
How AS-REP Roasting Exploits Active Directory and Ways to Stop It

AS-REP Roasting is an attack method targeting Active Directory user objects that don’t require Kerberos pre-authentication. Unlike Kerberoasting, where service tickets are the focus, AS-REP Roasting lets attackers—using even unprivileged accounts—send Authentication Server Requests (AS-REQ) for users with pre-authentication disabled. The returned Authentication Server Response (AS-REP) is encrypted using the user’s password hash. Once obtained, attackers can brute-force this hash offline to recover the cleartext password and authenticate as that user.

Threat actors often launch AS-REP Roasting soon after initial access to escalate privileges or pivot within the network. This technique exploits misconfigurations often left behind to support outdated systems or legacy authentication protocols.

Tools commonly used to automate AS-REP Roasting include Rubeus (with the /asreproast flag) and Impacket modules that can mass-query Active Directory for vulnerable users and dump AS-REP hashes for cracking.

Mitigating AS-REP Roasting

To harden your Active Directory environment against this attack:

  • Require Kerberos pre-authentication for all user accounts. This setting is enabled by default but may be disabled for legacy support.
  • Apply least privilege to any account needing to bypass pre-auth, ensuring it doesn’t belong to critical groups like Domain Admins.
  • Use strong passwords: At least 30 characters for service accounts and 15 for user accounts, with uniqueness and randomness.

These measures reduce the risk of AS-REP Roasting by eliminating easy targets and strengthening credentials.

Detecting AS-REP Roasting

Since AS-REP Roasting mimics legitimate Kerberos traffic, detection can be tricky. However, monitoring for specific event patterns helps identify unusual behavior. Look out for bulk TGT requests targeting users with pre-authentication disabled, especially in short bursts.

Key Event IDs to Monitor

| Event ID | Source | Description |
| --- | --- | --- |
| 4625 | Domain Controllers | Failed login attempt. Indicates an unauthenticated AS-REP ticket retrieval. Not always present if the attacker has valid credentials. |
| 4738, 5136 | Domain Controllers | Account modified. May reflect changes to the Kerberos pre-auth setting, often toggled before/after AS-REP extraction. |
| 4768 | Domain Controllers | TGT request. High volume targeting non-pre-auth accounts may indicate AS-REP Roasting in progress. |
| 4769 | Domain Controllers | TGS request. Look for 0x17 (RC4 encryption), often used because the resulting ticket hashes are easy to crack. |

Correlate these events over a time window to detect suspicious patterns resembling roasting attacks.
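As an added illustration of that correlation step (not code from the original post), the following Python sketch flags any client that requests TGTs for several no-pre-auth accounts inside one short window, the "bulk requests in short bursts" pattern described above. The sample 4768 records, the tuple layout, the five-minute window and the three-account threshold are all constructed assumptions; the fields mirror the event's TargetUserName, IpAddress, PreAuthType and TicketEncryptionType values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Security log 4768 (TGT request) events; not real data.
# Tuple layout: (timestamp, TargetUserName, IpAddress, PreAuthType, TicketEncryptionType)
# PreAuthType 0 = no pre-authentication performed (the AS-REP Roasting case);
# PreAuthType 2 = PA-ENC-TIMESTAMP, i.e. a normal pre-authenticated logon.
SAMPLE_4768 = [
    ("2024-05-01T09:00:01", "svc-legacy", "10.0.0.50", 0, "0x17"),
    ("2024-05-01T09:00:02", "jdoe",       "10.0.0.50", 0, "0x17"),
    ("2024-05-01T09:00:02", "backup01",   "10.0.0.50", 0, "0x17"),
    ("2024-05-01T09:00:03", "printsvc",   "10.0.0.50", 0, "0x17"),
    ("2024-05-01T09:05:00", "asmith",     "10.0.0.77", 2, "0x12"),  # normal logon, ignored
    ("2024-05-01T11:30:00", "svc-legacy", "10.0.0.81", 0, "0x17"),  # lone legacy app, below threshold
]


def detect_asrep_bursts(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {client_ip: sorted distinct accounts} for every client that requested
    TGTs for at least `min_accounts` distinct no-pre-auth accounts within one `window`.
    """
    by_ip = defaultdict(list)
    for ts, user, ip, preauth, _etype in events:
        if preauth == 0:  # keep only TGT requests that skipped pre-authentication
            by_ip[ip].append((datetime.fromisoformat(ts), user))

    alerts = {}
    for ip, reqs in by_ip.items():
        reqs.sort()  # chronological order so the sliding window below is valid
        for i, (start, _) in enumerate(reqs):
            # all no-pre-auth requests from this client within `window` of reqs[i]
            users = {u for t, u in reqs[i:] if t - start <= window}
            if len(users) >= min_accounts:
                alerts[ip] = sorted(users)
                break  # one alert per client is enough for triage
    return alerts


if __name__ == "__main__":
    for ip, users in detect_asrep_bursts(SAMPLE_4768).items():
        print(f"possible AS-REP Roasting from {ip}: {', '.join(users)}")
```

Tune the window and threshold to the number of no-pre-auth accounts your environment legitimately keeps; a single legacy application touching one such account stays below the threshold, while a sweep across many of them in seconds does not.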

AS-REP Roasting preys on outdated configurations that should have been retired with your flip phones. If you’re still keeping accounts around without Kerberos pre-authentication, you’re handing out candy to attackers. Lock it down, monitor smartly, and let your SIEM do the roasting—of the logs, not your directory.
