
Kerberos AS-REP roasting attacks have re-emerged as a significant threat to Active Directory environments, exploiting weak password policies and misconfigurations. The attack targets accounts with Kerberos pre-authentication disabled, which lets an adversary obtain ticket material encrypted with the account's password-derived key and crack it offline. The technique, mapped to MITRE ATT&CK T1558.004, has been refined with new tools and detection evasion methods in 2024–2025.
Executive Summary for CISOs
AS-REP roasting exploits the absence of Kerberos pre-authentication, enabling attackers to request Ticket Granting Tickets (TGTs) for offline cracking. The attack is particularly effective against service accounts with weak passwords. Key risks include lateral movement and domain escalation. Below is a high-level overview:
- Attack Vector: Targets accounts with the DONT_REQ_PREAUTH flag set.
- Tools: Rubeus, Impacket's GetNPUsers.py, and Hashcat (mode 18200).
- Detection: Monitor Event IDs 4768 (TGT requests) and 4771 (pre-auth failures).
- Mitigation: Enforce pre-authentication, rotate KRBTGT passwords, and disable RC4 encryption.
Technical Breakdown
The attack follows a three-stage workflow: enumeration, exploitation, and cracking. Attackers first identify vulnerable accounts using LDAP or PowerShell queries:
Get-ADUser -Filter {userAccountControl -band 4194304} -Properties userAccountControl
Once enumerated, tools like Rubeus or Impacket request AS-REP messages for those accounts. Because no pre-authentication is required, the KDC returns a response whose encrypted portion is keyed with the account's password hash, so it can be cracked offline using tools like Hashcat:
hashcat -m 18200 hashes.txt rockyou.txt
Recent developments include the use of AI-driven password cracking (e.g., PassGAN) and attacks targeting hybrid Azure AD environments [CrowdStrike, 2024].
Detection and Mitigation
Effective detection requires correlating SIEM alerts with endpoint logs. Splunk queries for AS-REP roasting attempts might include:
index=windows EventCode=4768 Ticket_Encryption_Type=0x17 Pre_Auth_Type=0 ServiceName=krbtgt
| table TargetUserName, IpAddress
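The Splunk query above is a single filter; the added Python example below (not code from the original article) applies the same 4768 / Pre_Auth_Type=0 / krbtgt rule to a few constructed key=value log lines and then correlates hits by source IP, so a single host requesting no-pre-auth TGTs for several accounts stands out as an enumeration-style burst. The field names mirror the query; the sample events, IP addresses and account names are constructed, and the burst threshold is an assumption to tune per environment.

```python
"""Detection logic for AS-REP roasting over Windows Security Event 4768 records.

Added example, not from the original article. Input is a flattened key=value
form similar to what a SIEM ingests; field names follow the article's query.
"""
from collections import defaultdict

# Constructed sample log lines (not real telemetry).
SAMPLE_EVENTS = """\
EventCode=4768 TargetUserName=svc_backup ServiceName=krbtgt Ticket_Encryption_Type=0x17 Pre_Auth_Type=0 IpAddress=10.0.0.45
EventCode=4768 TargetUserName=svc_sql ServiceName=krbtgt Ticket_Encryption_Type=0x17 Pre_Auth_Type=0 IpAddress=10.0.0.45
EventCode=4768 TargetUserName=svc_web ServiceName=krbtgt Ticket_Encryption_Type=0x12 Pre_Auth_Type=0 IpAddress=10.0.0.45
EventCode=4768 TargetUserName=alice ServiceName=krbtgt Ticket_Encryption_Type=0x12 Pre_Auth_Type=2 IpAddress=10.0.0.12
EventCode=4768 TargetUserName=bob ServiceName=krbtgt Ticket_Encryption_Type=0x17 Pre_Auth_Type=2 IpAddress=10.0.0.13
EventCode=4771 TargetUserName=carol ServiceName=krbtgt Ticket_Encryption_Type=0x17 Pre_Auth_Type=0 IpAddress=10.0.0.14
EventCode=4768 TargetUserName=svc_legacy ServiceName=krbtgt Ticket_Encryption_Type=0x17 Pre_Auth_Type=0 IpAddress=10.0.0.99
"""

RC4_HMAC = 0x17     # etype 23: the RC4 response type that hashcat mode 18200 cracks
PREAUTH_NONE = 0    # Pre_Auth_Type 0: the TGT was issued without pre-authentication


def parse_event(line):
    """Turn one key=value log line into a dict, decoding the numeric fields."""
    fields = dict(token.split("=", 1) for token in line.split())
    fields["Ticket_Encryption_Type"] = int(fields.get("Ticket_Encryption_Type", "0x0"), 16)
    fields["Pre_Auth_Type"] = int(fields.get("Pre_Auth_Type", "-1"))
    return fields


def is_asrep_roast_candidate(event):
    """The article's rule: a TGT issued (4768) for krbtgt with no pre-auth."""
    return (event.get("EventCode") == "4768"
            and event.get("ServiceName") == "krbtgt"
            and event["Pre_Auth_Type"] == PREAUTH_NONE)


def detect(log_text, burst_threshold=2):
    """Apply the rule line by line, then correlate matches by source IP.

    Returns {ip: {"users": [...], "rc4": n, "aes": n, "burst": bool}}.
    Filtering only on 0x17 (as the Splunk query does) would drop AES-keyed
    responses, so both are kept and the encryption type is counted separately.
    "burst" marks an IP that requested no-pre-auth TGTs for several distinct
    accounts, the pattern an enumeration tool leaves behind.
    """
    findings = defaultdict(lambda: {"users": set(), "rc4": 0, "aes": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if not is_asrep_roast_candidate(ev):
            continue
        entry = findings[ev["IpAddress"]]
        entry["users"].add(ev["TargetUserName"])
        if ev["Ticket_Encryption_Type"] == RC4_HMAC:
            entry["rc4"] += 1
        else:
            entry["aes"] += 1
    return {
        ip: {"users": sorted(e["users"]), "rc4": e["rc4"], "aes": e["aes"],
             "burst": len(e["users"]) >= burst_threshold}
        for ip, e in findings.items()
    }


if __name__ == "__main__":
    for ip, finding in detect(SAMPLE_EVENTS).items():
        print(ip, finding)
```

In the sample, 10.0.0.45 is reported with three distinct accounts and flagged as a burst, while 10.0.0.99 shows a single hit; the 4771 line and the two requests with Pre_Auth_Type=2 are ignored. A single 4768 with Pre_Auth_Type=0 is expected for any account that genuinely has pre-authentication disabled, so the hit is a lead to correlate with the requesting host and the account's normal logon pattern, not proof of an attack on its own.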
Mitigation strategies include:
- Enabling pre-authentication via PowerShell:
Set-ADAccountControl -Identity <user> -DoesNotRequirePreAuth $false
- Enforcing 25+ character passwords for service accounts [Specops, 2025].
- Disabling RC4 encryption in favor of AES-256 via Group Policy.
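The Get-ADUser filter in the Technical Breakdown and the Set-ADAccountControl fix above both hinge on one bit in userAccountControl. The added Python example below (not code from the original article) decodes that bit from a few constructed account records, ranks the findings so service accounts (the article's key risk) come first, and computes the userAccountControl value the PowerShell fix would write. The account records and SPNs are constructed; the priority scheme is an assumption.

```python
"""Audit of userAccountControl values for the DONT_REQ_PREAUTH flag.

Added example, not from the original article. The records below are constructed
sample data shaped like the attributes the article's Get-ADUser query returns.
"""

# userAccountControl bit values from Microsoft's ADS_USER_FLAG enumeration.
ACCOUNTDISABLE = 0x0002
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWORD = 0x10000
DONT_REQ_PREAUTH = 0x400000  # 4194304, the value in the article's -band filter

# Constructed sample accounts (not a real directory export).
SAMPLE_ACCOUNTS = [
    {"sam": "svc_backup",
     "uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | DONT_EXPIRE_PASSWORD,
     "spn": ["backup/srv01.corp.example"]},
    {"sam": "svc_legacy",
     "uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE,
     "spn": []},
    {"sam": "alice", "uac": NORMAL_ACCOUNT, "spn": []},
    {"sam": "bob", "uac": NORMAL_ACCOUNT | DONT_REQ_PREAUTH, "spn": []},
]


def preauth_disabled(uac):
    """True when the account does not require Kerberos pre-authentication."""
    return bool(uac & DONT_REQ_PREAUTH)


def remediated_uac(uac):
    """The value Set-ADAccountControl -DoesNotRequirePreAuth $false would leave."""
    return uac & ~DONT_REQ_PREAUTH


def audit(accounts):
    """Return findings for accounts with pre-auth disabled, highest priority first.

    Priority 1: enabled accounts carrying an SPN (service accounts).
    Priority 2: other enabled accounts.
    Priority 3: disabled accounts; they cannot be roasted now, but become
                exposed the moment someone re-enables them, so still fix them.
    """
    findings = []
    for acct in accounts:
        uac = acct["uac"]
        if not preauth_disabled(uac):
            continue
        disabled = bool(uac & ACCOUNTDISABLE)
        is_service = bool(acct.get("spn"))
        priority = 3 if disabled else (1 if is_service else 2)
        findings.append({
            "sam": acct["sam"],
            "priority": priority,
            "disabled": disabled,
            "service_account": is_service,
            "password_never_expires": bool(uac & DONT_EXPIRE_PASSWORD),
            "fix_uac": remediated_uac(uac),
        })
    return sorted(findings, key=lambda f: (f["priority"], f["sam"]))


if __name__ == "__main__":
    for f in audit(SAMPLE_ACCOUNTS):
        print(f)
```

The password_never_expires field is reported because an account that both skips pre-authentication and never rotates its password is exactly the long-lived crackable target the article describes; rotating that password after re-enabling pre-authentication closes the window for any AS-REP captured earlier.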
Relevance to Security Teams
For red teams, AS-REP roasting provides a low-noise method for initial access. Blue teams should prioritize auditing pre-auth settings and monitoring anomalous TGT requests. A case study from Netwrix [2025] demonstrated how a compromised account (happy.grunwald) led to domain admin escalation via this technique.
Conclusion
AS-REP roasting remains a persistent threat due to legacy misconfigurations. Organizations should audit Active Directory for accounts with pre-authentication disabled, enforce strong password policies, and monitor Kerberos events. Future trends may include increased exploitation of cloud Kerberos implementations and AI-enhanced cracking.
References
- MITRE ATT&CK T1558.004: Steal or Forge Kerberos Tickets: AS-REP Roasting. MITRE, 2024.
- CrowdStrike: Cloud Kerberos Attacks. 2024.
- Specops Software: Kerberos AS-REP Roasting Mitigation. 2025.
- Netwrix Demo: AS-REP Roasting Incident. 2025.
- Redbot Security: Unauthenticated AS-REP Roasting. 2023.
- Microsoft Docs: KRBTGT Password Rotation. 2025.