• QOMPLX Knowledge
  • Jun 18, 2021
  • By QOMPLX

QOMPLX Knowledge: Detecting ASREP Roasting Attacks

This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Before cyber adversaries can compromise an IT environment, they need to gain a foothold in it. That means gaining control over an active account, whether highly privileged or not. From there, skilled adversaries can exploit known vulnerabilities or take advantage of security and configuration lapses to elevate their level of access and move on to higher-value IT assets, up to and including the domain controller.

AS_REP Roasting is a variation of a Kerberos ticket forgery attack that is commonly used to expose credentials for user and service accounts and give attackers a toehold within a compromised environment. In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot AS_REP Roasting attacks.

Key Points:

  • AS_REP Roasting is a common, pervasive attack that exploits a combination of weak encryption, poor password hygiene and loose Active Directory security configurations
  • AS_REP Roasting targets the Authentication Service Response (AS_REP) stage of the Kerberos authentication “handshake.”
  • For accounts with the Do not require Kerberos preauthentication option set, attackers can request authentication data for such a user and receive an encrypted TGT (AS_REP) containing hash material for that account's credentials, which can be cracked (“roasted”) offline.
  • AS_REP Roasting is effective because an attacker does not require domain administrator credentials to pull off this attack and can extract service account credential hashes without sending packets to the target system, frustrating monitoring.

How AS_REP Roasting Works:

Pre-authentication is a standard feature of the Kerberos “handshake.” In most exchanges, the user's password is used as part of a Kerberos Authentication Service Request (AS_REQ) to encrypt a timestamp that the Domain Controller decrypts and verifies, confirming that the AS_REQ is not simply a previous request being “replayed” as part of an attack.

Pre-authentication is required by default in Active Directory, but the option can be disabled for an individual user account, opening an avenue of attack. An attacker with knowledge of which accounts have pre-authentication disabled can request authentication data for that user and receive an encrypted TGT (AS_REP) from the Domain Controller that can be brute-forced offline, revealing the account credentials.

QOMPLX Detection:

QOMPLX Identity Assurance (IA) detects AS_REP Roasting attacks by looking for spikes in Kerberos authentication requests associated with accounts for which the Do not require Kerberos preauthentication option has been enabled. False positives could be triggered in environments with a large number of users who have the Do not require Kerberos preauthentication option enabled. However, security best practice is to disable this option and require pre-authentication for all user and service accounts.
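As an added example (not QOMPLX's code and not the logic of the Identity Assurance product), the following Python script shows the two checks the detection described above rests on: listing the accounts whose userAccountControl carries the DONT_REQ_PREAUTH bit (0x400000), and counting Windows Security Event ID 4768 (TGT requested) records issued with Pre-Authentication Type 0 for those accounts from one source address inside a sliding time window. The directory snapshot, the event lines, the account names, the IP addresses and the threshold of three requests in five minutes are all constructed for this example.

```python
"""Added example: correlate AS_REP Roasting indicators from two constructed
data sets (a directory snapshot and Event ID 4768 records). Not QOMPLX code."""
from collections import defaultdict
from datetime import datetime, timedelta

# userAccountControl bits (documented Active Directory flag values).
DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"
ACCOUNTDISABLE = 0x2          # account is disabled; it cannot obtain a TGT

# Constructed directory snapshot: sAMAccountName -> userAccountControl.
DIRECTORY = {
    "alice":   0x200,                       # normal account, preauth required
    "svc_bak": 0x200 | DONT_REQ_PREAUTH,    # preauth not required
    "svc_rpt": 0x200 | DONT_REQ_PREAUTH,    # preauth not required
    "legacy1": 0x200 | DONT_REQ_PREAUTH | ACCOUNTDISABLE,  # flagged but disabled
}

# Constructed Event ID 4768 (TGT requested) records, reduced to the fields
# this check needs. PreAuthType=0 means the TGT was issued without
# pre-authentication; PreAuthType=2 is the usual encrypted-timestamp case.
EVENT_LINES = """
2021-06-18T09:00:05Z EventID=4768 TargetUserName=svc_bak PreAuthType=0 IpAddress=10.0.0.50
2021-06-18T10:15:01Z EventID=4768 TargetUserName=alice PreAuthType=2 IpAddress=10.0.0.50
2021-06-18T10:15:02Z EventID=4768 TargetUserName=svc_bak PreAuthType=0 IpAddress=10.0.0.23
2021-06-18T10:15:02Z EventID=4768 TargetUserName=svc_rpt PreAuthType=0 IpAddress=10.0.0.23
2021-06-18T10:15:03Z EventID=4768 TargetUserName=svc_bak PreAuthType=0 IpAddress=10.0.0.23
""".strip().splitlines()


def accounts_without_preauth(directory, include_disabled=False):
    """Audit step: enabled accounts that carry the DONT_REQ_PREAUTH bit."""
    found = []
    for name, uac in directory.items():
        if not uac & DONT_REQ_PREAUTH:
            continue
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        found.append(name)
    return sorted(found)


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict."""
    stamp, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    rec["PreAuthType"] = int(rec["PreAuthType"])
    return rec


def detect_roasting(lines, directory, window=timedelta(minutes=5), threshold=3):
    """Flag a source IP that requests TGTs without pre-authentication for
    DONT_REQ_PREAUTH accounts at least `threshold` times inside `window`."""
    flagged = set(accounts_without_preauth(directory))
    events = (parse_event(line) for line in lines)
    hits = [e for e in events
            if e["EventID"] == "4768" and e["PreAuthType"] == 0
            and e["TargetUserName"] in flagged]
    by_ip = defaultdict(list)
    for e in sorted(hits, key=lambda e: e["time"]):
        by_ip[e["IpAddress"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward so it spans at most `window`.
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = evs[start:end + 1]
                alerts.append({
                    "ip": ip,
                    "count": len(burst),
                    "accounts": sorted({e["TargetUserName"] for e in burst}),
                    "first": burst[0]["time"],
                    "last": burst[-1]["time"],
                })
                break  # one alert per source is enough for this example
    return alerts


if __name__ == "__main__":
    print("Accounts without pre-authentication:", accounts_without_preauth(DIRECTORY))
    for alert in detect_roasting(EVENT_LINES, DIRECTORY):
        print(f"ALERT {alert['ip']}: {alert['count']} no-preauth TGT requests "
              f"for {alert['accounts']} between {alert['first']} and {alert['last']}")
```

On the constructed data, the single early request from 10.0.0.50 for svc_bak stays below the threshold and is not reported, while the burst from 10.0.0.23 covering both enabled no-preauth accounts produces one alert. The `threshold` and `window` parameters are where the false-positive caveat above is handled: an environment with many accounts legitimately carrying the flag needs a higher threshold or a per-source baseline, and the audit list itself is the input for the mitigation the post recommends, re-enabling pre-authentication on each account found.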

Additional Reading:

QOMPLX Knowledge Series

QOMPLX Detections Reference
