Detect AS-REP Roasting in Google Chronicle
Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by password cracking Kerberos AS-REP messages. When preauthentication is disabled on an account (userAccountControl flag DONT_REQ_PREAUTH), an attacker can send an AS-REQ message without an encrypted timestamp and receive an AS-REP response containing a TGT encrypted with the target account's password hash. This encrypted blob can be taken offline and cracked with tools like Hashcat or John the Ripper. The attack is commonly executed with Rubeus (asreproast module) or Impacket's GetNPUsers.py. Unlike Kerberoasting, AS-REP Roasting does not require a valid domain account to initiate — an unauthenticated attacker can send AS-REQ messages directly to the KDC. Successfully cracked credentials enable persistence, privilege escalation, and lateral movement via valid account access.
MITRE ATT&CK
- Tactic: Credential Access
- Technique: T1558 Steal or Forge Kerberos Tickets
- Sub-technique: T1558.004 AS-REP Roasting
- Canonical reference: https://attack.mitre.org/techniques/T1558/004/
YARA-L Detection Query
```yaral
// Detection 1: AS-REP Roasting — Single Account, No Preauthentication
rule asrep_roasting_no_preauth {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects AS-REP Roasting via Kerberos AS-REQ without preauthentication (Windows Event 4768, PreAuthType=0). Indicates DONT_REQ_PREAUTH is set on the target account, allowing unauthenticated TGT retrieval for offline cracking."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558.004"
    severity = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1558/004/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "4768"
    $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    // PreAuthType 0 = the AS-REQ carried no pre-authentication data
    $e.target.user.attribute.labels["PreAuthType"] = "0"
    // Exclude machine accounts (names ending in "$"); YARA-L 2.0 regex matching is re.regex()
    not re.regex($e.target.user.userid, `.*\$`)

  condition:
    $e
}

// Detection 2: Bulk AS-REP Roasting — 3+ Unique Accounts from Same Source in 10 Minutes
rule asrep_roasting_bulk_enumeration {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects bulk AS-REP Roasting where a single source IP requests AS-REP tickets for 3 or more distinct non-machine accounts within a 10-minute window. Characteristic of Rubeus asreproast or Impacket GetNPUsers.py targeting multiple accounts."
    mitre_attack_tactic = "Credential Access"
    mitre_attack_technique = "T1558.004"
    severity = "CRITICAL"
    priority = "CRITICAL"
    reference = "https://attack.mitre.org/techniques/T1558/004/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_event_type = "4768"
    $e.metadata.product_name = "Microsoft-Windows-Security-Auditing"
    $e.target.user.attribute.labels["PreAuthType"] = "0"
    not re.regex($e.target.user.userid, `.*\$`)
    // Group by requesting source IP; collect the requested account names
    $src_ip = $e.principal.ip
    $victim = $e.target.user.userid

  match:
    $src_ip over 10m

  outcome:
    $account_count = count_distinct($victim)
    $total_requests = count($e)
    $accounts_list = array_distinct($victim)

  condition:
    #e >= 3 and $account_count >= 3
}
```

Google Chronicle YARA-L 2.0 rules detecting AS-REP Roasting via UDM event mapping of Windows Security Event 4768. Rule 1 (asrep_roasting_no_preauth) catches any single-account attempt with PreAuthType=0. Rule 2 (asrep_roasting_bulk_enumeration) uses the match/outcome/condition aggregation pattern to detect bulk enumeration from a single source IP over a 10-minute sliding window, raising severity to CRITICAL for campaign-level activity consistent with Rubeus or Impacket tooling.
False Positives & Tuning
- Legitimate service accounts with DONT_REQ_PREAUTH configured for cross-platform Kerberos compatibility (Linux/macOS clients using MIT Kerberos) generating single-account events from known, consistent source IPs that can be allowlisted in the rule
- Enterprise application middleware (SAP application servers, Oracle WebLogic clusters) where multiple service accounts on the same server have preauthentication disabled, potentially triggering the bulk enumeration rule during application startup or token refresh cycles
- Authorised internal security assessments using tools like PingCastle or Purple Knight that enumerate AD account flags including DONT_REQ_PREAUTH as part of a scheduled AD health review
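To make the two rules above and the allowlist tuning concrete outside Chronicle, here is an added Python reference implementation (not Argus's code, nor anything the page ships) that runs the same single-account and bulk-enumeration logic over a constructed batch of Event 4768 records. The record layout (`ts`, `src_ip`, `user`, `pre_auth_type`, `enc_type`), the sample events and the `ALLOWLIST` of known cross-platform service accounts are all assumptions for the example; a real pipeline would feed it UDM-normalised events instead.

```python
"""Plain-Python equivalent of the two YARA-L rules, plus the source-IP/account
allowlist suggested in the tuning notes. Added example, not Chronicle code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records standing in for UDM-normalised Windows Event 4768.
# enc_type is carried because the expected telemetry lists it (0x17 = RC4),
# but neither rule filters on it.
SAMPLE_EVENTS = [
    # normal logon with preauth (PreAuthType 2 = encrypted timestamp): ignored
    {"ts": "2024-05-01T09:00:00", "src_ip": "10.0.0.5", "user": "alice", "pre_auth_type": "2", "enc_type": "0x12"},
    # machine account without preauth: excluded by the trailing-"$" filter
    {"ts": "2024-05-01T09:00:05", "src_ip": "10.0.0.5", "user": "WS01$", "pre_auth_type": "0", "enc_type": "0x17"},
    # legacy MIT Kerberos client from a known IP: suppressed by the allowlist
    {"ts": "2024-05-01T09:00:10", "src_ip": "10.0.0.50", "user": "svc_legacy", "pre_auth_type": "0", "enc_type": "0x17"},
    # burst of no-preauth requests for distinct accounts from one source
    {"ts": "2024-05-01T09:10:00", "src_ip": "10.0.0.99", "user": "bob", "pre_auth_type": "0", "enc_type": "0x17"},
    {"ts": "2024-05-01T09:11:00", "src_ip": "10.0.0.99", "user": "carol", "pre_auth_type": "0", "enc_type": "0x17"},
    {"ts": "2024-05-01T09:12:00", "src_ip": "10.0.0.99", "user": "dave", "pre_auth_type": "0", "enc_type": "0x17"},
    {"ts": "2024-05-01T09:12:30", "src_ip": "10.0.0.99", "user": "bob", "pre_auth_type": "0", "enc_type": "0x17"},
    # same source, but 48 minutes later: outside any 10-minute window
    {"ts": "2024-05-01T10:00:00", "src_ip": "10.0.0.99", "user": "erin", "pre_auth_type": "0", "enc_type": "0x17"},
]

# Hypothetical allowlist of (source IP, account) pairs for accounts that
# legitimately have DONT_REQ_PREAUTH set (e.g. MIT Kerberos clients).
ALLOWLIST = {("10.0.0.50", "svc_legacy")}


def is_roast_candidate(ev, allowlist=ALLOWLIST):
    """Rule 1 predicate: PreAuthType 0, not a machine account, not allowlisted."""
    if ev["pre_auth_type"] != "0":
        return False
    if ev["user"].endswith("$"):          # mirrors: not re.regex(userid, `.*\$`)
        return False
    return (ev["src_ip"], ev["user"]) not in allowlist


def single_account_alerts(events, allowlist=ALLOWLIST):
    """Rule 1 equivalent: one alert per qualifying 4768 event."""
    return [ev for ev in events if is_roast_candidate(ev, allowlist)]


def bulk_enumeration_alerts(events, window=timedelta(minutes=10),
                            min_accounts=3, allowlist=ALLOWLIST):
    """Rule 2 equivalent: per source IP, a sliding window of `window` length
    must contain >= 3 events naming >= min_accounts distinct accounts.
    Returns {src_ip: sorted distinct accounts in the densest window}."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if is_roast_candidate(ev, allowlist):
            by_src[ev["src_ip"]].append((datetime.fromisoformat(ev["ts"]), ev["user"]))

    alerts = {}
    for src, items in by_src.items():
        best, start = set(), 0
        for end in range(len(items)):
            # advance the window start until it spans at most `window`
            while items[end][0] - items[start][0] > window:
                start += 1
            in_window = items[start:end + 1]
            accounts = {user for _, user in in_window}
            # condition: #e >= 3 and $account_count >= 3
            if len(in_window) >= 3 and len(accounts) >= min_accounts and len(accounts) > len(best):
                best = accounts
        if best:
            alerts[src] = sorted(best)
    return alerts


if __name__ == "__main__":
    for ev in single_account_alerts(SAMPLE_EVENTS):
        print(f"HIGH     single-account: {ev['src_ip']} -> {ev['user']} at {ev['ts']}")
    for src, accounts in bulk_enumeration_alerts(SAMPLE_EVENTS).items():
        print(f"CRITICAL bulk enumeration: {src} -> {accounts}")
```

With the constructed input, the single-account rule fires five times (the four requests from 10.0.0.99 within the window plus the later one for `erin`), while the machine account and the allowlisted legacy client are suppressed; the bulk rule fires once, for 10.0.0.99 with `bob`, `carol` and `dave`. Passing `allowlist=set()` shows the effect of the tuning note: the legacy client then produces a single-account alert but still never reaches the bulk threshold on its own.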
Testing Methodology
Validate this detection against the four adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: AS-REP Roasting with Rubeus
Expected signal: Domain Controller Security Event ID 4768 for each roasted account with PreAuthType=0x0 and TicketEncryptionType=0x17 (RC4). Source IpAddress will be the attacking machine's IP. Sysmon Event ID 1 on attacking host: Process Create for Rubeus.exe with CommandLine containing 'asreproast'. Sysmon Event ID 3: network connections from Rubeus.exe to DC port 88 (Kerberos).
- Test 2: AS-REP Roasting with Impacket GetNPUsers.py
Expected signal: Domain Controller Security Event ID 4768 for the target account with PreAuthType=0x0 and TicketEncryptionType=0x17. Source IpAddress will be the Linux/external attacking host's IP. No process creation event on the DC itself. If the attack originates from outside the domain, IpAddress will be a non-domain IP, which is a high-confidence indicator.
- Test 3: PowerShell LDAP Enumeration of DONT_REQ_PREAUTH Accounts
Expected signal: Sysmon Event ID 1: PowerShell process creation with CommandLine containing 'DoesNotRequirePreAuth' or '4194304'. Domain Controller Event ID 4662 with ObjectType containing 'user' and AccessMask 0x10 (read property) — may generate many events. PowerShell ScriptBlock Log Event ID 4104 with the LDAP filter content.
- Test 4: Manual AS-REQ without Preauthentication via PowerShell
Expected signal: Domain Controller Security Event ID 4768 for 'df00tech-asrep-test' with PreAuthType=0x0 and TicketEncryptionType=0x17. Security Event ID 4738 when preauthentication is disabled/re-enabled on the account. Rubeus.exe process creation (Sysmon Event ID 1) and network connection to DC port 88 (Sysmon Event ID 3).
References
- https://attack.mitre.org/techniques/T1558/004/
- https://blog.harmj0y.net/activedirectory/roasting-as-reps/
- https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- https://github.com/GhostPack/Rubeus
- https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py
- https://adsecurity.org/?p=2293
- https://redsiege.com/kerberoast-slides