Potential AS-REP Roasting via Kerberos TGT Requests
Detects suspicious Kerberos TGT requests (Security event 4768) in which no pre-authentication was used (Pre-Authentication Type = 0) and the ticket encryption type is 0x17, i.e. RC4-HMAC. This combination may indicate AS-REP Roasting: an attacker requests AS-REP messages for accounts that have pre-authentication disabled and cracks the AS-REP's encrypted part, which is keyed with the account's password-derived key, offline to recover the password.
Sigma rule
title: Potential AS-REP Roasting via Kerberos TGT Requests
id: 3e2f1b2c-4d5e-11ee-be56-0242ac120002
status: experimental
description: |
    Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e. RC4-HMAC.
    This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and crack the encrypted part of the AS-REP offline to recover user passwords.
references:
    - https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714
    - https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
author: ANosir
date: 2025-05-22
modified: 2025-07-04
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4768
        TicketEncryptionType: '0x17'
        ServiceName: 'krbtgt'
        PreAuthType: 0
    condition: selection
falsepositives:
    - Legacy systems or applications that legitimately use RC4 encryption
    - Misconfigured accounts with pre-authentication disabled
level: medium
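The selection above, evaluated as plain Python over a handful of constructed 4768 events. This is an added example, not code from the rule or from the SigmaHQ project; the sample events are made up (field names follow the EventData of Security event 4768, values are strings as Windows emits them), and the second selection, `SELECTION_ANY_ETYPE`, is a hypothetical looser variant that drops the RC4 constraint. It is included because the client chooses which encryption types it offers in the AS-REQ, so a roasting tool that offers only AES still receives a crackable AS-REP that the rule as written does not flag.

```python
"""Run the rule's selection over constructed Security 4768 events (added example)."""
from typing import Any

# Selection copied from the rule above. Sigma ANDs the fields of a selection map.
SELECTION = {
    "EventID": 4768,
    "TicketEncryptionType": "0x17",
    "ServiceName": "krbtgt",
    "PreAuthType": 0,
}

# Hypothetical looser variant (assumption, not part of the rule): same fields
# minus the etype, so AES-keyed AS-REPs for pre-auth-disabled accounts match too.
SELECTION_ANY_ETYPE = {k: v for k, v in SELECTION.items() if k != "TicketEncryptionType"}


def _norm(value: Any) -> str:
    # Sigma backends compare scalars as case-insensitive strings, so 0 == "0"
    # and "0x17" == "0X17"; a missing field becomes "none" and never matches.
    return str(value).strip().lower()


def matches(event: dict, selection: dict) -> bool:
    """True when every field of the selection is present in the event and equal."""
    return all(_norm(event.get(k)) == _norm(v) for k, v in selection.items())


def evaluate(events: list, selection: dict = SELECTION) -> list:
    """Return the events that the selection would alert on."""
    return [e for e in events if matches(e, selection)]


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    {  # ordinary logon: pre-auth used (2 = PA-ENC-TIMESTAMP), AES256 ticket
        "EventID": "4768", "TargetUserName": "alice", "ServiceName": "krbtgt",
        "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0",
        "IpAddress": "::ffff:10.0.0.25",
    },
    {  # roasting candidate: no pre-auth, RC4 AS-REP issued successfully
        "EventID": "4768", "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
        "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0",
        "IpAddress": "::ffff:10.0.0.200",
    },
    {  # no pre-auth, but the client offered only AES: the rule as written misses this
        "EventID": "4768", "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
        "TicketEncryptionType": "0x12", "PreAuthType": "0", "Status": "0x0",
        "IpAddress": "::ffff:10.0.0.200",
    },
    {  # RC4 ticket but pre-auth was used: legacy client, listed as a false-positive source
        "EventID": "4768", "TargetUserName": "oldbox$", "ServiceName": "krbtgt",
        "TicketEncryptionType": "0x17", "PreAuthType": "2", "Status": "0x0",
        "IpAddress": "::ffff:10.0.0.31",
    },
    {  # TGS request (4769) for a service ticket: wrong event ID, no PreAuthType field
        "EventID": "4769", "TargetUserName": "alice", "ServiceName": "cifs/fs01",
        "TicketEncryptionType": "0x17", "Status": "0x0",
        "IpAddress": "::ffff:10.0.0.25",
    },
]


def hits(selection: dict = SELECTION) -> list:
    """Account names the given selection flags in the constructed sample."""
    return [e["TargetUserName"] for e in evaluate(SAMPLE_EVENTS, selection)]


if __name__ == "__main__":
    print("rule as written:", hits())                   # ['svc_backup']
    print("any etype      :", hits(SELECTION_ANY_ETYPE))  # ['svc_backup', 'svc_legacy']
```

The point the two runs make: the rule's `TicketEncryptionType: '0x17'` constraint buys precision against the RC4 false positives listed under falsepositives, but it is the `PreAuthType: 0` field that actually identifies a roastable account; whether to also alert on the AES case, at a lower level, is a tuning decision for the environment.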