During a recent proof of concept with a new customer, there was an interesting back and forth between our Blumira team and the customer testing our detections in a pentesting lab environment.
The customer was very impressed with the detections that were already in place — including our use of a honey account for kerberoasting — but one detection that we were lacking was the ability to test Authentication Server Response (AS-REP) roasting, a tactic that enables threat actors to retrieve — and later crack — users’ password hashes. Based on our customer’s request, we were able to create a detection built into Blumira’s platform to protect against that attack.
I won’t go too in depth into the inner workings of how Kerberos authentication functions and how it gets exploited; you can find out more about that over here. (Spoiler alert: there’s a good handful of ways to exploit Kerberos.) But I will discuss some ways to detect AS-REP roasting in your environment.
First, let’s go over the differences between kerberoasting and AS-REP roasting.
Kerberoasting is an enumeration attack on accounts in Active Directory using Microsoft’s service principal name (SPN) ticket function.
AS-REP Roasting is an attack specifically against accounts that do not require pre-authentication. Active Directory requires pre-authentication by default, but this can be controlled on a per-user basis.
One of the simpler detections can be focused around honey accounts — the same active deception technique that we use for our Kerberoasting detection.
Here you see our “YayNoPreauth” user account, being actively exploited with the ASREPRoast tool from harmj0y.
During this attack, Event ID 4768 is generated with the following parameters:
Here’s what the finding looks like in Blumira’s platform:
As with any active deception technology, you should monitor more actively on honey accounts than on a normal account.
While it’s possible to perform this attack in some environments with active accounts, we highly recommend requiring pre-authentication whenever possible. When you do not require pre-authentication, you should closely monitor all accounts and endpoints involved, as those accounts are much easier to compromise. Never allow those accounts to be a member of any group that has elevated permissions.
To audit an environment for accounts that have the “no pre-authentication required” flag set, you can run the PowerShell command:
Get-ADUser -Filter * -Properties DoesNotRequirePreAuth | Where-Object { $_.DoesNotRequirePreAuth -eq $true }
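As an added example (not from the original post and not Blumira’s platform code), here is a small Python detector for the Event ID 4768 telemetry described above, covering both the honey-account case and the monitoring of real pre-auth-disabled accounts. It assumes events exported in Windows’ event XML form, a constructed sample batch, and the documented 4768 field names (PreAuthType 0 = logon without pre-authentication, TicketEncryptionType 0x17 = RC4-HMAC).

```python
import xml.etree.ElementTree as ET

NS = "http://schemas.microsoft.com/win/2004/08/events/event"   # Windows event XML namespace
HONEY_ACCOUNTS = {"yaynopreauth"}  # the post's decoy account, matched case-insensitively
RC4_HMAC = "0x17"                  # etype 23: the crackable encryption type roasting tools request

def parse_4768(xml_text):
    """Return the EventData fields of a 4768 record as {Name: value}, or None if not 4768."""
    root = ET.fromstring(xml_text)
    if root.findtext(f"{{{NS}}}System/{{{NS}}}EventID") != "4768":
        return None
    return {d.get("Name"): (d.text or "") for d in root.find(f"{{{NS}}}EventData")}

def classify(fields):
    """List the AS-REP roasting indicators present in one 4768 event (empty list = benign)."""
    reasons = []
    if fields.get("PreAuthType") != "0":   # 0 = TGT issued without pre-authentication
        return reasons
    user = fields.get("TargetUserName", "").lower()
    if user in HONEY_ACCOUNTS:
        reasons.append("TGT requested without pre-auth for honey account " + user)
    if fields.get("TicketEncryptionType", "").lower() == RC4_HMAC:
        reasons.append("no pre-auth plus RC4 ticket from " + fields.get("IpAddress", "?"))
    return reasons

def scan(events_xml):
    """Run classify() over exported events; returns (TargetUserName, reasons) for each hit."""
    alerts = []
    for xml_text in events_xml:
        fields = parse_4768(xml_text)
        reasons = classify(fields) if fields else []
        if reasons:
            alerts.append((fields["TargetUserName"], reasons))
    return alerts

def _event(user, etype, preauth):  # constructed, minimal 4768 record for the demo (not a real export)
    return (f'<Event xmlns="{NS}"><System><EventID>4768</EventID></System><EventData>'
            f'<Data Name="TargetUserName">{user}</Data><Data Name="ServiceName">krbtgt</Data>'
            f'<Data Name="TicketEncryptionType">{etype}</Data><Data Name="PreAuthType">{preauth}</Data>'
            f'<Data Name="Status">0x0</Data><Data Name="IpAddress">::ffff:10.0.0.25</Data>'
            f'</EventData></Event>')

SAMPLE_EVENTS = [
    _event("YayNoPreauth", "0x17", "0"),  # honey account roasted: both indicators fire
    _event("jsmith", "0x12", "2"),        # normal AES256 logon with PA-ENC-TIMESTAMP pre-auth
    _event("svc-legacy", "0x17", "0"),    # real pre-auth-disabled account roasted: RC4 indicator
]
if __name__ == "__main__":
    for user, reasons in scan(SAMPLE_EVENTS):
        print(user, "->", "; ".join(reasons))
```

PreAuthType 0 appears on every TGT request for a pre-auth-disabled account, legitimate or not, so on real accounts treat the RC4 indicator as a lead to baseline against the account’s usual source hosts; the honey account hit needs no baseline because that account should never authenticate at all.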
Blumira’s incident detection engineers (IDEs) threat-hunt on your behalf, so you don’t have to. IDEs constantly develop rules based on threat-based research and observed attack paths. They emulate attacks in the lab, then craft detections based on threat actor behavior.
Our IDEs are open to new ideas for detections, based on customers’ needs — just like the customer who wanted to detect AS-REP. Meanwhile, our responsive security operations team is available for expertise and ongoing support to help you continuously improve your security coverage.
Try Blumira for free today to learn more about our solution. You can also give our free Domain Security Assessment a try. Sign up here for a comprehensive view of your publicly accessible assets and potential security gaps in minutes.