Authentication Service Reply (AS-REP) Roasting enables attackers to request encrypted authentication replies for Active Directory accounts that have Kerberos pre-authentication disabled, then crack those replies offline to recover the accounts' passwords. AS-REP Roasting is one of the Active Directory threats that the cybersecurity agencies of the Five Eyes alliance warn about in their recent report, Detecting and Mitigating Active Directory Compromises.
What is AS-REP Roasting?
The attack depends on Kerberos pre-authentication being disabled for an account. Normally the KDC requires the client to prove knowledge of the password (by encrypting a timestamp with the key derived from it) before it returns an AS-REP. When pre-authentication is disabled, anyone who can reach a domain controller and knows the account name can request an AS-REP for that account without supplying the password (Figure 1). Part of that reply is encrypted with a key derived from the account's password, so once the attacker has the reply, they can attempt to crack it offline to retrieve the user's plaintext password, with no further interaction with the domain and no lockout risk.
How can you defend against AS-REP Roasting?
Defenders can use the free Purple Knight tool to identify Active Directory accounts that have Kerberos pre-authentication disabled (Figure 2). After identifying these vulnerable accounts, defenders should determine whether pre-authentication can be enabled to reduce the risk of attacks like AS-REP Roasting.
Purple Knight can provide a list of the accounts that have Kerberos pre-authentication disabled (Figure 3). The next step is to assess whether each account genuinely requires this setting to be disabled.
In this example, I ran a PowerShell script that processed the list of user accounts with Kerberos pre-authentication disabled and enabled pre-authentication on each one to mitigate the threat of AS-REP Roasting (Figure 4). In practice, you should always determine why pre-authentication is disabled and verify that it can be enabled for each account before making changes; applications that rely on a non-Windows Kerberos client are the usual reason the flag was set. If an account may already have been roasted, also reset its password: enabling pre-authentication stops new AS-REPs from being harvested, but it does nothing about replies an attacker has already captured.
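The inventory-review-remediate-verify cycle described above, as an added PowerShell example that is not the script from the article or a Semperis tool. It assumes the ActiveDirectory RSAT module, rights to write userAccountControl on the accounts, and two review files whose names (review.csv, approved.txt) are placeholders; the function and variable names are likewise mine.

```powershell
# Added example, not the script from the article or a Semperis tool: inventory
# accounts with Kerberos pre-authentication disabled, hand the list out for
# review, then enable pre-auth only on the approved accounts.
# Assumes the ActiveDirectory RSAT module, rights to write userAccountControl,
# and two review files whose names are placeholders (review.csv, approved.txt).
Import-Module ActiveDirectory

# DoesNotRequirePreAuth is the UF_DONT_REQUIRE_PREAUTH bit (0x400000) of
# userAccountControl; the AD module exposes it as a Boolean you can filter on.
function Get-AsrepRoastableAccount {
    Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true' -Properties DoesNotRequirePreAuth, LastLogonDate, PasswordLastSet, ServicePrincipalName, AdminCount, Description, MemberOf |
        Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet, AdminCount, Description,
            @{ Name = 'SPNs';       Expression = { $_.ServicePrincipalName -join ';' } },
            @{ Name = 'GroupCount'; Expression = { @($_.MemberOf).Count } }
}

# Step 1: export the inventory so each account owner can confirm that nothing
# (a legacy application, a non-Windows Kerberos client) still needs the flag.
# AdminCount, SPNs and group count help prioritise: a privileged account that
# is roastable is the one to fix first.
Get-AsrepRoastableAccount | Export-Csv -Path .\review.csv -NoTypeInformation

# Step 2: enable pre-authentication on the accounts that were approved.
# SupportsShouldProcess gives -WhatIf/-Confirm so the change can be rehearsed.
function Enable-KerberosPreAuth {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true)] [string[]] $SamAccountName)
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name -Properties DoesNotRequirePreAuth
        if (-not $user.DoesNotRequirePreAuth) {
            Write-Verbose "$name already requires pre-authentication"
            continue
        }
        if ($PSCmdlet.ShouldProcess($name, 'Enable Kerberos pre-authentication')) {
            # Clears UF_DONT_REQUIRE_PREAUTH; the KDC will now demand a valid
            # pre-auth timestamp before it returns an AS-REP for this account.
            Set-ADAccountControl -Identity $user -DoesNotRequirePreAuth $false
        }
    }
}

# approved.txt: one SamAccountName per line, produced by the review in step 1.
$approved = Get-Content -Path .\approved.txt | Where-Object { $_.Trim() -ne '' }
Enable-KerberosPreAuth -SamAccountName $approved -WhatIf   # remove -WhatIf to apply

# Step 3: verify. Anything still listed was either not approved or not changed;
# an approved account that is still listed points to a write error or replication lag.
Get-AsrepRoastableAccount | Format-Table -AutoSize
```

Run it once with -WhatIf and -Verbose to see exactly which accounts would change, then drop -WhatIf. Accounts that the review leaves with pre-authentication disabled should get a long random password and be treated as exposed, since the AS-REP for them can be harvested by anyone with network access to a domain controller.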
Note the increase in security score after enabling Kerberos pre-authentication (Figure 5).
Note that Purple Knight provides a point-in-time snapshot of potential vulnerabilities. For ongoing defense, Semperis Directory Services Protector (DSP) features a security indicator that continuously monitors for users with Kerberos pre-authentication disabled, the precondition an attacker needs to carry out an AS-REP Roasting attack (Figure 6). By catching accounts that unexpectedly have pre-authentication disabled, whether by misconfiguration or by an attacker setting the flag to make an account roastable, defenders can close the exposure before it is exploited.
How can you detect an AS-REP Roasting attack?
Defenders can detect AS-REP Roasting by monitoring event ID 4768 (a Kerberos authentication ticket was requested) on domain controllers (Figure 7). Look for a Pre-Authentication Type of 0, which means the TGT was requested without pre-authentication. The Service Name will be krbtgt, because the request is for a TGT from the KDC. A Ticket Encryption Type of 0x17 (RC4-HMAC) is a further indicator: roasting tools request RC4 because the resulting hash is cheaper to crack, but an AES-encrypted reply (0x12) can also be cracked, so do not rely on RC4 alone. Accounts that legitimately have pre-authentication disabled log Pre-Authentication Type 0 on every normal logon, so correlate by source address: a single client requesting TGTs without pre-authentication for several different accounts, or a known account doing so from a host it does not normally log on from, is the pattern to alert on.
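The detection logic described above, as an added PowerShell example that is not code from the article or from Semperis. It runs on constructed sample events (not real log data) so it works offline; the commented Get-WinEvent call at the end is the equivalent on a live domain controller. Function names, the sample account names and addresses, and the two-account threshold are my assumptions.

```powershell
# Added example, not code from the article or from Semperis: hunt for the
# AS-REP Roasting pattern in Security event 4768 on a domain controller.
# Scoring runs here on constructed sample events (not real logs) so the block
# works offline; the commented Get-WinEvent line is the live form.

# Flatten a 4768 EventRecord into the EventData fields the hunt needs.
function ConvertFrom-Event4768 {
    param([Parameter(Mandatory = $true)] [System.Diagnostics.Eventing.Reader.EventRecord] $Record)
    $xml  = [xml] $Record.ToXml()
    $data = @{}
    foreach ($item in $xml.Event.EventData.Data) { $data[$item.Name] = $item.'#text' }
    [pscustomobject] @{
        TimeCreated          = $Record.TimeCreated
        TargetUserName       = $data['TargetUserName']
        ServiceName          = $data['ServiceName']
        PreAuthType          = $data['PreAuthType']           # '0' = no pre-authentication
        TicketEncryptionType = $data['TicketEncryptionType']  # '0x17' = RC4-HMAC, '0x12' = AES256
        Status               = $data['Status']                # '0x0' = TGT issued
        IpAddress            = $data['IpAddress']
    }
}

# One 4768 fits the roasting pattern when a TGT (ServiceName krbtgt) was issued
# (Status 0x0) with no pre-authentication (PreAuthType 0). RC4 is kept as a
# separate flag: roasting tools ask for it because RC4 hashes crack faster, but
# an AES-encrypted AS-REP is still crackable, so it is not a hard filter.
function Test-AsrepRoastIndicator {
    param([Parameter(Mandatory = $true)] $Event)
    $noPreAuth = ($Event.PreAuthType -eq '0')
    $tgtIssued = ($Event.ServiceName -like 'krbtgt*') -and ($Event.Status -eq '0x0')
    [pscustomobject] @{
        TimeCreated    = $Event.TimeCreated
        TargetUserName = $Event.TargetUserName
        IpAddress      = $Event.IpAddress
        Suspicious     = ($noPreAuth -and $tgtIssued)
        Rc4Requested   = ($Event.TicketEncryptionType -eq '0x17')
    }
}

# Accounts that legitimately have pre-auth disabled produce PreAuthType 0 on
# every logon, so a single hit is noise. Group by source address: one client
# pulling AS-REPs for several different accounts is the sweep that tools such
# as Rubeus asreproast or ASREPRoast.ps1 produce.
function Get-AsrepRoastSource {
    param([Parameter(Mandatory = $true)] [object[]] $Events, [int] $MinAccounts = 2)
    $Events |
        ForEach-Object { Test-AsrepRoastIndicator -Event $_ } |
        Where-Object { $_.Suspicious } |
        Group-Object -Property IpAddress |
        ForEach-Object {
            $accounts = @($_.Group.TargetUserName | Sort-Object -Unique)
            if ($accounts.Count -ge $MinAccounts) {
                [pscustomobject] @{
                    IpAddress    = $_.Name
                    AccountCount = $accounts.Count
                    Accounts     = ($accounts -join ',')
                    Rc4Requests  = @($_.Group | Where-Object { $_.Rc4Requested }).Count
                }
            }
        }
}

# Constructed sample events mirroring 4768 EventData (values are strings, as in
# the event XML). 10.0.5.30 is a service account logging on normally from its
# own host; 10.0.9.77 is one client pulling replies for three accounts.
$sample = @(
    [pscustomobject] @{ TimeCreated = (Get-Date); TargetUserName = 'jdoe';       ServiceName = 'krbtgt'; PreAuthType = '2'; TicketEncryptionType = '0x12'; Status = '0x0'; IpAddress = '10.0.5.20' }
    [pscustomobject] @{ TimeCreated = (Get-Date); TargetUserName = 'svc_legacy'; ServiceName = 'krbtgt'; PreAuthType = '0'; TicketEncryptionType = '0x12'; Status = '0x0'; IpAddress = '10.0.5.30' }
    [pscustomobject] @{ TimeCreated = (Get-Date); TargetUserName = 'svc_legacy'; ServiceName = 'krbtgt'; PreAuthType = '0'; TicketEncryptionType = '0x17'; Status = '0x0'; IpAddress = '10.0.9.77' }
    [pscustomobject] @{ TimeCreated = (Get-Date); TargetUserName = 'svc_backup'; ServiceName = 'krbtgt'; PreAuthType = '0'; TicketEncryptionType = '0x17'; Status = '0x0'; IpAddress = '10.0.9.77' }
    [pscustomobject] @{ TimeCreated = (Get-Date); TargetUserName = 't.smith';    ServiceName = 'krbtgt'; PreAuthType = '0'; TicketEncryptionType = '0x17'; Status = '0x0'; IpAddress = '10.0.9.77' }
)

Get-AsrepRoastSource -Events $sample | Format-Table -AutoSize

# Live equivalent on a DC, or against forwarded Security logs (last 24 hours):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-24) } |
#     ForEach-Object { ConvertFrom-Event4768 -Record $_ }
# Get-AsrepRoastSource -Events $live
```

The threshold on distinct accounts per source is what keeps the legitimate logons of pre-auth-disabled accounts out of the alert; a single roastable account harvested from its own usual host would slip under it, so also compare each hit's source address with where that account normally logs on from.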
Threat actor profiles
The following threat actors have been known to launch AS-REP Roasting attacks in the wild.
- BlackSuit [1]
- Diavol (MITRE ATT&CK Software S0659) [2]
AS-REP Roasting tools
The following public tools and scripts, which are available on github.com, can be used to perform an AS-REP Roasting attack and have been observed in use during real-world incidents.
- GhostPack/Rubeus
- HarmJ0y/ASREPRoast
AS-REP Roasting threat overview
ATT&CK Tactic: Credential Access
On August 26, 2024, The DFIR Report revealed that the BlackSuit ransomware gang used AS-REP Roasting in its attacks. The group targeted accounts with Kerberos pre-authentication disabled to capture and crack authentication replies, which gave it access to user passwords. [3]
On December 13, 2021, The DFIR Report detailed how the Diavol ransomware gang used AS-REP Roasting in its attacks. The gang targeted accounts with Kerberos pre-authentication disabled, capturing encrypted authentication replies. The group then cracked those replies offline to retrieve plaintext passwords. [4]
Semperis snapshot
AS-REP Roasting remains a relevant technique for attackers, targeting Active Directory accounts with Kerberos pre-authentication disabled. By cracking the encrypted authentication replies offline, attackers recover valid credentials without ever authenticating to the domain; if the roasted account is privileged, or its password is reused elsewhere, that is a direct path to lateral movement and privilege escalation. To defend against AS-REP Roasting, organizations must ensure that Kerberos pre-authentication is enabled for all accounts, give any account that must keep it disabled a long random password and treat that account as exposed, apply strong password policies so that captured replies do not crack, and regularly monitor for abnormal authentication behavior.