MITRE ATT&CK® Analytic

AN0316: Analytic 0316

Detects AS-REP roasting attempts by monitoring for Kerberos AS-REQ/AS-REP authentication patterns where preauthentication is disabled (Event ID 4768 with Pre-Auth Type 0). Correlates these requests with subsequent service ticket activity (Event ID 4769) and anomalies such as requests using weak RC4 encryption (etype 0x17). Excessive enumeration of accounts with 'Do not require Kerberos preauthentication' set in Active Directory is another key detection point.

Domain: Enterprise | ID: AN0316 | Type: Analytic | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because AS-REP roasting targets Active Directory accounts that do not require Kerberos preauthentication. For such an account the domain controller answers any AS-REQ with an AS-REP whose encrypted part is keyed from the account's password, so an attacker who can reach a domain controller can collect those responses and crack the passwords offline, with no failed logon recorded against the account. That is an identity risk to every business system that depends on Windows domain authentication. For leaders, the practical question is whether the organization can identify accounts with this risky setting and can see Kerberos authentication patterns that suggest those accounts are being enumerated or targeted.

Executive priority

Prioritize this as an identity and SOC readiness validation item for Windows/Active Directory environments. It supports decisions about hardening privileged or sensitive accounts, proving audit control over Kerberos configuration, and ensuring incident responders have the domain controller logs needed to investigate suspected credential access activity. The main business value is reducing avoidable exposure from misconfigured accounts and improving confidence that the SOC can detect suspicious Kerberos authentication behavior.

Technical view

Validate collection and analysis of Windows domain controller Kerberos events, especially Event ID 4768 where Pre-Auth Type is 0, correlated with Event ID 4769 service ticket activity. Review whether detections account for weak RC4 encryption indicators such as etype 0x17 and for excessive enumeration of accounts configured with 'Do not require Kerberos preauthentication' in Active Directory. Because no ATT&CK detection logic or relationships were supplied, teams should treat this as a detection design requirement rather than a confirmed rule.

Likely telemetry

  • Windows domain controller security logs
  • Kerberos AS-REQ/AS-REP authentication events, especially Event ID 4768
  • Kerberos service ticket events, especially Event ID 4769
  • Pre-Auth Type values, including Pre-Auth Type 0
  • Kerberos encryption type values, including RC4 etype 0x17

Detection direction

  • Confirm Event ID 4768 and 4769 are collected from relevant Windows domain controllers with fields needed for account, source, preauthentication type, and encryption type analysis.
  • Tune for suspicious volume or breadth of requests involving accounts with preauthentication disabled rather than alerting on every legitimate Pre-Auth Type 0 occurrence.
  • Correlate AS-REQ/AS-REP patterns with subsequent service ticket activity to improve context and reduce noise.
  • Flag use of weak RC4 encryption indicators where present, while validating expected legacy dependencies before escalating severity.
  • Maintain an inventory or queryable view of accounts with 'Do not require Kerberos preauthentication' enabled so detection can distinguish known exceptions from new or unexpected exposure.
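
The following Python is an added illustration of the detection direction above, not logic published with the analytic (none is) and not code from Glexia or MITRE. It groups successful Event ID 4768 records with Pre-Auth Type 0 by source address, notes which were issued with etype 0x17, correlates them with later Event ID 4769 records from the same source, and checks requested accounts against an inventory of DONT_REQ_PREAUTH accounts so documented exceptions are separated from unreviewed exposure. Field names follow the EventData of events 4768 and 4769; the threshold, scoring, event records and directory contents are constructed assumptions for the example.

```python
"""AS-REP roasting triage over constructed 4768/4769 records (added example).

Field names follow the EventData of Windows Security events 4768 and 4769
(TargetUserName, IpAddress, PreAuthType, TicketEncryptionType, Status).
The threshold, scoring and sample data are assumptions, not published logic.
"""
from collections import defaultdict
from dataclasses import dataclass

DONT_REQ_PREAUTH = 0x400000   # userAccountControl bit; decimal 4194304
ETYPE_RC4_HMAC = 0x17         # Kerberos etype 23 (RC4-HMAC)
PREAUTH_NONE = "0"            # 4768 Pre-Authentication Type 0: logon without pre-auth

# LDAP filter for the inventory view: the bitwise-AND matching rule OID selects
# users whose userAccountControl has the DONT_REQ_PREAUTH bit set.
PREAUTH_DISABLED_FILTER = (
    "(&(objectCategory=person)(objectClass=user)"
    "(userAccountControl:1.2.840.113556.1.4.803:=4194304))"
)


def preauth_disabled(directory):
    """Accounts with DONT_REQ_PREAUTH set; directory maps sAMAccountName -> userAccountControl."""
    return {sam for sam, uac in directory.items() if uac & DONT_REQ_PREAUTH}


def unexpected_exposure(directory, allowlist):
    """Flagged accounts that are not documented exceptions (new or unreviewed exposure)."""
    return preauth_disabled(directory) - set(allowlist)


def normalize_ip(raw):
    """4768/4769 record IPv4 clients as IPv4-mapped IPv6, e.g. '::ffff:10.0.0.99'."""
    return raw[7:] if raw.startswith("::ffff:") else raw


@dataclass
class Finding:
    source: str
    accounts: list       # accounts issued a TGT without pre-authentication from this source
    rc4_accounts: list   # subset whose ticket encryption type was 0x17
    no_tgs: list         # subset with no later 4769 from the same source (TGT never used)
    unexpected: list     # subset outside the known-exception allowlist
    severity: str


def triage(events, directory, allowlist=frozenset(), min_breadth=3):
    """Group successful Pre-Auth Type 0 AS-REQs by source, correlate with 4769, score."""
    tgt, rc4, tgs = defaultdict(set), defaultdict(set), defaultdict(set)
    for e in sorted(events, key=lambda e: e["time"]):
        src = normalize_ip(e["IpAddress"])
        acct = e["TargetUserName"].split("@")[0].lower()   # 4769 logs user@REALM
        if e["EventID"] == 4768:
            if e["PreAuthType"] == PREAUTH_NONE and e["Status"] == "0x0":
                tgt[src].add(acct)
                if int(e["TicketEncryptionType"], 16) == ETYPE_RC4_HMAC:
                    rc4[src].add(acct)
        elif e["EventID"] == 4769 and acct in tgt.get(src, ()):
            tgs[src].add(acct)   # the TGT was used afterwards, as a real logon would
    new_exposure = unexpected_exposure(directory, allowlist)
    findings = []
    for src, accts in tgt.items():
        broad = len(accts) >= min_breadth   # assumed threshold: many accounts, one source
        if not broad and not rc4[src]:
            continue   # one AES request by an account known to lack pre-auth is routine
        no_tgs = accts - tgs[src]
        severity = "high" if broad and (rc4[src] or no_tgs) else "medium"
        findings.append(Finding(src, sorted(accts), sorted(rc4[src]), sorted(no_tgs),
                                sorted(accts & new_exposure), severity))
    return findings


# Constructed sample data, not real telemetry. 0x10200 = NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD.
SAMPLE_DIRECTORY = {
    "svc_backup": 0x10200 | DONT_REQ_PREAUTH,
    "legacy_app": 0x10200 | DONT_REQ_PREAUTH,
    "jdoe": 0x10200 | DONT_REQ_PREAUTH,
    "admin": 0x10200,
}


def ev(t, eid, user, ip, preauth, etype, status="0x0"):
    # 4769 carries no PreAuthType; "-" stands in for it here.
    return {"time": t, "EventID": eid, "TargetUserName": user, "IpAddress": ip,
            "PreAuthType": preauth, "TicketEncryptionType": etype, "Status": status}


SAMPLE_EVENTS = [
    ev(1, 4768, "legacy_app", "::ffff:10.0.0.5", "0", "0x12"),             # known exception, AES
    ev(2, 4769, "legacy_app@CORP.LOCAL", "::ffff:10.0.0.5", "-", "0x12"),  # then uses its TGT
    ev(3, 4768, "admin", "::ffff:10.0.0.7", "2", "0x12"),                  # normal pre-authenticated logon
    ev(4, 4768, "ghost", "::ffff:10.0.0.99", "-", "0xffffffff", "0x6"),    # unknown principal, ignored
    ev(5, 4768, "svc_backup", "::ffff:10.0.0.99", "0", "0x17"),            # roasting: RC4 AS-REPs for
    ev(6, 4768, "legacy_app", "::ffff:10.0.0.99", "0", "0x17"),            #   several accounts from one
    ev(7, 4768, "jdoe", "::ffff:10.0.0.99", "0", "0x17"),                  #   source, no service tickets
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS, SAMPLE_DIRECTORY, allowlist={"legacy_app"}):
        print(f)
    print("unreviewed exposure:", sorted(unexpected_exposure(SAMPLE_DIRECTORY, {"legacy_app"})))
```

On the sample, only 10.0.0.99 produces a finding: three accounts, all issued with etype 0x17, none followed by a 4769, two of them outside the allowlist. The legitimate Pre-Auth Type 0 logon from 10.0.0.5 is dropped because it is a single AES request by a documented exception that goes on to request a service ticket. Pre-Auth Type 0 appears on every logon by an account with preauthentication disabled, which is why breadth per source and the RC4 indicator drive the score rather than the value alone.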

Mitigation priorities

  • Identify and review Active Directory accounts configured with 'Do not require Kerberos preauthentication'.
  • Remove the preauthentication exception where it is not required, prioritizing privileged, service, administrative, and business-critical accounts.
  • Reduce reliance on weak Kerberos encryption where feasible, including the RC4 exposure identified in the analytic description. In Active Directory this is governed by the msDS-SupportedEncryptionTypes attribute on accounts and the 'Network security: Configure encryption types allowed for Kerberos' policy; test the removal of RC4 against legacy systems before enforcing it.
  • Ensure domain controller security logging and retention support investigation of Event ID 4768 and 4769 activity.
  • Create operational runbooks for SOC and incident response teams covering validation of suspicious Kerberos authentication patterns and account configuration review.

Analyst notes and limits

This is an ATT&CK detection analytic for Windows focused on Kerberos AS-REP roasting indicators. The strongest defensive value is combining configuration review of preauthentication-disabled accounts with domain controller event monitoring. No tactic mapping, technique relationship, or official detection query was supplied, so local implementation must define thresholds, enrichment, and escalation criteria.

The supplied object has no official detection field, no relationship context, and no ATT&CK tactics specified. This take is therefore limited to the official description, platform, external reference, and object metadata. It does not establish that exploitation is occurring, that any specific adversary uses the behavior, or that a given environment has detection coverage.

Official MITRE ATT&CK definition


The official description of Analytic 0316 is reproduced at the top of this page. View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 9c6e951ee23cc4e2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | 9c6e951ee23c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] mitre-attack AN0316

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.