Full Report
Think your passwords are strong enough? AS-REP Roasting is back in the spotlight — and it's targeting weak spots in Active Directory. Learn more from Specops Software how attackers exploit missing Kerberos pre-auth and how to stop them with strong password policies. [...]
Analysis Summary
# Tool/Technique: Kerberos AS-REP Roasting Attacks
## Overview
Kerberos AS-REP Roasting is an offline password attack technique targeting the Active Directory (AD) authentication protocol, specifically the Authentication Service Reply (AS-REP) message. This attack is used to compromise user credentials by obtaining encrypted tickets that can be cracked offline to reveal passwords, provided the targeted user accounts do not have pre-authentication enabled.
## Technical Details
- Type: Technique (Password Attack)
- Platform: Microsoft Active Directory environments (Windows Servers and clients).
- Capabilities: Allows for the offline cracking of user passwords for accounts whose Kerberos pre-authentication is disabled.
- First Seen: Exploiting weaknesses in Kerberos is a long-standing idea; AS-REP Roasting as a named, widely used technique gained prominence once it was documented and implemented in tools such as Rubeus and Impacket.
## MITRE ATT&CK Mapping
- **TA0006 - Credential Access**
- **T1558 - Steal or Forge Kerberos Tickets**
- **T1558.004 - AS-REP Roasting**
- **T1558.003 - Kerberoasting** (a distinct sub-technique, but both target Kerberos authentication artifacts)
- **TA0002 - Execution** (if the tool that performs the attack is run as part of an initial compromise chain)
*(Note: Kerberoasting targets the TGS-REP, whereas AS-REP Roasting targets the AS-REP. Both fall under Credential Access via Kerberos mechanisms.)*
## Functionality
### Core Capabilities
- **Requesting AS-REP Messages:** An attacker sends an AS-REQ for each target account that has pre-authentication disabled; the KDC answers with an AS-REP without first verifying that the requester knows the account's password.
- **Offline Cracking:** The AS-REP contains a portion encrypted with a key derived from the account's password. That encrypted blob can be subjected to dictionary or brute-force attacks offline, with no further interaction with the domain controller.
### Advanced Features
- **Targeting specific accounts:** The technique targets accounts on which the "Do not require preauthentication for this user" flag has been set (the `DONT_REQ_PREAUTH` bit of `userAccountControl`); that setting is what makes them vulnerable.
- **Low noise:** The attack does not require authenticating or establishing a session; it relies on standard Kerberos requests that can look legitimate in network traffic monitoring unless closely scrutinized.
## Indicators of Compromise
- File Hashes: N/A (Technique, not static malware)
- File Names: Tools used to perform this, such as `Rubeus.exe` or scripts from the `Impacket` suite (e.g., `GetNPUsers.py`; `GetUserSPNs.py` is the Kerberoasting counterpart).
- Registry Keys: N/A
- Network Indicators: Numerous, repetitive Kerberos Authentication Service (AS-REQ) requests directed at the Domain Controller, often targeting accounts identified as having pre-authentication disabled.
- Behavioral Indicators: High volume of Kerberos AS-REQ traffic without corresponding successful logins, or repeated attempts to fetch AS-REPs for numerous user objects.
## Associated Threat Actors
This technique is commonly employed by a wide range of actors, from penetration testers simulating domain compromise to sophisticated APT groups, because it is a standard method for obtaining credentials (and thereby escalating privileges) once an attacker can reach a domain controller. Attribution from the technique alone is difficult without knowing which tool was used in a specific instance.
## Detection Methods
- **Signature-based detection:** Difficult, as it relies on standard protocol mechanisms. Signature detection is more applicable to the specific tools used (e.g., Rubeus).
- **Behavioral detection:** Monitoring for an excessive number of AS-REQ requests from a single source IP or workstation targeting many user accounts, especially if the replies (AS-REPs) are not followed by TGS-REQ requests (suggesting offline cracking).
- **YARA rules:** Not typically applicable, as this is a protocol-level technique that leaves no static artifact to match; rules can at most cover the tools themselves.
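The behavioral detection described above can be run over Windows Security Event ID 4768 records ("A Kerberos authentication ticket (TGT) was requested"). The example below is added here and is not code from the original report or from any tool it names; it assumes 4768 events flattened into `key=value` lines with the standard field names (`TargetUserName`, `IpAddress`, `PreAuthType`, `TicketEncryptionType`, `Status`), and the sample lines are constructed. A TGT issued with Pre-Authentication Type 0 means the KDC returned an AS-REP without the client proving it knows the password, which is exactly the message an attacker can crack offline; grouping such events by client address surfaces one source hitting many accounts.

```python
"""Detection logic for AS-REP Roasting over Windows Security Event ID 4768 records.

A 4768 event with PreAuthType 0 and Status 0x0 is an AS-REP the KDC issued
without pre-authentication. The log lines below are constructed samples.
"""
from collections import defaultdict

PREAUTH_NONE = 0        # Pre-Authentication Type 0: no pre-auth performed
ETYPE_RC4_HMAC = 0x17   # RC4-HMAC, the ticket encryption type offline crackers prefer
STATUS_SUCCESS = 0x0    # Result Code 0x0: ticket issued

# Constructed sample events in a flat key=value form (not real telemetry).
# IpAddress uses the IPv4-mapped IPv6 form that 4768 commonly logs.
SAMPLE_LOG = """\
EventID=4768 TargetUserName=svc_backup IpAddress=::ffff:10.0.5.23 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=j.doe IpAddress=::ffff:10.0.5.23 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=legacy_app IpAddress=::ffff:10.0.5.23 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4768 TargetUserName=a.smith IpAddress=::ffff:10.0.7.40 PreAuthType=2 TicketEncryptionType=0x12 Status=0x0
EventID=4768 TargetUserName=legacy_app IpAddress=::ffff:10.0.7.41 PreAuthType=0 TicketEncryptionType=0x17 Status=0x0
EventID=4769 TargetUserName=a.smith IpAddress=::ffff:10.0.7.40 TicketEncryptionType=0x12 Status=0x0
"""


def parse_event(line):
    """Parse one key=value line into a dict; numeric fields become ints."""
    fields = dict(token.split("=", 1) for token in line.split())
    for key in ("EventID", "PreAuthType", "TicketEncryptionType", "Status"):
        if key in fields:
            fields[key] = int(fields[key], 0)   # base 0 accepts both "0x17" and "0"
    addr = fields.get("IpAddress", "")
    if addr.startswith("::ffff:"):
        fields["IpAddress"] = addr[len("::ffff:"):]
    return fields


def parse_log(text):
    """Return only the 4768 (AS-REQ/AS-REP) events; 4769 (TGS) lines are skipped."""
    events = [parse_event(l) for l in text.splitlines() if l.strip()]
    return [e for e in events if e.get("EventID") == 4768]


def is_roastable_asrep(event):
    """A successfully issued TGT with no pre-auth is an AS-REP crackable offline."""
    return event["PreAuthType"] == PREAUTH_NONE and event["Status"] == STATUS_SUCCESS


def accounts_missing_preauth(events):
    """Accounts that received a TGT without pre-auth: feed these into the AD audit."""
    return sorted({e["TargetUserName"] for e in events if is_roastable_asrep(e)})


def find_roasting_sources(events, min_distinct_users=2):
    """Group no-pre-auth AS-REPs by client address and report sources that touched
    several different accounts. Returns {ip: {"users": [...], "rc4": bool}}, where
    rc4 marks that at least one ticket used RC4-HMAC (the easier-to-crack case)."""
    users = defaultdict(set)
    rc4 = defaultdict(bool)
    for e in events:
        if is_roastable_asrep(e):
            users[e["IpAddress"]].add(e["TargetUserName"])
            rc4[e["IpAddress"]] |= e["TicketEncryptionType"] == ETYPE_RC4_HMAC
    return {
        ip: {"users": sorted(u), "rc4": rc4[ip]}
        for ip, u in users.items()
        if len(u) >= min_distinct_users
    }


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for ip, info in find_roasting_sources(evs).items():
        print(f"{ip}: {len(info['users'])} accounts without pre-auth {info['users']} rc4={info['rc4']}")
    print("accounts to audit:", accounts_missing_preauth(evs))
```

On the constructed sample, `10.0.5.23` is flagged because it obtained no-pre-auth AS-REPs for three distinct accounts, while `10.0.7.41` (one account) and `10.0.7.40` (pre-auth type 2, AES) are not. The `min_distinct_users` threshold should be tuned to the environment; legitimate clients of a single legacy account will show one user per source, not many. The account list returned by `accounts_missing_preauth` is the set of objects still carrying the flag and belongs in the hardening audit.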
## Mitigation Strategies
- **Prevention measures:** **Enable Kerberos Pre-authentication** for all user accounts. This is the single most effective mitigation against AS-REP Roasting: with pre-authentication required, the client must first prove knowledge of the password (by sending a timestamp encrypted with the account's key), so the KDC never returns an AS-REP to a requester that does not know the password and there is nothing to crack offline.
- **Hardening recommendations:**
1. Regularly audit user accounts for the "Do not require preauthentication for this user" setting using PowerShell or AD tools.
2. Implement privileged access workstations (PAWs) to limit where attackers can execute credential harvesting tools.
3. Monitor Kerberos traffic for anomalous request patterns.
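An added example for hardening step 1 (it is not part of the original report): it decodes exported `userAccountControl` values and lists every account carrying the `DONT_REQ_PREAUTH` bit, enabled accounts first. It assumes the input is a CSV produced with `Get-ADUser -Filter * -Properties userAccountControl | Select-Object SamAccountName,userAccountControl | Export-Csv`; the CSV embedded below is constructed, not from a real domain.

```python
"""Audit helper: find accounts with "Do not require Kerberos preauthentication" set,
given a CSV export of SamAccountName and userAccountControl (constructed sample below)."""
import csv
import io

# userAccountControl bit values (documented Active Directory flag constants)
UAC_ACCOUNTDISABLE = 0x0002
UAC_NORMAL_ACCOUNT = 0x0200
UAC_DONT_EXPIRE_PASSWORD = 0x10000
UAC_DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"

# Constructed export: svc_backup = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + DONT_REQ_PREAUTH,
# legacy_app = NORMAL_ACCOUNT + ACCOUNTDISABLE + DONT_REQ_PREAUTH, a.smith has no pre-auth issue.
SAMPLE_CSV = """\
SamAccountName,userAccountControl
j.doe,512
svc_backup,4260352
legacy_app,4194818
a.smith,66048
"""

FLAG_NAMES = {
    UAC_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    UAC_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    UAC_DONT_EXPIRE_PASSWORD: "DONT_EXPIRE_PASSWORD",
    UAC_DONT_REQ_PREAUTH: "DONT_REQ_PREAUTH",
}


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    return {name for bit, name in FLAG_NAMES.items() if value & bit}


def accounts_without_preauth(csv_text):
    """Accounts with DONT_REQ_PREAUTH set, as (SamAccountName, enabled) tuples.
    Enabled accounts sort first because they are the live exposure; disabled
    ones are still listed so the flag can be cleaned up before re-enabling."""
    found = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        uac = int(row["userAccountControl"])
        if uac & UAC_DONT_REQ_PREAUTH:
            enabled = not (uac & UAC_ACCOUNTDISABLE)
            found.append((row["SamAccountName"], enabled))
    return sorted(found, key=lambda t: (not t[1], t[0]))


if __name__ == "__main__":
    for name, enabled in accounts_without_preauth(SAMPLE_CSV):
        print(f"{name}: pre-auth not required ({'ENABLED' if enabled else 'disabled'})")
```

Each account the helper reports should have the flag cleared (for example with `Set-ADAccountControl -DoesNotRequirePreAuth $false`) after confirming no legacy application still depends on it, and the audit should be repeated on a schedule so the flag does not creep back in.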
## Related Tools/Techniques
- **Kerberoasting (T1558.003):** Similar technique that targets Ticket Granting Service replies (TGS-REP service tickets) instead of AS-REP messages.
- **AS-REQ Encryption Type Check:** Related reconnaissance activity to identify potential targets for AS-REP Roasting.
- **Tools:** Rubeus, Impacket suite (e.g., `GetNPUsers.py`, or custom scripts).