TargetUserName, as=TotalRequests),
//       count(TargetUserName, distinct=true, as=UniqueAccounts),
//       collect(TargetUserName, as=AccountsList)
//     ]
//   )
// | UniqueAccounts >= 3
// | sort(UniqueAccounts, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon EventForwarder (Windows Security Events from DCs) CrowdStrike Falcon LogScale with Windows Event Log collection CrowdStrike Falcon sensor on Active Directory Domain Controllers

Required Tables

Windows Security Event Log (EventCode=4768) ingested via Falcon EventForwarder or LogScale collector

False Positives

Service accounts with DONT_REQ_PREAUTH enabled for cross-platform Kerberos compatibility (Linux/macOS AD-joined hosts, MIT Kerberos clients) generating routine single-account events from known static IPs that should be baselined and excluded
Enterprise application servers (SAP, Oracle middleware) that authenticate multiple service accounts with preauthentication disabled from the same server IP during startup or scheduled tasks, potentially triggering the bulk enumeration threshold
Authorised red team or internal penetration testing exercises targeting AD accounts with DONT_REQ_PREAUTH set — confirm with security team before escalating based on known testing windows

Last updated: 2026-04-13 Research depth: deep

References (10)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1558.004 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Parent Technique

T1558Steal or Forge Kerberos Tickets

Related Sub-techniques

T1558.001Golden Ticket T1558.002Silver Ticket T1558.003Kerberoasting T1558.005Ccache Files

AS-REP Roasting

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Credential Access

Popular Detections