misconfigured accounts with pre-authentication disabled

windows
sigma

Techniques

Sample rules

Potential AS-REP Roasting via Kerberos TGT Requests

source: sigma
technicques:

Description

Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type (0x17) i.e, RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.

Detection logic

condition: selection
selection:
  EventID: 4768
  Pre-AuthenticationType: 0
  ServiceName: krbtgt
  TicketEncryptionType: '0x17'