
Potential AS-REP Roasting via Kerberos TGT Requests

Severity: medium
Author: ANosir
Source: upstream

Detects suspicious Kerberos TGT requests with pre-authentication disabled (Pre-Authentication Type = 0) and Ticket Encryption Type 0x17, i.e. RC4-HMAC. This may indicate an AS-REP Roasting attack, where attackers request AS-REP messages for accounts without pre-authentication and attempt to crack the encrypted ticket offline to recover user passwords.

Event coverage

Provider            Event ID  Title
Security-Auditing   4768      A Kerberos authentication ticket (TGT) was requested.

Stages and Predicates

Stage 1: selection

PreAuthType: 0
ServiceName: krbtgt
TicketEncryptionType: 0x17
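The selection stage above is three equality predicates over fields of Security event 4768. The following is an added example, not the Sigma rule or any backend's generated query: it evaluates those predicates over a handful of constructed 4768/4769 records. The sample events, the `evaluate` and `normalize` helper names, and the assumption that some pipelines render `PreAuthType` and `TicketEncryptionType` as integers rather than the event log's text form are all this example's own.

```python
"""Added example: evaluate this rule's selection stage over constructed
Windows Security 4768 events. Not the Sigma rule itself or a backend
output; the sample records and the field rendering are assumptions."""
from typing import Any

# Selection predicates exactly as listed in Stage 1.
SELECTION = {
    "PreAuthType": "0",
    "ServiceName": "krbtgt",
    "TicketEncryptionType": "0x17",
}


def normalize(field: str, value: Any) -> str:
    """Render a field value the way the rule's string predicates expect.

    Event 4768 writes TicketEncryptionType and PreAuthType as text in its
    EventData ("0x17", "0"); the assumption here is that some pipelines
    convert them to integers (23, 0). Integers are rendered back to the
    event-log form, and strings are lower-cased because Sigma string
    matching is case-insensitive by default.
    """
    if isinstance(value, bool):
        value = int(value)
    if isinstance(value, int):
        if field == "TicketEncryptionType":
            return f"0x{value:x}"
        return str(value)
    return str(value).strip().lower()


def matches(event: dict) -> bool:
    """True when every selection field is present and equals its expected value."""
    return all(
        field in event and normalize(field, event[field]) == expected
        for field, expected in SELECTION.items()
    )


def evaluate(events: list[dict]) -> list[dict]:
    """Return the events the selection stage would fire on."""
    return [e for e in events if matches(e)]


# Constructed sample events (not real telemetry). Field names follow the
# EventData of Security 4768/4769.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "svc_backup", "ServiceName": "krbtgt",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.25"},
    # Normal pre-authenticated AES TGT request: no match.
    {"EventID": 4768, "TargetUserName": "alice", "ServiceName": "krbtgt",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.31"},
    # Same signal but with integer-rendered fields: still a match.
    {"EventID": 4768, "TargetUserName": "svc_legacy", "ServiceName": "krbtgt",
     "PreAuthType": 0, "TicketEncryptionType": 23, "IpAddress": "::ffff:10.0.0.44"},
    # Pre-auth disabled but AES ticket: the 0x17 predicate does not hold.
    {"EventID": 4768, "TargetUserName": "bob", "ServiceName": "krbtgt",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:10.0.0.50"},
    # Service ticket request (4769) carries no PreAuthType field: no match.
    {"EventID": 4769, "TargetUserName": "alice", "ServiceName": "cifs/fileserver",
     "TicketEncryptionType": "0x17", "IpAddress": "::ffff:10.0.0.31"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(f"ALERT {hit['TargetUserName']} from {hit['IpAddress']}: "
              f"PreAuthType={hit['PreAuthType']} enc={hit['TicketEncryptionType']}")
```

Run as a script it prints two alerts, for `svc_backup` and `svc_legacy`. The two non-matching 4768 records show why all three predicates are needed together: a pre-authenticated request or an AES-encrypted ticket does not carry the RC4 AS-REP an attacker could crack offline. On a hit, the account named in `TargetUserName` is one with pre-authentication disabled, and the `IpAddress` field gives the requesting host for triage.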

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field                 Kind  Values   Corpus
PreAuthType           eq    0
ServiceName           eq    krbtgt
TicketEncryptionType  eq    0x17     7 (splunk 4, sigma 3)