Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages. (Citation: Harmj0y Roasting AS-REPs Jan 2017)
Preauthentication offers protection against offline Password Cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user's password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user's password. (Citation: Microsoft Kerberos Preauth 2014)
For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks, similar to Kerberoasting, and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)
An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like PowerShell with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)
Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts. (Citation: SANS Attacking Kerberos Nov 2014)
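The two defender-side checks the description implies, as an added example that is not ATT&CK or Mappings Explorer code: an audit of the userAccountControl bit the LDAP filter tests (DONT_REQ_PREAUTH, 0x400000), and detection logic over Security event 4768 records (TGT requested) that flags TGTs issued with PreAuthType 0, ranks RC4-HMAC (0x17) highest, and groups by source address to spot one client roasting several accounts. The directory rows and the key=value rendering of the 4768 EventData fields are constructed sample input.

```python
"""Audit and detection helpers for AS-REP roasting exposure.
Added example; not ATT&CK or Mappings Explorer code. Inputs are constructed."""
import re
from collections import defaultdict

# userAccountControl flag DONT_REQ_PREAUTH (0x400000 = 4194304): the bit the
# LDAP filter from the description tests with the bitwise-AND matching rule.
DONT_REQ_PREAUTH = 0x400000
LDAP_FILTER = ("(&(objectCategory=person)(objectClass=user)"
               "(userAccountControl:1.2.840.113556.1.4.803:=4194304))")

# Constructed directory rows: (sAMAccountName, userAccountControl).
SAMPLE_ACCOUNTS = [
    ("svc_backup", 0x200 | DONT_REQ_PREAUTH),            # preauth disabled
    ("jdoe", 0x200),                                     # preauth required
    ("legacyapp", 0x200 | 0x10000 | DONT_REQ_PREAUTH),   # also never-expires
]

def accounts_without_preauth(rows):
    """Return names whose userAccountControl has DONT_REQ_PREAUTH set."""
    return [name for name, uac in rows if uac & DONT_REQ_PREAUTH]

# Security event 4768 (Kerberos TGT requested). PreAuthType 0 means the TGT was
# issued without preauthentication; TicketEncryptionType 0x17 is RC4-HMAC.
RC4_HMAC = 0x17
SAMPLE_4768 = """\
TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.25
TargetUserName=jdoe PreAuthType=2 TicketEncryptionType=0x12 IpAddress=10.0.0.31
TargetUserName=legacyapp PreAuthType=0 TicketEncryptionType=0x12 IpAddress=10.0.0.25
TargetUserName=svc_backup PreAuthType=0 TicketEncryptionType=0x17 IpAddress=10.0.0.31
"""
_FIELD = re.compile(r"(\w+)=(\S+)")

def parse_4768(text):
    """Turn the constructed key=value lines into dicts of 4768 EventData fields."""
    return [dict(_FIELD.findall(line)) for line in text.splitlines() if line.strip()]

def asrep_findings(events, min_accounts=2):
    """Flag no-preauth TGTs (worst with RC4) and sources roasting many accounts."""
    findings, per_source = [], defaultdict(set)
    for ev in events:
        if ev.get("PreAuthType") != "0":
            continue
        etype = int(ev["TicketEncryptionType"], 16)
        findings.append((ev["TargetUserName"], ev["IpAddress"],
                         "rc4_no_preauth" if etype == RC4_HMAC else "no_preauth"))
        per_source[ev["IpAddress"]].add(ev["TargetUserName"])
    sources = sorted(ip for ip, names in per_source.items() if len(names) >= min_accounts)
    return findings, sources
```

Accounts returned by `accounts_without_preauth` are the ones the Secure Score "unsecure account attributes" recommendation points at; clearing the flag (or moving them to AES-only) removes the crackable AS-REP.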
Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
---|---|---|---|---|---|
AC-16 | Security and Privacy Attributes | Protects | T1558.004 | AS-REP Roasting | |
AC-17 | Remote Access | Protects | T1558.004 | AS-REP Roasting | |
AC-18 | Wireless Access | Protects | T1558.004 | AS-REP Roasting | |
AC-19 | Access Control for Mobile Devices | Protects | T1558.004 | AS-REP Roasting | |
AC-2 | Account Management | Protects | T1558.004 | AS-REP Roasting | |
AC-3 | Access Enforcement | Protects | T1558.004 | AS-REP Roasting | |
CA-7 | Continuous Monitoring | Protects | T1558.004 | AS-REP Roasting | |
CA-8 | Penetration Testing | Protects | T1558.004 | AS-REP Roasting | |
CM-2 | Baseline Configuration | Protects | T1558.004 | AS-REP Roasting | |
CM-6 | Configuration Settings | Protects | T1558.004 | AS-REP Roasting | |
IA-2 | Identification and Authentication (organizational Users) | Protects | T1558.004 | AS-REP Roasting | |
IA-5 | Authenticator Management | Protects | T1558.004 | AS-REP Roasting | |
RA-5 | Vulnerability Monitoring and Scanning | Protects | T1558.004 | AS-REP Roasting | |
SA-11 | Developer Testing and Evaluation | Protects | T1558.004 | AS-REP Roasting | |
SA-15 | Development Process, Standards, and Tools | Protects | T1558.004 | AS-REP Roasting | |
SC-4 | Information in Shared System Resources | Protects | T1558.004 | AS-REP Roasting | |
SI-12 | Information Management and Retention | Protects | T1558.004 | AS-REP Roasting | |
SI-3 | Malicious Code Protection | Protects | T1558.004 | AS-REP Roasting | |
SI-4 | System Monitoring | Protects | T1558.004 | AS-REP Roasting | |
SI-7 | Software, Firmware, and Information Integrity | Protects | T1558.004 | AS-REP Roasting | |
microsoft_defender_for_identity | Microsoft Defender for Identity | technique_scores | T1558.004 | AS-REP Roasting | Comments: This control's "Suspected Kerberos SPN exposure (external ID 2410)" alert can detect when an attacker uses tools to enumerate service accounts and their respective SPNs (Service Principal Names), requests Kerberos service tickets for those services, captures the Ticket Granting Service (TGS) tickets from memory, extracts their hashes, and saves them for later use in an offline brute-force attack. Similarly, its "Suspected AS-REP Roasting attack (external ID 2412)" alert can detect the AS-REP Roasting sub-technique. The accuracy of these alerts is unknown, so the score has been assessed as Partial. |
azure_ad_identity_secure_score | Azure AD Identity Secure Score | technique_scores | T1558.004 | AS-REP Roasting | Comments: This control's "Resolve unsecure account attributes" recommendation can lead to detecting Active Directory accounts that do not require Kerberos preauthentication. Preauthentication offers protection against offline (Kerberos) Password Cracking. Because this is a recommendation, its score is capped at Partial. |