T1558.004 AS-REP Roasting

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)

Preauthentication offers protection against offline Password Cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)

For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like PowerShell with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)
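
The attribute an adversary enumerates here is the one a defender should audit. The following is an added example, not part of the ATT&CK description or the mappings text: it evaluates userAccountControl and msDS-SupportedEncryptionTypes on constructed records shaped like a plain LDAP attribute export, flagging accounts that disable preauthentication and, among those, the ones that declare no AES encryption type (so the AS-REP they produce would be RC4-encrypted, the cheap-to-crack case the mitigation comments below address). The record layout, field names and the filter constant are assumptions of this example.

```python
# Added example (not from the ATT&CK page): audit AD user attributes for the two
# conditions behind AS-REP roasting. Records are constructed samples shaped like a
# plain LDAP export of userAccountControl and msDS-SupportedEncryptionTypes.
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl: "Do not require Kerberos preauthentication"

# msDS-SupportedEncryptionTypes bits
ETYPE_RC4_HMAC = 0x4
ETYPE_AES128 = 0x8
ETYPE_AES256 = 0x10

# LDAP filter (bitwise-AND matching rule) that returns the same population for an audit.
LDAP_FILTER_NO_PREAUTH = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)

def audit_account(rec):
    """Return findings for one account; an empty list means nothing to fix."""
    findings = []
    uac = int(rec.get("userAccountControl", 0))
    if uac & UF_DONT_REQUIRE_PREAUTH:
        findings.append("preauth-disabled")
        # With preauth off, the AS-REP is encrypted under this account's key. If the
        # account declares no AES etype (attribute unset or RC4 only), the reply a roaster
        # collects is RC4-encrypted; declaring AES makes cracking slower, not impossible.
        etypes = rec.get("msDS-SupportedEncryptionTypes")
        if etypes is None or not int(etypes) & (ETYPE_AES128 | ETYPE_AES256):
            findings.append("no-aes-declared")
    return findings

def audit(records):
    """Map sAMAccountName -> findings for every account with at least one finding."""
    results = {}
    for rec in records:
        findings = audit_account(rec)
        if findings:
            results[rec["sAMAccountName"]] = findings
    return results

SAMPLE_EXPORT = [  # constructed records, not real accounts
    {"sAMAccountName": "jdoe", "userAccountControl": 0x200},
    {"sAMAccountName": "svc_legacy", "userAccountControl": 0x400200, "msDS-SupportedEncryptionTypes": 0x4},
    {"sAMAccountName": "svc_report", "userAccountControl": 0x400200, "msDS-SupportedEncryptionTypes": 0x18},
    {"sAMAccountName": "svc_old", "userAccountControl": 0x400200},
]
```

Running audit(SAMPLE_EXPORT) reports svc_legacy and svc_old with both findings and svc_report with preauth-disabled only; jdoe is clean.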

Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.(Citation: SANS Attacking Kerberos Nov 2014)
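
On the detection side, the exchange described above leaves a trace in Windows Security event 4768 (TGT requested): a successful request whose Pre-Authentication Type is 0 is a TGT issued without preauthentication, and a Ticket Encryption Type of 0x17 (RC4-HMAC) marks the cheap-to-crack case. The following is an added example, not code from the ATT&CK page or the mappings project: it runs that logic over constructed 4768 records and additionally groups no-preauth requests by source address, since one client pulling such tickets for many distinct accounts looks like a bulk roast rather than a legacy application. The field names follow the 4768 event layout; the sample values and threshold are assumptions.

```python
# Added example (not from the ATT&CK page): triage Windows Security event 4768
# ("A Kerberos authentication ticket (TGT) was requested") for AS-REP roasting.
# Events are constructed samples carrying the fields a SIEM parses from 4768.
from collections import defaultdict

PREAUTH_NONE = 0          # Pre-Authentication Type 0 = logon without preauthentication
ETYPE_RC4_HMAC = 0x17     # Ticket Encryption Type 0x17 = RC4-HMAC

def is_roastable_asrep(ev):
    """True for a successfully issued TGT that needed no preauthentication: that AS-REP
    is exactly what a roaster collects, whatever the ticket encryption type."""
    return (ev.get("EventID") == 4768 and ev.get("Status") == "0x0"
            and ev.get("PreAuthType") == PREAUTH_NONE)

def triage(events, bulk_threshold=3):
    """findings: (account, source IP, severity) per no-preauth TGT; RC4 is rated high
    because it is the cheap-to-crack case. bulk_sources: IPs that obtained no-preauth
    TGTs for >= bulk_threshold distinct accounts, the shape of a bulk roast rather than
    one legacy client talking to its own service account."""
    findings = []
    accounts_by_ip = defaultdict(set)
    for ev in events:
        if not is_roastable_asrep(ev):
            continue
        severity = "high" if ev.get("TicketEncryptionType") == ETYPE_RC4_HMAC else "medium"
        findings.append((ev["TargetUserName"], ev["IpAddress"], severity))
        accounts_by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    bulk_sources = sorted(ip for ip, accts in accounts_by_ip.items()
                          if len(accts) >= bulk_threshold)
    return findings, bulk_sources

SAMPLE_EVENTS = [  # constructed, not real log data
    # normal logon: encrypted-timestamp preauth (type 2), AES ticket
    {"EventID": 4768, "Status": "0x0", "PreAuthType": 2, "TicketEncryptionType": 0x12,
     "TargetUserName": "jdoe", "IpAddress": "10.0.0.5"},
    # one source pulling no-preauth TGTs for several accounts, mostly RC4
    {"EventID": 4768, "Status": "0x0", "PreAuthType": 0, "TicketEncryptionType": 0x17,
     "TargetUserName": "svc_legacy", "IpAddress": "10.0.0.77"},
    {"EventID": 4768, "Status": "0x0", "PreAuthType": 0, "TicketEncryptionType": 0x17,
     "TargetUserName": "svc_old", "IpAddress": "10.0.0.77"},
    {"EventID": 4768, "Status": "0x0", "PreAuthType": 0, "TicketEncryptionType": 0x12,
     "TargetUserName": "svc_report", "IpAddress": "10.0.0.77"},
    # failed request for an unknown principal (status 0x6): no TGT, so no finding
    {"EventID": 4768, "Status": "0x6", "PreAuthType": None, "TicketEncryptionType": None,
     "TargetUserName": "nosuchuser", "IpAddress": "10.0.0.77"},
]
```

triage(SAMPLE_EVENTS) yields three findings, all from 10.0.0.77, and names that address as a bulk source; lowering the threshold or tuning it per environment is where the false-positive rate is set.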


CRI Profile Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
PR.PS-01.06 | Encryption management practices | Mitigates | T1558.004 | AS-REP Roasting
  Comments: This diagnostic statement is associated with employing encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit in order to mitigate unauthorized access to or theft of data. To address the theft or forgery of Kerberos tickets through AS-REP Roasting, enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4, where possible.
PR.PS-01.07 | Cryptographic keys and certificates | Mitigates | T1558.004 | AS-REP Roasting
  Comments: This diagnostic statement protects against Steal or Forge Kerberos Tickets: AS-REP Roasting through key revocation and key management. Employing key protection strategies for key material used in identity management and authentication processes, together with restrictions to specific accounts and access control mechanisms, provides protection against adversaries trying to perform AS-REP Roasting.
PR.AA-01.01 | Identity and credential management | Mitigates | T1558.004 | AS-REP Roasting
  Comments: This diagnostic statement protects against AS-REP Roasting through hardened access control policies, secure defaults, password complexity requirements, multifactor authentication requirements, and removal of terminated accounts.
PR.PS-01.05 | Encryption standards | Mitigates | T1558.004 | AS-REP Roasting
  Comments: This diagnostic statement is associated with employing strong encryption methods that protect the confidentiality and integrity of data-at-rest, data-in-use, and data-in-transit in order to mitigate unauthorized access to or theft of data. To address the theft or forgery of Kerberos tickets through AS-REP Roasting, enable AES Kerberos encryption (or another stronger encryption algorithm) rather than RC4, where possible.

NIST 800-53 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
CA-07 | Continuous Monitoring | mitigates | T1558.004 | AS-REP Roasting
CM-06 | Configuration Settings | mitigates | T1558.004 | AS-REP Roasting
IA-05 | Authenticator Management | mitigates | T1558.004 | AS-REP Roasting
AC-17 | Remote Access | mitigates | T1558.004 | AS-REP Roasting
SA-15 | Development Process, Standards, and Tools | mitigates | T1558.004 | AS-REP Roasting
AC-19 | Access Control for Mobile Devices | mitigates | T1558.004 | AS-REP Roasting
SC-04 | Information in Shared System Resources | mitigates | T1558.004 | AS-REP Roasting
SI-12 | Information Management and Retention | mitigates | T1558.004 | AS-REP Roasting
RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1558.004 | AS-REP Roasting
SI-03 | Malicious Code Protection | mitigates | T1558.004 | AS-REP Roasting
SI-07 | Software, Firmware, and Information Integrity | mitigates | T1558.004 | AS-REP Roasting
AC-16 | Security and Privacy Attributes | mitigates | T1558.004 | AS-REP Roasting
AC-18 | Wireless Access | mitigates | T1558.004 | AS-REP Roasting
CM-02 | Baseline Configuration | mitigates | T1558.004 | AS-REP Roasting
SA-11 | Developer Testing and Evaluation | mitigates | T1558.004 | AS-REP Roasting
IA-02 | Identification and Authentication (Organizational Users) | mitigates | T1558.004 | AS-REP Roasting
SI-04 | System Monitoring | mitigates | T1558.004 | AS-REP Roasting
AC-02 | Account Management | mitigates | T1558.004 | AS-REP Roasting
AC-03 | Access Enforcement | mitigates | T1558.004 | AS-REP Roasting

VERIS Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
action.hacking.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1558.004 | AS-REP Roasting
action.hacking.variety.Use of stolen creds | Use of stolen or default authentication credentials (including credential stuffing) | related-to | T1558.004 | AS-REP Roasting
action.malware.variety.Exploit misconfig | Exploit a misconfiguration (vs vuln or weakness) | related-to | T1558.004 | AS-REP Roasting

M365 Mappings

Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes
DEF-ID-E5 | Microsoft Defender for Identity | Technique Scores | T1558.004 | AS-REP Roasting
  Comments: This control's "Suspected Kerberos SPN exposure (external ID 2410)" alert is able to detect when an attacker uses tools to enumerate service accounts and their respective SPNs (Service Principal Names), requests Kerberos service tickets for those services, captures the Ticket Granting Service (TGS) tickets from memory, extracts their hashes, and saves them for later use in an offline brute force attack. Similarly, its "Suspected AS-REP Roasting attack (external ID 2412)" alert is able to detect the AS-REP Roasting sub-technique. The accuracy of these alerts is unknown and therefore the score has been assessed as Partial.
DEF-SECA-E3 | Security Alerts | Technique Scores | T1558.004 | AS-REP Roasting
  Comments: Microsoft Defender security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct. Defender security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain, each with documentation on the alerts designed to detect that attack stage and how to use them to help protect your network: reconnaissance and discovery alerts, persistence and privilege escalation alerts, credential access alerts, lateral movement alerts, and other alerts. License: A Microsoft 365 security product license entitles customer use of Microsoft Defender XDR.
EID-IDSS-E3 | Identity Secure Score | Technique Scores | T1558.004 | AS-REP Roasting
  Comments: This control's "Resolve unsecure account attributes" recommendation can lead to detecting Active Directory accounts which do not require Kerberos preauthentication. Preauthentication offers protection against offline (Kerberos) Password Cracking. Because this is a recommendation, its score is capped as Partial.