What is AS-REP Roasting?
Authentication Server Response (AS-REP) Roasting is an attack against Active Directory accounts that have Kerberos pre-authentication disabled. For such accounts, an attacker can request a Kerberos AS-REP from a domain controller without first proving knowledge of the password, capture the returned response (part of which is encrypted with a key derived from the account's password), and then brute-force that password offline. This technique is commonly used to escalate privileges during ransomware and other campaigns, especially where privileged or service accounts are misconfigured.
How can I defend against AS-REP Roasting?
Start by using Semperis tools like Semperis Purple Knight or Directory Services Protector (DSP) to identify accounts with Kerberos pre-authentication disabled. These products provide a security indicator to alert you to the issue.
- Indicator of exposure (IOE): Users with Kerberos pre-authentication disabled.
- Category: Account Security
- Frameworks: MITRE ATT&CK: Credential Access, ANSSI: vuln1_kerberos_properties_preauth_priv, vuln2_kerberos_properties_preauth
Next, determine which accounts genuinely require Kerberos pre-authentication to be disabled. Educate IT stakeholders on the risks, and restrict disabling pre-authentication to rare legacy cases.
Then determine whether pre-authentication can be enabled on the remaining vulnerable accounts, reducing their exposure to attacks such as AS-REP Roasting. You can use PowerShell scripts to enable pre-authentication on those accounts.
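The following PowerShell is an added example of that enumerate-then-remediate step; it is not Semperis code. It assumes the ActiveDirectory RSAT module, rights to modify the affected accounts, and a hypothetical exception list (the account name svc_legacyapp is a placeholder) for the rare legacy cases that have been reviewed and documented. Pre-authentication is controlled by the DONT_REQ_PREAUTH bit (0x400000, decimal 4194304) of userAccountControl, which the module exposes as DoesNotRequirePreAuth.

```powershell
# Added example (not Semperis code): list AD users with Kerberos pre-authentication
# disabled and re-enable it on every account that is not a documented exception.
# Requires the ActiveDirectory RSAT module and rights to modify the accounts.
Import-Module ActiveDirectory

function Get-PreAuthDisabledUser {
    # LDAP bitwise-AND match on userAccountControl for DONT_REQ_PREAUTH (0x400000 = 4194304).
    # The same set can be found with: Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'
    Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=4194304)' `
        -Properties userAccountControl, Enabled, LastLogonDate, AdminCount |
        Select-Object SamAccountName, Enabled, LastLogonDate, AdminCount,
            @{ n = 'UAC'; e = { '0x{0:X}' -f $_.userAccountControl } }
}

function Enable-KerberosPreAuth {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName,
        # Hypothetical allow-list: accounts reviewed and confirmed to need pre-auth disabled
        [string[]]$Exempt = @()
    )
    process {
        if ($Exempt -contains $SamAccountName) {
            Write-Verbose "Skipping $SamAccountName (documented legacy exception)"
            return
        }
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Enable Kerberos pre-authentication')) {
            # Clears DONT_REQ_PREAUTH in userAccountControl
            Set-ADAccountControl -Identity $SamAccountName -DoesNotRequirePreAuth $false
        }
    }
}

# 1. Review: who has pre-auth disabled, are they still in use, are any privileged (AdminCount=1)?
Get-PreAuthDisabledUser | Format-Table -AutoSize

# 2. Dry run with -WhatIf, then the real change once the exception list is agreed.
#    'svc_legacyapp' is a placeholder for a reviewed legacy account.
Get-PreAuthDisabledUser | Enable-KerberosPreAuth -Exempt 'svc_legacyapp' -WhatIf
# Get-PreAuthDisabledUser | Enable-KerberosPreAuth -Exempt 'svc_legacyapp' -Verbose
```

Run the review output past the application owners before removing the -WhatIf: an account that still needs pre-authentication disabled will stop authenticating once the bit is cleared, so the exception list, not the script, is where the business decision lives. Privileged accounts (AdminCount set) that appear in the list are the ones to fix first.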
Note that Purple Knight provides a point-in-time snapshot of vulnerable users, whereas DSP provides continuous monitoring, automated notifications, and rollback of risky or unexpected changes to Active Directory objects.
Without automated monitoring, you will need to watch for signs of an AS-REP Roasting attack yourself, such as Windows Security event ID 4768 (a Kerberos authentication ticket was requested) with:
- Pre-Auth Type 0
- Service Name krbtgt
- Ticket Encryption Type 0x17 (RC4-HMAC)
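As an added example of that detection logic (not Semperis code), the PowerShell below parses event ID 4768 records and flags those matching all three indicators. It works on two constructed sample events embedded inline, so it can be tried anywhere, and with -Hours instead of -UseSample it reads the live Security log through Get-WinEvent on a domain controller or a log collector. The field names (TargetUserName, ServiceName, TicketEncryptionType, PreAuthType, IpAddress) are the EventData names Windows writes for 4768; the sample account names and IP addresses are made up.

```powershell
# Added example (not Semperis code): flag Kerberos TGT requests (event ID 4768) that match
# the AS-REP Roasting pattern: PreAuthType 0, ServiceName krbtgt, TicketEncryptionType 0x17.

function ConvertFrom-Event4768 {
    param([Parameter(Mandatory)][xml]$EventXml)
    # Flatten the <Data Name="..."> elements of the event into a hashtable
    $fields = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        TimeCreated    = $EventXml.Event.System.TimeCreated.SystemTime
        TargetUser     = $fields['TargetUserName']
        ServiceName    = $fields['ServiceName']
        EncryptionType = $fields['TicketEncryptionType']
        PreAuthType    = $fields['PreAuthType']
        ClientIp       = $fields['IpAddress']
    }
}

function Test-AsRepRoastingPattern {
    param([Parameter(Mandatory)]$Event4768)
    # All three indicators from the text must hold; a single one is common in normal traffic
    ($Event4768.PreAuthType -eq '0') -and
    ($Event4768.ServiceName -eq 'krbtgt') -and
    ($Event4768.EncryptionType -eq '0x17')
}

# Constructed sample events (not real log data): one roasting-style request, one normal TGT request
$script:SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2024-01-15T09:12:03.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">svc_legacyapp</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="TicketEncryptionType">0x17</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="IpAddress">::ffff:10.0.5.23</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4768</EventID><TimeCreated SystemTime="2024-01-15T09:12:04.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="ServiceName">krbtgt</Data>
    <Data Name="TicketEncryptionType">0x12</Data>
    <Data Name="PreAuthType">2</Data>
    <Data Name="IpAddress">::ffff:10.0.7.41</Data>
  </EventData>
</Event>
'@
)

function Find-AsRepRoastingEvents {
    param(
        [int]$Hours = 24,
        [switch]$UseSample   # parse the constructed samples instead of the live Security log
    )
    if ($UseSample) {
        $xmlEvents = $script:SampleEvents
    } else {
        $xmlEvents = Get-WinEvent -FilterHashtable @{
            LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$Hours)
        } -ErrorAction SilentlyContinue | ForEach-Object { $_.ToXml() }
    }
    $xmlEvents | ForEach-Object { ConvertFrom-Event4768 ([xml]$_) } |
        Where-Object { Test-AsRepRoastingPattern $_ }
}

# On the samples, only svc_legacyapp is reported; on a DC, use -Hours to scan the live log
Find-AsRepRoastingEvents -UseSample | Format-Table -AutoSize
```

The useful output is the ClientIp column: a burst of such requests for many different accounts from one source address is the signature of an enumeration-style roast, whereas a single hit for an account on your documented exception list may be that legacy application behaving normally. Event 4768 is only logged when the "Audit Kerberos Authentication Service" subcategory is enabled on the domain controllers.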
Learn more about AS-REP Roasting
The following resources provide more information about AS-REP Roasting and how to detect and defend against it.