Detection | medium | experimental
Potential AS-REP Roasting via Kerberos TGT Requests
Detects Kerberos TGT requests (Event ID 4768) in which no pre-authentication was used (Pre-Authentication Type = 0) and the ticket encryption type is 0x17, i.e. RC4-HMAC. This combination may indicate an AS-REP Roasting attack: the attacker requests AS-REP messages for accounts that have pre-authentication disabled ("Do not require Kerberos preauthentication"), then cracks the encrypted part of the reply offline, since that part is encrypted with a key derived from the account's password.
Log Source
Product: windows
Service: security
Detection Logic (1 selector)
detection:
  selection:
    EventID: 4768
    TicketEncryptionType: '0x17'
    ServiceName: 'krbtgt'
    PreAuthType: 0
  condition: selection
False Positives
Legacy systems or applications that legitimately use RC4 encryption
Misconfigured accounts with pre-authentication disabled
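The following is an added example, not part of the Sigma rule or its repository: it applies the rule's single selection (all four fields must match, the AND semantics of a Sigma map selection) to a handful of constructed 4768/4769 events shaped like the fields Windows writes to the Security log, and reports which requested accounts look roastable. The event dicts, account names and IP addresses are constructed sample data; the field names are those the rule itself uses.

```python
# Added example (not the rule's or the project's own code): evaluates the
# Sigma selection above against constructed Windows Security events.
# All events below are constructed sample data, not real log extracts.

# The rule's selection, field -> required value (map = logical AND).
SELECTION = {
    "EventID": 4768,
    "TicketEncryptionType": "0x17",
    "ServiceName": "krbtgt",
    "PreAuthType": 0,
}


def matches_selection(event, selection=SELECTION):
    """Return True when every selection field equals the event's field.

    Integers are compared numerically so "0" and 0 match (as most Sigma
    backends treat PreAuthType); strings are compared case-insensitively,
    which is Sigma's default string matching.
    """
    for field, expected in selection.items():
        if field not in event:
            return False
        actual = event[field]
        if isinstance(expected, int) and not isinstance(expected, bool):
            try:
                if int(actual) != expected:
                    return False
            except (TypeError, ValueError):
                # e.g. failed requests where the field holds a placeholder
                return False
        elif str(actual).lower() != str(expected).lower():
            return False
    return True


SAMPLE_EVENTS = [
    # constructed: normal TGT request, pre-auth type 2 (PA-ENC-TIMESTAMP), AES256 ticket
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": 2, "IpAddress": "::ffff:10.0.0.5"},
    # constructed: account without pre-auth, RC4 requested -> AS-REP Roasting pattern
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x17", "PreAuthType": 0, "IpAddress": "::ffff:10.0.0.77"},
    # constructed: no pre-auth but AES requested -> outside this rule's scope
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0x12", "PreAuthType": 0, "IpAddress": "::ffff:10.0.0.77"},
    # constructed: service ticket request (4769), not a TGT request
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "cifs/fs01",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.5"},
    # constructed: failed TGT request with placeholder field values
    {"EventID": 4768, "TargetUserName": "bob", "ServiceName": "krbtgt",
     "TicketEncryptionType": "0xffffffff", "PreAuthType": "-", "Status": "0x19"},
]


def run_rule(events):
    """Apply the rule and group matching events by the requested account."""
    hits = {}
    for ev in events:
        if matches_selection(ev):
            hits.setdefault(ev.get("TargetUserName", "?"), []).append(ev)
    return hits


if __name__ == "__main__":
    for user, evs in run_rule(SAMPLE_EVENTS).items():
        sources = ", ".join(e.get("IpAddress", "?") for e in evs)
        print(f"possible AS-REP Roasting: {user} requested from {sources}")
```

Note that the third sample (no pre-auth, AES requested) is deliberately left unmatched: the rule keys on the RC4 encryption type, so a client that negotiates AES for a pre-auth-disabled account falls outside its scope, which is worth keeping in mind when tuning.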
Rule Metadata
Rule ID
3e2f1b2c-4d5e-11ee-be56-0242ac120002
Status
experimental
Level
medium
Type
Detection
Created
Thu May 22
Modified
Fri Jul 04
Author
Path
rules/windows/builtin/security/win_security_kerberos_asrep_roasting.yml