During a recent proof of concept with a new customer, there was an interesting back and forth between our Blumira team and the customer testing our detections in a pentesting lab environment.
The customer was very impressed with the detections that were already in place — including our use of a honey account for kerberoasting — but one detection that we were lacking was the ability to test Authentication Server Response (AS-REP) roasting, a tactic that enables threat actors to retrieve — and later crack — users’ password hashes. Based on our customer’s request, we were able to create a detection built into Blumira’s platform to protect against that attack.
I won’t go too in depth into the inner workings of how kerberos authentication functions and how to successfully exploit it; you can find out more about that over here. (Spoiler alert: there’s a good handful of ways to exploit kerberos.) But I will discuss some ways to detect AS-REP roasting in your environment.
First, let’s go over the differences between kerberoasting and AS-REP roasting.
Kerberoasting vs. AS-REP Roasting
Kerberoasting is an enumeration attack on accounts in Active Directory using Microsoft’s service principal name (SPN) ticket function.
- A threat actor enumerates against Active Directory user accounts using an SPN ticket.
- The actor requests the Kerberos Ticket-Granting Service (TGS) Tickets for the SPNs gathered.
- The AD Domain Controller responds back with a ticket with the requested services, which are then stored in memory.
- The actor uses a tool to extract the hashes included in the response from memory.
AS-REP Roasting is an attack specifically against accounts that do not require pre-authentication. Active Directory requires pre-authentication by default, but this can be controlled on a per-user basis.
- A threat actor enumerates against Active Directory user accounts that do not require pre-authentication.
- A threat actor requests the Kerberos Ticket-Granting Ticket (TGT)
- The AD Domain Controller responds back with the TGT without requiring the account password as a pre-authentication.
- The actor uses a tool to extract the hashes from a captured packet
How To Detect AS-REP Roasting
One of the simpler detections can be focused around honey accounts — the same active deception technique that we use for our Kerberoasting detection.
Here you see our “YayNoPreauth” user account, being actively exploited with the ASREPRoast tool from harmj0y.
During this attack the following Event ID 4768 is generated with the following parameters:
- Event ID = 4768
- Ticket Encryption Type = 0x17
- Ticket Options = 0x40800010
- Service Name = krbtgt
Here’s what the finding looks like in Blumira’s platform:
How To Prevent AS-REP Roasting
As with any active deception technology, you should monitor more actively on honey accounts than on a normal account.
While it’s possible to perform this attack in some environments with active accounts, we highly recommend to require pre-authentication whenever possible. When you do not require pre-authentication, you should closely monitor all accounts and endpoints involved, as you can much more easily compromise those accounts. Never allow those accounts to be a member of any group that has elevated permissions.
To audit an environment for accounts that have the “no pre-authentication required” flag set, you can run the Powershell command:
get-aduser -f * -pr DoesNotRequirePreAuth | where {$_.DoesNotRequirePreAuth -eq $TRUE
}
Crafting Detections With Blumira
Blumira’s incident detection engineers (IDEs) threat-hunt on your behalf, so you don’t have to. IDEs constantly develop rules based on threat-based research and observed attack paths. They emulate attacks in the lab, then craft detections based on threat actor behavior.
Our IDEs are open to new ideas for detections, based on customers’ needs — just like the customer who wanted to detect AS-REP. Meanwhile, our responsive security operations team is available for expertise and ongoing support to help you continuously improve your security coverage.
Try Blumira for free today to learn more about our solution. You can also give our free Domain Security Assessment a try. Sign up here for a comprehensive view of your publicly accessible assets and potential security gaps in minutes.
Amanda Berlin
Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...
More from the blog
View All PostsBlumira’s Customer Satisfaction Scores Maintain 100 Percent in Q2 2022
Read MoreHow Blumira Responded to a Real Exchange Attack
Read MoreBlumira Launches Detection Filters, Enabling Organizations to Easily Customize Detection Rules
Read MoreSubscribe to email updates
Stay up-to-date on what's happening at this blog and get additional content about the benefits of subscribing.