| ID | Name |
|---|---|
| T1558.001 | Golden Ticket |
| T1558.002 | Silver Ticket |
| T1558.003 | Kerberoasting |
| T1558.004 | AS-REP Roasting |
| T1558.005 | Ccache Files |
Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages.[1]
Preauthentication offers protection against offline Password Cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.[2]
For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials. [1][3]
An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like PowerShell with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. [1][3]
Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.[4]
| ID | Name | Description |
|---|---|---|
| S1071 | Rubeus |
Rubeus can reveal the credentials of accounts that have Kerberos pre-authentication disabled through AS-REP roasting.[5][6][7] |
| ID | Mitigation | Description |
|---|---|---|
| M1047 | Audit |
Kerberos preauthentication is enabled by default. Older protocols might not support preauthentication therefore it is possible to have this setting disabled. Make sure that all accounts have preauthentication whenever possible and audit changes to setting. Windows tools such as PowerShell may be used to easily find which accounts have preauthentication disabled. [8][3] |
| M1041 | Encrypt Sensitive Information |
Enable AES Kerberos encryption (or another stronger encryption algorithm), rather than RC4, where possible.[9] |
| M1027 | Password Policies |
Ensure strong password length (ideally 25+ characters) and complexity for service accounts and that these passwords periodically expire. Also consider using Group Managed Service Accounts or another third party product such as password vaulting. [9] |
| ID | Name | Analytic ID | Analytic Description |
|---|---|---|---|
| DET0113 | Detect AS-REP Roasting Attempts (T1558.004) | AN0316 |
Detects AS-REP roasting attempts by monitoring for Kerberos AS-REQ/AS-REP authentication patterns where preauthentication is disabled (Event ID 4768 with Pre-Auth Type 0). Correlates these requests with subsequent service ticket activity (Event ID 4769) and anomalies such as requests using weak RC4 encryption (etype 0x17). Excessive enumeration of accounts with 'Do not require Kerberos preauthentication' set in Active Directory is another key detection point. |