T1558.004 AS-REP Roasting Mappings

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)

Preauthentication offers protection against offline Password Cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)

For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like PowerShell with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. (Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.(Citation: SANS Attacking Kerberos Nov 2014)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
AC-16 Security and Privacy Attributes Protects T1558.004 AS-REP Roasting
AC-17 Remote Access Protects T1558.004 AS-REP Roasting
AC-18 Wireless Access Protects T1558.004 AS-REP Roasting
AC-19 Access Control for Mobile Devices Protects T1558.004 AS-REP Roasting
AC-2 Account Management Protects T1558.004 AS-REP Roasting
AC-3 Access Enforcement Protects T1558.004 AS-REP Roasting
CA-7 Continuous Monitoring Protects T1558.004 AS-REP Roasting
CA-8 Penetration Testing Protects T1558.004 AS-REP Roasting
CM-2 Baseline Configuration Protects T1558.004 AS-REP Roasting
CM-6 Configuration Settings Protects T1558.004 AS-REP Roasting
IA-2 Identification and Authentication (organizational Users) Protects T1558.004 AS-REP Roasting
IA-5 Authenticator Management Protects T1558.004 AS-REP Roasting
RA-5 Vulnerability Monitoring and Scanning Protects T1558.004 AS-REP Roasting
SA-11 Developer Testing and Evaluation Protects T1558.004 AS-REP Roasting
SA-15 Development Process, Standards, and Tools Protects T1558.004 AS-REP Roasting
SC-4 Information in Shared System Resources Protects T1558.004 AS-REP Roasting
SI-12 Information Management and Retention Protects T1558.004 AS-REP Roasting
SI-3 Malicious Code Protection Protects T1558.004 AS-REP Roasting
SI-4 System Monitoring Protects T1558.004 AS-REP Roasting
SI-7 Software, Firmware, and Information Integrity Protects T1558.004 AS-REP Roasting
action.hacking.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
action.hacking.variety.Use of stolen creds Use of stolen authentication credentials (including credential stuffing) related-to T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting
action.malware.variety.Exploit misconfig Exploit a misconfiguration (vs vuln or weakness) related-to T1558.004 Steal or Forge Kerberos Tickets: AS-REP Roasting