Kerberos Pre-authentication Disabled for User

Identifies the modification of an account's Kerberos pre-authentication options. An adversary with GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password cracking attacks such as AS-REP roasting.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2022/01/24"
integration = ["system", "windows"]
maturity = "production"
updated_date = "2026/05/04"

[rule]
author = ["Elastic"]
description = """
Identifies the modification of an account's Kerberos pre-authentication options. An adversary with
GenericWrite/GenericAll rights over the account can maliciously modify these settings to perform offline password
cracking attacks such as AS-REP roasting.
"""
from = "now-9m"
index = ["logs-system.security*", "logs-windows.forwarded*", "winlogbeat-*"]
language = "eql"
license = "Elastic License v2"
name = "Kerberos Pre-authentication Disabled for User"
note = """## Triage and analysis

### Investigating Kerberos Pre-authentication Disabled for User

Kerberos pre-authentication is an account protection against offline password cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user's password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user's password. Microsoft's security monitoring [recommendations](https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738) state that `'Don't Require Preauth' – Enabled` should not be enabled for user accounts because it weakens security for the account's Kerberos authentication.

AS-REP roasting is an attack against Kerberos for user accounts that do not require pre-authentication, which means that if the target user has pre-authentication disabled, an attacker can request authentication data for it and get a TGT that can be brute-forced offline, similarly to Kerberoasting.

#### Possible investigation steps

- Identify the user account that performed the action and whether it should perform this kind of action.
- Contact the account owner and confirm whether they are aware of this activity.
- Determine if the target account is sensitive or privileged.
- Inspect the account activities for suspicious or abnormal behaviors in the alert timeframe.

### False positive analysis

- Disabling pre-authentication is a bad security practice and should not be allowed in the domain. The security team should map and monitor any potential benign true positives (B-TPs), especially if the target account is privileged.

### Response and remediation

- Initiate the incident response process based on the outcome of the triage.
- Reset the target account's password if there is any risk of TGTs having been retrieved.
- Re-enable the preauthentication option or disable the target account.
- Review the privileges assigned to the involved users to ensure that the least privilege principle is being followed.
- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords for these accounts and other potentially compromised credentials, such as email, business systems, and web services.
- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
"""
references = [
    "https://harmj0y.medium.com/roasting-as-reps-e6179a65216b",
    "https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4738",
    "https://github.com/atc-project/atomic-threat-coverage/blob/master/Atomic_Threat_Coverage/Logging_Policies/LP_0026_windows_audit_user_account_management.md",
]
risk_score = 47
rule_id = "e514d8cd-ed15-4011-84e2-d15147e059f1"
setup = """## Setup

Audit User Account Management must be enabled to generate the events used by this rule.
Setup instructions: https://ela.st/audit-user-account-management
"""
severity = "medium"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Credential Access",
    "Tactic: Defense Evasion",
    "Tactic: Privilege Escalation",
    "Resources: Investigation Guide",
    "Use Case: Active Directory Monitoring",
    "Data Source: Active Directory",
    "Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
any where host.os.type == "windows" and event.code == "4738" and
  winlog.event_data.NewUACList == "USER_DONT_REQUIRE_PREAUTH"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1558"
name = "Steal or Forge Kerberos Tickets"
reference = "https://attack.mitre.org/techniques/T1558/"

[[rule.threat.technique.subtechnique]]
id = "T1558.004"
name = "AS-REP Roasting"
reference = "https://attack.mitre.org/techniques/T1558/004/"

[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1562"
name = "Impair Defenses"
reference = "https://attack.mitre.org/techniques/T1562/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"

[[rule.threat.technique.subtechnique]]
id = "T1078.002"
name = "Domain Accounts"
reference = "https://attack.mitre.org/techniques/T1078/002/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"

[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
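The following is an added example and not part of the Elastic rule or its repository. It replays the rule's EQL condition over constructed event documents shaped like Elastic's Windows security events, pulls out the fields the investigation steps ask for (who made the change, which account was changed, whether the target is privileged), and adds a small hunting helper for the remediation step that tests the `DONT_REQ_PREAUTH` bit (0x400000) of the LDAP `userAccountControl` attribute. The event documents, account names, the `USER_DONT_EXPIRE_PASSWORD` flag name and the privileged-account list are constructed sample values; `SubjectUserName` and `TargetUserName` are the standard event 4738 field names, and the rule's own `NewUACList` field is used exactly as the query does.

```python
"""Added example, not Elastic's code: replays the rule's EQL condition over
constructed event documents and hunts userAccountControl for DONT_REQ_PREAUTH."""

# ADS_UF_DONT_REQUIRE_PREAUTH bit of the LDAP userAccountControl attribute.
DONT_REQ_PREAUTH = 0x400000


def _get(event, path):
    """Walk a dotted ECS path such as 'winlog.event_data.NewUACList'."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def matches_rule(event):
    """Mirror of the rule query:
        host.os.type == "windows" and event.code == "4738" and
        winlog.event_data.NewUACList == "USER_DONT_REQUIRE_PREAUTH"
    EQL equality against an array field is true when any element matches, so a
    list-valued NewUACList is treated the same way the engine treats it."""
    if _get(event, "host.os.type") != "windows":
        return False
    if _get(event, "event.code") != "4738":
        return False
    uac_list = _get(event, "winlog.event_data.NewUACList")
    if uac_list is None:
        return False
    if isinstance(uac_list, str):
        uac_list = [uac_list]
    return "USER_DONT_REQUIRE_PREAUTH" in uac_list


def triage(event, privileged_accounts=frozenset()):
    """Extract what the investigation steps ask for: the actor (Subject*),
    the changed account (Target*) and whether that account is privileged."""
    target = _get(event, "winlog.event_data.TargetUserName")
    return {
        "actor": _get(event, "winlog.event_data.SubjectUserName"),
        "target": target,
        "target_domain": _get(event, "winlog.event_data.TargetDomainName"),
        "privileged_target": target in privileged_accounts,
    }


def alerts(events, privileged_accounts=frozenset()):
    """Run the rule over a batch of events and return one triage record per hit."""
    return [triage(e, privileged_accounts) for e in events if matches_rule(e)]


def accounts_without_preauth(directory_records):
    """Hunting helper for remediation: given (sAMAccountName, userAccountControl)
    pairs, list the accounts whose DONT_REQ_PREAUTH bit is currently set."""
    return sorted(name for name, uac in directory_records if uac & DONT_REQ_PREAUTH)


# Constructed sample events in the shape of Elastic's windows security documents.
SAMPLE_EVENTS = [
    {   # hit: pre-auth disabled on svc-backup by jdoe, array-valued NewUACList
        "host": {"os": {"type": "windows"}},
        "event": {"code": "4738"},
        "winlog": {"event_data": {
            "SubjectUserName": "jdoe",
            "TargetUserName": "svc-backup",
            "TargetDomainName": "CORP",
            "NewUACList": ["USER_DONT_REQUIRE_PREAUTH"],
        }},
    },
    {   # hit: same flag delivered as a single string rather than an array
        "host": {"os": {"type": "windows"}},
        "event": {"code": "4738"},
        "winlog": {"event_data": {
            "SubjectUserName": "admin-ops",
            "TargetUserName": "svc-legacy",
            "TargetDomainName": "CORP",
            "NewUACList": "USER_DONT_REQUIRE_PREAUTH",
        }},
    },
    {   # miss: a 4738 that changed a different flag (constructed flag name)
        "host": {"os": {"type": "windows"}},
        "event": {"code": "4738"},
        "winlog": {"event_data": {
            "SubjectUserName": "jdoe",
            "TargetUserName": "alice",
            "NewUACList": ["USER_DONT_EXPIRE_PASSWORD"],
        }},
    },
    {   # miss: right flag, wrong event code (account creation, not change)
        "host": {"os": {"type": "windows"}},
        "event": {"code": "4720"},
        "winlog": {"event_data": {
            "TargetUserName": "bob",
            "NewUACList": ["USER_DONT_REQUIRE_PREAUTH"],
        }},
    },
]

# Constructed directory snapshot: NORMAL_ACCOUNT (0x200), DONT_EXPIRE_PASSWORD
# (0x10000) and DONT_REQ_PREAUTH (0x400000) bits combined per account.
SAMPLE_DIRECTORY = [
    ("svc-backup", 0x410200),
    ("jdoe", 0x10200),
    ("svc-legacy", 0x400200),
]

if __name__ == "__main__":
    for hit in alerts(SAMPLE_EVENTS, privileged_accounts={"svc-backup"}):
        print("ALERT", hit)
    print("pre-auth currently disabled:", accounts_without_preauth(SAMPLE_DIRECTORY))
```

Treating `NewUACList` as either a string or a list matters because the rule's `==` comparison matches any element of an array field; a port of this logic to another engine that compares the whole array would silently miss events that carry several flag changes at once. The directory helper is the offline counterpart of asking the domain directly (for example `Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'`) when deciding which accounts need the option re-enabled.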
