Potential AS-REP Roasting via Kerberos TGT Requests

Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e., RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.

Sigma rule

title: Potential AS-REP Roasting via Kerberos TGT Requests
id: 3e2f1b2c-4d5e-11ee-be56-0242ac120002
status: experimental
description: |
    Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e., RC4-HMAC.
    This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
references:
    - https://medium.com/system-weakness/detecting-as-rep-roasting-attacks-b5b3965f9714
    - https://www.picussecurity.com/resource/blog/as-rep-roasting-attack-explained-mitre-attack-t1558.004
author: ANosir
date: 2025-05-22
logsource:
    product: windows
    service: security
detection:
    selection:
        EventID: 4768
        TicketEncryptionType: '0x17'   # RC4-HMAC
        ServiceName: 'krbtgt'          # TGT (AS-REQ), not a service ticket
        # EventData field name of the value rendered as "Pre-Authentication Type" in event 4768
        PreAuthType: 0
    condition: selection
falsepositives:
    - Legacy systems or applications that legitimately use RC4 encryption
    - Misconfigured accounts with pre-authentication disabled
level: medium
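To see what the selection above actually matches, here is the rule's AND-logic applied to a few constructed Security event 4768/4769 records. This is an added example, not code from the rule author or the Sigma project; it assumes log-shipper output where every EventData value arrives as a string and uses the EventData name `PreAuthType` for the field rendered as "Pre-Authentication Type".

```python
# Added example: apply the Sigma 'selection' to constructed 4768 events.

# The rule's selection as a plain dict (Sigma AND semantics across fields).
SELECTION = {
    "EventID": 4768,
    "TicketEncryptionType": "0x17",  # RC4-HMAC
    "ServiceName": "krbtgt",         # TGT request (AS-REQ)
    "PreAuthType": 0,                # no pre-authentication performed
}


def _norm(value) -> str:
    """Windows emits EventData values as strings; Sigma compares case-insensitively."""
    return str(value).strip().lower()


def matches(event: dict) -> bool:
    """True only when every selection field is present and equal."""
    return all(
        field in event and _norm(event[field]) == _norm(expected)
        for field, expected in SELECTION.items()
    )


# Constructed sample events (not real telemetry).
EVENTS = [
    # AS-REQ for an account with pre-auth disabled, RC4 ticket: should alert
    {"EventID": "4768", "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": "0", "Status": "0x0"},
    # Normal AES256 logon with pre-auth (type 2 = PA-ENC-TIMESTAMP): no alert
    {"EventID": "4768", "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "2", "Status": "0x0"},
    # Pre-auth disabled but AES ticket: the rule deliberately does not fire
    {"EventID": "4768", "TargetUserName": "svc_aes", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": "0", "Status": "0x0"},
    # Service ticket request (4769) carries no PreAuthType at all: no alert
    {"EventID": "4769", "TargetUserName": "alice", "ServiceName": "cifs/fs01",
     "TicketEncryptionType": "0x17", "Status": "0x0"},
]


def alerting_users(events) -> list:
    """Return TargetUserName of every event the selection matches."""
    return [e["TargetUserName"] for e in events if matches(e)]


if __name__ == "__main__":
    print(alerting_users(EVENTS))  # ['svc_legacy']
```

The third sample shows the rule's scope: an account with pre-auth disabled that returns an AES ticket is not flagged, which is why the Ticket Encryption Type condition matters for tuning.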
