title: AS-REP Roasting (T1558.004)
id: df00tech-t1558-004
status: experimental
description: "Adversaries may reveal credentials of accounts that have Kerberos preauthentication disabled by password cracking Kerberos AS-REP messages. When preauthentication is disabled on an account (userAccountControl flag DONT_REQ_PREAUTH, 0x400000), an attacker can send an AS-REQ for that account with no encrypted timestamp and receive an AS-REP whose enc-part is encrypted with a key derived from the account's password. That enc-part, not the TGT inside the AS-REP (which is encrypted with the krbtgt key), is the crackable blob: it can be taken offline and cracked with Hashcat (mode 18200 for the RC4 / etype 23 form) or John the Ripper (krb5asrep format). Attacker tools request RC4 by default because it is the cheapest encryption type to crack. The attack is commonly executed with Rubeus (asreproast module) or Impacket's GetNPUsers.py. Unlike Kerberoasting, AS-REP Roasting does not require a valid domain account to initiate: an unauthenticated attacker can send AS-REQ messages directly to the KDC, although without credentials the attacker must already know or guess the target usernames (for example from a wordlist), since enumerating the DONT_REQ_PREAUTH flag over LDAP requires authentication. Successfully cracked credentials enable persistence, privilege escalation, and lateral movement via valid account access."
references:
  - https://attack.mitre.org/techniques/T1558/004/
  - https://df00tech.com/detections/T1558.004
author: df00tech
date: 2026/04/13
tags:
  - attack.t1558.004
# NOTE: logsource and selection were adjusted from the auto-derived placeholder (which matched every event);
# verify field names against your log pipeline.
logsource:
  product: windows
  service: security
detection:
  # Core indicator: Event 4768 (Kerberos authentication ticket requested) that succeeded
  # (Status 0x0) although no preauthentication was used (PreAuthType 0). That pairing only
  # occurs for accounts with DONT_REQ_PREAUTH set. Rubeus and GetNPUsers.py request RC4
  # (TicketEncryptionType 0x17) by default, so that clause narrows the match but will miss
  # a roaster that negotiates AES; drop it for broader coverage. See also the KQL/SPL query on df00tech.
  selection:
    EventID: 4768
    PreAuthType: '0'
    Status: '0x0'
    TicketEncryptionType: '0x17'
  condition: selection
falsepositives:
  - Service accounts or application accounts that have preauthentication deliberately disabled for legacy application compatibility (older Kerberos implementations)
  - "Vulnerability scanners (Tenable, Qualys, Rapid7) performing Kerberos configuration assessments against the domain"
  - Privileged Access Workstations or jump servers legitimately authenticating to accounts where preauthentication is disabled for operational reasons
  - "Kerberos monitoring tools or identity security products (CrowdStrike Identity, Semperis) that enumerate account configurations for reporting"
level: high

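Detection logic for the indicator above, run over constructed Event 4768 records. This is an added example, not part of the df00tech rule or any df00tech query. The event dictionaries, account names and IP addresses are constructed; the `min_accounts` threshold and the `KNOWN_LEGACY_PAIRS` allowlist are illustrative tuning knobs, not values the rule prescribes. It goes beyond the single-event match by grouping no-preauth TGTs per source address, since an unauthenticated roaster working from a username list touches many accounts from one host while a legacy application host touches its one account.

```python
"""AS-REP Roasting detection over Windows Security Event 4768 records.

Added example: the indicator is a successful TGT request (Status 0x0) that used
no preauthentication (PreAuthType 0). That pairing only happens for accounts with
DONT_REQ_PREAUTH set. A second pass groups hits by source address to separate a
username-list spray from a single legacy application account.
"""
from collections import defaultdict

# Constructed sample records shaped like the fields of Event ID 4768. Not real telemetry.
SAMPLE_EVENTS = [
    # One source requesting TGTs for several pre-auth-disabled accounts with RC4:
    # what Rubeus asreproast / GetNPUsers.py produce by default.
    {"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "svc_backup", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    {"EventID": 4768, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Same source, but the KDC answered with AES (0x12); still a roastable AS-REP.
    {"EventID": 4768, "TargetUserName": "svc_report", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # Guessed username that does not exist: 0x6 = KDC_ERR_C_PRINCIPAL_UNKNOWN.
    {"EventID": 4768, "TargetUserName": "admin2", "IpAddress": "::ffff:10.0.0.50",
     "PreAuthType": "-", "TicketEncryptionType": "0xffffffff", "Status": "0x6"},
    # Normal logon: preauthentication used (2 = PA-ENC-TIMESTAMP), AES.
    {"EventID": 4768, "TargetUserName": "asmith", "IpAddress": "::ffff:10.0.1.12",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "Status": "0x0"},
    # Legitimate legacy application host using its one pre-auth-disabled account.
    {"EventID": 4768, "TargetUserName": "svc_legacy", "IpAddress": "::ffff:10.0.2.7",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "Status": "0x0"},
    # Service ticket request (4769), not a TGT request; out of scope.
    {"EventID": 4769, "TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.1.12",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
]

# (account, source) pairs known to use a pre-auth-disabled account for a legacy
# application (the first false-positive case in the rule). Constructed allowlist.
KNOWN_LEGACY_PAIRS = frozenset({("svc_legacy", "::ffff:10.0.2.7")})


def is_roast_candidate(ev, require_rc4=True):
    """True if ev records a TGT issued without preauthentication.

    require_rc4 mirrors the TicketEncryptionType 0x17 clause of the rule: tighter,
    but blind to a roaster that negotiates AES.
    """
    if ev.get("EventID") != 4768:
        return False
    if ev.get("Status") != "0x0":        # only an issued TGT yields a crackable enc-part
        return False
    if ev.get("PreAuthType") != "0":     # 0 = no preauthentication data in the AS-REQ
        return False
    if require_rc4 and ev.get("TicketEncryptionType") != "0x17":
        return False
    return True


def find_candidates(events, require_rc4=True, allowlist=frozenset()):
    """All roast candidates, minus (account, source) pairs explicitly allowlisted."""
    return [
        ev for ev in events
        if is_roast_candidate(ev, require_rc4)
        and (ev["TargetUserName"], ev["IpAddress"]) not in allowlist
    ]


def spray_sources(events, min_accounts=2, require_rc4=True):
    """Sources that obtained no-preauth TGTs for at least min_accounts distinct accounts.

    Many accounts from one host is the shape of a username-list attack; one account
    from one host is what a legacy application looks like. The threshold is illustrative.
    """
    by_src = defaultdict(set)
    for ev in find_candidates(events, require_rc4):
        by_src[ev["IpAddress"]].add(ev["TargetUserName"])
    return {src: sorted(users) for src, users in by_src.items() if len(users) >= min_accounts}


def failed_lookups_by_source(events):
    """Count 4768 failures with KDC_ERR_C_PRINCIPAL_UNKNOWN (0x6) per source.

    A roaster working from a wordlist leaves these next to its hits.
    """
    counts = defaultdict(int)
    for ev in events:
        if ev.get("EventID") == 4768 and ev.get("Status") == "0x6":
            counts[ev["IpAddress"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in find_candidates(SAMPLE_EVENTS, allowlist=KNOWN_LEGACY_PAIRS):
        print("no-preauth TGT:", ev["TargetUserName"], "from", ev["IpAddress"])
    print("spraying sources:", spray_sources(SAMPLE_EVENTS))
    print("unknown-principal failures:", failed_lookups_by_source(SAMPLE_EVENTS))
```

The per-source grouping is what keeps the rule at `level: high` usable: the single-event match fires on every legitimate use of a pre-auth-disabled legacy account, while the grouped view and the `(account, source)` allowlist leave only sources that collect no-preauth TGTs across accounts they have no business touching.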