Techniques
Sample rules
Potential AS-REP Roasting via Kerberos TGT Requests
- source: sigma
- techniques:
Description
Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17 (RC4-HMAC). This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.
Detection logic
selection:
    EventID: 4768
    Pre-AuthenticationType: 0
    ServiceName: krbtgt
    TicketEncryptionType: '0x17'
condition: selection
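The selection logic above applied to a handful of constructed Windows 4768 records, as an added example in Python that is not part of the Sigma rule or of this page. Field names are taken from the rule as written; the assumption that a collector may serialise the encryption type as a hex string such as '0x17' (rather than an integer) is mine, and the sample events are made up for the demonstration.

```python
"""Evaluate the AS-REP Roasting selection against constructed 4768 events."""
from typing import Iterable, List, Optional

# Field names follow the rule on this page. Assumption: some collectors expose
# them under other keys (e.g. "PreAuthType"); map those before calling matches_rule.
RULE = {
    "EventID": 4768,
    "Pre-AuthenticationType": 0,   # no pre-auth: AS-REP handed out on request
    "ServiceName": "krbtgt",       # TGT request, not a service ticket
    "TicketEncryptionType": 0x17,  # RC4-HMAC, the cheap-to-crack etype
}


def _to_int(value) -> Optional[int]:
    """Normalise numeric fields that arrive as ints, decimal or hex strings."""
    if isinstance(value, bool):
        return None
    if isinstance(value, int):
        return value
    if isinstance(value, str):
        try:
            return int(value.strip(), 0)  # base 0 accepts both '0x17' and '23'
        except ValueError:
            return None
    return None


def matches_rule(event: dict) -> bool:
    """True when every field of the rule's selection matches the event."""
    return (
        _to_int(event.get("EventID")) == RULE["EventID"]
        and _to_int(event.get("Pre-AuthenticationType")) == RULE["Pre-AuthenticationType"]
        and str(event.get("ServiceName", "")).lower() == RULE["ServiceName"]
        and _to_int(event.get("TicketEncryptionType")) == RULE["TicketEncryptionType"]
    )


def find_hits(events: Iterable[dict]) -> List[dict]:
    """Return the subset of events that satisfy the selection."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (not real logs); TargetUserName is added for readability.
SAMPLE_EVENTS = [
    # RC4 AS-REP for an account with pre-auth disabled: matches.
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "Pre-AuthenticationType": 0, "TicketEncryptionType": "0x17"},
    # Same account but an AES256 ticket (0x12): no match.
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "Pre-AuthenticationType": 0, "TicketEncryptionType": "0x12"},
    # Ordinary pre-authenticated logon (type 2 = PA-ENC-TIMESTAMP): no match.
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "Pre-AuthenticationType": 2, "TicketEncryptionType": "0x17"},
    # Service ticket request (4769) rather than a TGT request: no match.
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "cifs/fileserver",
     "Pre-AuthenticationType": 0, "TicketEncryptionType": "0x17"},
]

if __name__ == "__main__":
    for hit in find_hits(SAMPLE_EVENTS):
        print("AS-REP Roasting candidate:", hit["TargetUserName"])
```

The negative samples show why all four fields are needed together: an AES-encrypted AS-REP (0x12) for the same account, or an RC4 ticket issued after a normal timestamp pre-auth, would both be noise for this rule. In practice, a hit is worth correlating with the account's "Do not require Kerberos preauthentication" setting and with the requesting IP address that the 4768 event also carries.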