QOMPLX Knowledge: Detecting ASREP Roasting Attacks

This is the latest in a series of posts we call “QOMPLX Knowledge.” These posts are intended to provide basic information and insights about the attack activity and trends that are driving malicious campaigns and that QOMPLX researchers encounter in our forensic work with customers.

Before cyber adversaries can compromise an IT environment, they need to gain a foothold on it. That means gaining control over an active account - whether highly privileged or not. From there, skilled adversaries can exploit known vulnerabilities or take advantage of security and configuration lapses to elevate their level of access and move on to higher value IT assets up to- and including the domain controller.

AS_REP Roasting is a variation of a Kerberos ticket forgery attack that is commonly used to expose credentials for user and service accounts and give attackers a toehold within a compromised environment. In this post, we’re taking a look at how QOMPLX’s technology helps customers to spot AS_REP Roasting attacks.

Key Points:

  • AS_REP Roasting is a common, pervasive attack that exploits a combination of weak encryption, poor password hygiene and loose Active Directory security configurations
  • AS_REP Roasting targets the Authentication Service Response (AS_REP) stage of the Kerberos authentication “handshake.”
  • For accounts with the Do not require Kerberos preauthentication option attackers can request authentication data for any user and receive an encrypted TGT (AS_REP) containing hashes for the service account credentials for cracking (“roasting”) offline.
  • AS_REP Roasting is effective because an attacker does not require domain administrator credentials to pull off this attack and can extract service account credential hashes without sending packets to the target system, frustrating monitoring.

How AS_REP Roasting Works:

Pre-authentication is a standard feature of the Kerberos “handshake.” In most exchanges, a user submits their password as part of a Kerberos Authentication Service Request (AS_REQ). This is used to encrypt a timestamp that the Domain Controller decrypts and verifies to confirm  that AS_REQ is not simply a previous request that is being “replayed” as part of an attack.

Pre-authentication is required by default in Active Directory, but the option can be disabled for an individual user account, opening an avenue of attack. An attacker with knowledge of which accounts have the pre-authentication flag disabled can request authentication data for that user and receive an encrypted TGT (ASREP) from the Domain Controller that can be brute-forced offline, revealing the account credentials.

QOMPLX Detection:

QOMPLX Identity Assurance (IA) detects AS_REP Roasting attacks by looking for spikes in Kerberos authentication requests that are associated with accounts for which the Do not require Kerberos preauthentication option has been enabled. False positives could be triggered in environments with a large number of users that have the Do not require Kerberos preauthentication option enabled. However, security best practices are to disable this option and require pre-authentication for all user and service accounts.

Additional Reading:

QOMPLX Knowledge Series

QOMPLX Detections Reference