Detect AS-REP Roasting in Splunk
Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by password cracking Kerberos AS-REP messages. When preauthentication is disabled on an account (userAccountControl flag DONT_REQ_PREAUTH), an attacker can send an AS-REQ message without an encrypted timestamp and receive an AS-REP response containing a TGT encrypted with the target account's password hash. This encrypted blob can be taken offline and cracked with tools like Hashcat or John the Ripper. The attack is commonly executed with Rubeus (asreproast module) or Impacket's GetNPUsers.py. Unlike Kerberoasting, AS-REP Roasting does not require a valid domain account to initiate — an unauthenticated attacker can send AS-REQ messages directly to the KDC. Successfully cracked credentials enable persistence, privilege escalation, and lateral movement via valid account access.
MITRE ATT&CK
- Tactic
- Credential Access
- Technique
- T1558 Steal or Forge Kerberos Tickets
- Sub-technique
- T1558.004 AS-REP Roasting
- Canonical reference
- https://attack.mitre.org/techniques/T1558/004/
SPL Detection Query
| tstats summariesonly=false count min(_time) as firstTime max(_time) as lastTime
from datamodel=Authentication
where nodename=Authentication.Successful_Authentication
by Authentication.src, Authentication.user, Authentication.dest
| eval placeholder="placeholder"
```
Alternative: Direct Event Log Search for AS-REP Roasting
```
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4768
| rex field=_raw "<Data Name='TargetUserName'>(?<TargetUserName>[^<]+)<"
| rex field=_raw "<Data Name='TargetDomainName'>(?<TargetDomainName>[^<]+)<"
| rex field=_raw "<Data Name='TicketEncryptionType'>(?<TicketEncryptionType>[^<]+)<"
| rex field=_raw "<Data Name='PreAuthType'>(?<PreAuthType>[^<]+)<"
| rex field=_raw "<Data Name='IpAddress'>(?<IpAddress>[^<]+)<"
| rex field=_raw "<Data Name='IpPort'>(?<IpPort>[^<]+)<"
| rex field=_raw "<Data Name='Status'>(?<Status>[^<]+)<"
| rex field=_raw "<Data Name='TicketOptions'>(?<TicketOptions>[^<]+)<"
// Filter for no preauthentication (DONT_REQ_PREAUTH = PreAuthType 0)
| where PreAuthType="0" OR PreAuthType="0x0"
// Exclude machine accounts
| where NOT match(TargetUserName, "\\$$")
// Tag encryption strength
| eval EncryptionLabel=case(
TicketEncryptionType="0x17" OR TicketEncryptionType="23", "RC4-HMAC (crackable)",
TicketEncryptionType="0x18" OR TicketEncryptionType="24", "RC4-HMAC-EXP (crackable)",
TicketEncryptionType="0x12" OR TicketEncryptionType="18", "AES256-CTS (crackable offline)",
TicketEncryptionType="0x11" OR TicketEncryptionType="17", "AES128-CTS",
1=1, "Unknown-".TicketEncryptionType
)
| eval WeakEncryption=if(TicketEncryptionType="0x17" OR TicketEncryptionType="23" OR TicketEncryptionType="0x18" OR TicketEncryptionType="24", 1, 0)
// Score: weak encryption + known roasting tools port patterns
| eval SeverityScore=if(WeakEncryption=1, 2, 1)
| table _time, host, TargetUserName, TargetDomainName, IpAddress, IpPort, PreAuthType, EncryptionLabel, WeakEncryption, Status, SeverityScore
| sort - SeverityScore, - _time
```
Bulk Enumeration Detection — Multiple accounts AS-REP roasted from same source
```
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4768
| rex field=_raw "<Data Name='TargetUserName'>(?<TargetUserName>[^<]+)<"
| rex field=_raw "<Data Name='PreAuthType'>(?<PreAuthType>[^<]+)<"
| rex field=_raw "<Data Name='IpAddress'>(?<IpAddress>[^<]+)<"
| where PreAuthType="0" OR PreAuthType="0x0"
| where NOT match(TargetUserName, "\\$$")
| bucket _time span=10m
| stats dc(TargetUserName) as AccountsRoasted, values(TargetUserName) as Accounts, count as TotalRequests by _time, IpAddress
| where AccountsRoasted >= 3
| sort - AccountsRoastedDetects AS-REP Roasting via Windows Security Event ID 4768 (Kerberos TGT Requested) by parsing EventData XML fields for PreAuthType=0 (no preauthentication required). Uses rex to extract structured fields from raw XML. Tags encryption types to identify RC4-HMAC requests (preferred by attackers for offline cracking speed). The bulk enumeration block identifies automated tooling scanning multiple accounts within a 10-minute window from the same source IP — a pattern characteristic of Rubeus asreproast and Impacket GetNPUsers.py. Requires Security Event logging on Domain Controllers with 'Audit Kerberos Authentication Service' enabled.
Data Sources
Required Sourcetypes
False Positives & Tuning
- Service accounts or application accounts that have preauthentication deliberately disabled for legacy application compatibility
- Vulnerability scanners performing Kerberos configuration assessments against the domain
- Identity security monitoring tools that enumerate Kerberos-related account properties
- Kerberos test accounts in lab or development environments where preauthentication is disabled for testing
Other platforms for T1558.004
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AS-REP Roasting with Rubeus
Expected signal: Domain Controller Security Event ID 4768 for each roasted account with PreAuthType=0x0 and TicketEncryptionType=0x17 (RC4). Source IpAddress will be the attacking machine's IP. Sysmon Event ID 1 on attacking host: Process Create for Rubeus.exe with CommandLine containing 'asreproast'. Sysmon Event ID 3: network connections from Rubeus.exe to DC port 88 (Kerberos).
- Test 2AS-REP Roasting with Impacket GetNPUsers.py
Expected signal: Domain Controller Security Event ID 4768 for the target account with PreAuthType=0x0 and TicketEncryptionType=0x17. Source IpAddress will be the Linux/external attacking host's IP. No process creation event on the DC itself. If the attack originates from outside the domain, IpAddress will be a non-domain IP, which is a high-confidence indicator.
- Test 3PowerShell LDAP Enumeration of DONT_REQ_PREAUTH Accounts
Expected signal: Sysmon Event ID 1: PowerShell process creation with CommandLine containing 'DoesNotRequirePreAuth' or '4194304'. Domain Controller Event ID 4662 with ObjectType containing 'user' and AccessMask 0x10 (read property) — may generate many events. PowerShell ScriptBlock Log Event ID 4104 with the LDAP filter content.
- Test 4Manual AS-REQ without Preauthentication via PowerShell
Expected signal: Domain Controller Security Event ID 4768 for 'df00tech-asrep-test' with PreAuthType=0x0 and TicketEncryptionType=0x17. Security Event ID 4738 when preauthentication is disabled/re-enabled on the account. Rubeus.exe process creation (Sysmon Event ID 1) and network connection to DC port 88 (Sysmon Event ID 3).
References (10)
- https://attack.mitre.org/techniques/T1558/004/
- https://blog.harmj0y.net/activedirectory/roasting-as-reps/
- https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/
- https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768
- https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx
- https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/
- https://github.com/GhostPack/Rubeus
- https://github.com/fortra/impacket/blob/master/examples/GetNPUsers.py
- https://adsecurity.org/?p=2293
- https://redsiege.com/kerberoast-slides
Unlock Pro Content
Get the full detection package for T1558.004 including response playbook, investigation guide, and atomic red team tests.