{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/as-rep-roasting/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Active Directory"],"_cs_severities":["medium"],"_cs_tags":["kerberos","credential-access","as-rep-roasting","active-directory","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],
"content_html":"\u003cp\u003eThis detection identifies instances where the Kerberos pre-authentication requirement is disabled for a user account within an Active Directory environment. Attackers with \u003ccode\u003eGenericWrite\u003c/code\u003e or \u003ccode\u003eGenericAll\u003c/code\u003e permissions over a target account can modify the \u003ccode\u003eUserAccountControl\u003c/code\u003e attribute to disable pre-authentication. This configuration weakens the account\u0026rsquo;s security posture, making it vulnerable to AS-REP roasting attacks, where attackers can request Kerberos tickets and crack the password offline. The activity is logged as Event ID 4738 in the Windows Security Event Logs, specifically when the \u003ccode\u003eNewUACList\u003c/code\u003e includes the \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e flag. This poses a significant risk, especially if applied to privileged accounts, as it allows adversaries to potentially compromise credentials and escalate privileges within the domain. The detection is based on research and recommendations from Microsoft regarding Kerberos security best practices.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e An attacker gains unauthorized access to an account with sufficient privileges (e.g., Domain Admin, or an account with delegated permissions) to modify user account attributes in Active Directory.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker leverages their initial access to target a specific user account for which they intend to disable Kerberos pre-authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccount Modification:\u003c/strong\u003e The attacker modifies the \u003ccode\u003eUserAccountControl\u003c/code\u003e attribute of the target user account, specifically enabling the \u0026ldquo;Do not require Kerberos pre-authentication\u0026rdquo; setting (setting the \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e flag). This is often done using tools like \u003ccode\u003eActive Directory Users and Computers\u003c/code\u003e or PowerShell cmdlets.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eEvent Logging:\u003c/strong\u003e The modification triggers a Windows Security Event Log event (Event ID 4738) on the Domain Controller, indicating that the user account attribute has been changed. The \u003ccode\u003eNewUACList\u003c/code\u003e field in the event data contains \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAS-REQ Request:\u003c/strong\u003e The attacker crafts an AS-REQ (Authentication Service Request) to the Kerberos Key Distribution Center (KDC) for the targeted user account. Since pre-authentication is disabled, the KDC processes the request without requiring pre-authentication.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAS-REP Response:\u003c/strong\u003e The KDC issues an AS-REP (Authentication Service Response) to the attacker, containing an encrypted Ticket Granting Ticket (TGT) for the targeted user account.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eOffline Cracking:\u003c/strong\u003e The attacker extracts the encrypted TGT from the AS-REP response and attempts to crack it offline using password cracking tools and techniques, such as hashcat or John the Ripper.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Access:\u003c/strong\u003e Upon successfully cracking the TGT, the attacker obtains the plaintext password for the targeted user account. This password can then be used for lateral movement, privilege escalation, and further malicious activities within the domain.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eCompromising user accounts through AS-REP roasting can have significant consequences. Attackers can gain unauthorized access to sensitive resources, escalate privileges, and move laterally within the network. Successful AS-REP roasting leads to credential compromise, which could result in data breaches, system compromise, and disruption of services. Organizations failing to monitor and prevent Kerberos pre-authentication disabling are at an increased risk of credential theft and subsequent exploitation, potentially affecting all systems within the compromised domain.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable \u0026ldquo;Audit User Account Management\u0026rdquo; and ensure Windows Security Event Logs (specifically Event ID 4738) are being collected and forwarded to your SIEM for analysis as described in the setup instructions linked in the rule source.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect Event ID 4738 events where the \u003ccode\u003eNewUACList\u003c/code\u003e contains \u003ccode\u003eUSER_DONT_REQUIRE_PREAUTH\u003c/code\u003e within your environment to identify potential AS-REP roasting vulnerabilities.\u003c/li\u003e\n\u003cli\u003eInvestigate any instances of disabled pre-authentication, especially on privileged accounts, following the triage steps outlined in the rule documentation.\u003c/li\u003e\n\u003cli\u003eEnforce the principle of least privilege by reviewing and restricting the privileges assigned to users and groups to prevent unauthorized modification of Active Directory user account attributes.\u003c/li\u003e\n\u003cli\u003eMonitor for suspicious Kerberos authentication patterns and investigate any anomalies that might indicate AS-REP roasting attempts.\u003c/li\u003e\n\u003c/ul\u003e\n",
"date_modified":"2024-01-28T12:00:00Z","date_published":"2024-01-28T12:00:00Z","id":"/briefs/2024-01-28-kerberos-preauth-disabled/",
"summary":"Detection of Kerberos pre-authentication being disabled for a user account, potentially leading to AS-REP roasting and offline password cracking by attackers with GenericWrite or GenericAll rights over the account.",
"title":"Kerberos Pre-authentication Disabled for User Account","url":"https://feed.craftedsignal.io/briefs/2024-01-28-kerberos-preauth-disabled/"}],
"language":"en","title":"CraftedSignal Threat Feed — As-Rep-Roasting","version":"https://jsonfeed.org/version/1.1"}