EXPLORE
Sign In
← Back to Explore
T1558.004

AS-REP Roasting

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017) Preauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Reques...

Windows
8
Detections
2
Sources
0
Threat Actors

BY SOURCE

6splunk_escu2elastic

PROCEDURES (6)

Script Block2 detections

Auto-extracted: 2 detections for script block

Lateral2 detections

Auto-extracted: 2 detections for lateral

Brute Force1 detections

Auto-extracted: 1 detections for brute force

Brute Force1 detections

Auto-extracted: 1 detections for brute force

Authentication Monitoring1 detections

Auto-extracted: 1 detections for authentication monitoring

Network Connection Monitoring1 detections

Auto-extracted: 1 detections for network connection monitoring

DETECTIONS (8)

Disabled Kerberos Pre-Authentication Discovery With Get-ADUser
splunk_escu
Disabled Kerberos Pre-Authentication Discovery With PowerView
splunk_escu
Kerberos Pre-authentication Disabled for User
elasticmedium
Kerberos Pre-Authentication Flag Disabled in UserAccountControl
splunk_escu
Kerberos Pre-Authentication Flag Disabled with PowerShell
splunk_escu
Rubeus Command Line Parameters
splunk_escu
Suspicious Kerberos Authentication Ticket Request
elastichigh
Windows Process With NetExec Command Line Parameters
splunk_escu