Detects AS-REP roasting by monitoring Kerberos TGT requests (Event ID 4768) in which no preauthentication was performed (Pre-Authentication Type 0, logged as "Logon without Pre-Authentication"). When an account has 'Do not require Kerberos preauthentication' set (DONT_REQ_PREAUTH, userAccountControl flag 0x400000), the KDC returns an AS-REP containing material encrypted with the account's long-term key without first checking an encrypted timestamp, so an adversary can collect that response and crack it offline; roasting tools typically request the weak RC4-HMAC cipher (Ticket Encryption Type 0x17) to make cracking cheaper. The strategy correlates these 4768 events with subsequent service ticket requests (Event ID 4769) within a time window: a legitimate logon is normally followed by 4769 events for the same account and source, whereas a roasting attempt needs only the AS-REP. Anomalies to flag are no-preauth 4768 events for accounts outside the known baseline, RC4 (etype 0x17) where AES is expected, and several no-preauth requests for different accounts from one source in a short period. Excessive LDAP enumeration of accounts with 'Do not require Kerberos preauthentication' set, which precedes the roasting itself, is another key detection point; process creation telemetry (Sysmon Event ID 1) covers the tooling that issues these requests from a domain-joined host.
| Data Component | Name | Channel |
|---|---|---|
| Active Directory Credential Request (DC0084) | WinEventLog:Security | EventCode=4768 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| PreAuthDisabledAccountsBaseline | Set of accounts known to have 'Do not require Kerberos preauthentication' (userAccountControl 0x400000) set for a documented reason; a no-preauth 4768 for any account outside this set, or new accounts acquiring the flag, may indicate adversary enumeration. |
| TGTRequestThreshold | Number of no-preauth AS-REQ/AS-REP exchanges (4768, Pre-Authentication Type 0) per source address, or per account, within TimeWindow; counts above this indicate bulk roasting rather than a single logon. |
| AllowedEncryptionTypes | Kerberos encryption types expected on 4768 events (normally AES, etype 0x11/0x12); RC4-HMAC (etype 0x17) should be closely monitored because roasting tools request it to obtain a faster-to-crack hash. |
| TimeWindow | Correlation window for linking AS-REQ/AS-REP exchanges to each other and to subsequent service ticket requests (4769); a no-preauth 4768 with no 4769 for the same account and source inside the window is suspicious. |
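Worked detection logic, as an added example that is not part of the original page: a Python script that applies the rules above to constructed sample 4768/4769 events (key=value lines imitating WinEventLog:Security fields; not real log data). The tunable values, account names, IP addresses and timestamps are assumptions. It flags a no-preauth 4768 when the account is outside PreAuthDisabledAccountsBaseline, when the ticket encryption type is outside AllowedEncryptionTypes, or when no 4769 for the same account and source follows within TimeWindow (the heuristic being that a roasting tool needs only the AS-REP while a real client goes on to request service tickets), and raises a volume alert when TGTRequestThreshold no-preauth requests arrive from one source inside TimeWindow.

```python
"""AS-REP roasting detection over Windows Security events 4768/4769.

Added example, not code from the original page. Event records are constructed
to mimic WinEventLog:Security fields (TargetUserName, IpAddress, PreAuthType,
TicketEncryptionType); tunable values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables named after the page's mutable elements (values are assumptions).
PREAUTH_DISABLED_ACCOUNTS_BASELINE = {"svc-legacy"}  # documented DONT_REQ_PREAUTH accounts
TGT_REQUEST_THRESHOLD = 3                            # no-preauth 4768s from one source per window
ALLOWED_ENCRYPTION_TYPES = {0x11, 0x12}              # AES128/AES256; RC4 (0x17) is not expected
TIME_WINDOW = timedelta(minutes=5)

# Constructed sample events, one per line (not real log data). The 4769 lines use the
# IPv4-mapped form "::ffff:a.b.c.d" that Windows often logs in IpAddress.
SAMPLE_EVENTS = """\
2024-05-01T08:00:01 EventCode=4768 TargetUserName=alice IpAddress=10.0.0.5 PreAuthType=2 TicketEncryptionType=0x12
2024-05-01T08:00:02 EventCode=4769 TargetUserName=alice@CORP.LOCAL IpAddress=::ffff:10.0.0.5 ServiceName=cifs/fs01 TicketEncryptionType=0x12
2024-05-01T08:10:00 EventCode=4768 TargetUserName=svc-legacy IpAddress=10.0.0.7 PreAuthType=0 TicketEncryptionType=0x12
2024-05-01T08:10:01 EventCode=4769 TargetUserName=svc-legacy@CORP.LOCAL IpAddress=::ffff:10.0.0.7 ServiceName=ldap/dc01 TicketEncryptionType=0x12
2024-05-01T09:00:00 EventCode=4768 TargetUserName=svc-backup IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17
2024-05-01T09:00:00 EventCode=4768 TargetUserName=svc-sql IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17
2024-05-01T09:00:01 EventCode=4768 TargetUserName=svc-legacy IpAddress=10.0.0.99 PreAuthType=0 TicketEncryptionType=0x17
"""


def account(name):
    """Normalise TargetUserName: 4769 carries user@REALM, 4768 carries the bare sAMAccountName."""
    return name.split("@")[0].lower()


def parse_events(text):
    """Parse the key=value lines into dicts; strips the ::ffff: prefix from IpAddress."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"time": datetime.fromisoformat(ts)}
        for pair in pairs:
            key, _, value = pair.partition("=")
            ev[key] = value
        if "IpAddress" in ev and ev["IpAddress"].startswith("::ffff:"):
            ev["IpAddress"] = ev["IpAddress"][len("::ffff:"):]
        events.append(ev)
    return events


def detect(events):
    """Return a list of alerts for AS-REP roasting indicators in the event stream."""
    alerts = []
    no_preauth = [e for e in events if e["EventCode"] == "4768" and e["PreAuthType"] == "0"]
    service_tickets = [e for e in events if e["EventCode"] == "4769"]

    # Per-request checks on every TGT issued without preauthentication.
    for e in no_preauth:
        acct = account(e["TargetUserName"])
        reasons = []
        if acct not in PREAUTH_DISABLED_ACCOUNTS_BASELINE:
            reasons.append("account_not_in_baseline")
        if int(e["TicketEncryptionType"], 16) not in ALLOWED_ENCRYPTION_TYPES:
            reasons.append("weak_etype_" + e["TicketEncryptionType"])
        # A real client normally requests service tickets after its TGT; a roaster does not.
        followed = any(
            account(s["TargetUserName"]) == acct
            and s["IpAddress"] == e["IpAddress"]
            and e["time"] <= s["time"] <= e["time"] + TIME_WINDOW
            for s in service_tickets
        )
        if not followed:
            reasons.append("no_service_ticket_followup")
        if reasons:
            alerts.append({"source": e["IpAddress"], "account": acct,
                           "time": e["time"], "reasons": reasons})

    # Volume check: TGT_REQUEST_THRESHOLD or more no-preauth requests from one source per window.
    by_source = defaultdict(list)
    for e in no_preauth:
        by_source[e["IpAddress"]].append(e)
    for src, reqs in by_source.items():
        reqs.sort(key=lambda r: r["time"])
        for i, first in enumerate(reqs):
            window = [r for r in reqs[i:] if r["time"] - first["time"] <= TIME_WINDOW]
            if len(window) >= TGT_REQUEST_THRESHOLD:
                accounts = sorted({account(r["TargetUserName"]) for r in window})
                alerts.append({"source": src, "account": None, "time": first["time"],
                               "reasons": ["bulk_no_preauth_requests:" + ",".join(accounts)]})
                break
    return alerts


def run():
    """Run the detection over the constructed sample and return the alerts."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for alert in run():
        print(alert["time"], alert["source"], alert["account"], alert["reasons"])
```

On the sample, the baseline account svc-legacy logging on from 10.0.0.7 with AES and a following 4769 produces nothing, while 10.0.0.99 produces three per-request alerts (two accounts outside the baseline, all three with RC4 and no service ticket follow-up) plus one volume alert. Tune the thresholds to the environment; a single alert on RC4 alone may be noise where legacy clients still negotiate it, but RC4 combined with Pre-Authentication Type 0 and no follow-up rarely is.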