MITRE ATT&CK® Detection Strategy

DET0113: Detect AS-REP Roasting Attempts (T1558.004)

Enterprise | DET0113 | Detection Strategy | Object v1.0 | Modified

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

DET0113 is a detection strategy for AS-REP Roasting, a Windows Kerberos credential-access behavior where accounts without Kerberos preauthentication can expose material for offline password cracking. For leaders, the practical issue is not just a log alert: it is whether Active Directory identity hygiene, domain controller telemetry, and SOC workflows can identify risky account configuration and suspicious Kerberos authentication activity before weak credentials become a broader incident.

Executive priority

Prioritize this as an identity and resilience control question: do any business-critical or privileged accounts have Kerberos preauthentication disabled, and can the organization prove monitoring around domain controller authentication activity? This supports incident readiness, audit evidence for identity controls, and vulnerability/risk prioritization for Active Directory environments. Because the supplied ATT&CK object has no official detection text, leadership should ask for environment-specific validation rather than assume coverage from the detection strategy name alone.

Technical view

The related ATT&CK technique is T1558.004 AS-REP Roasting under Credential Access on Windows. SOC and detection engineering teams should validate coverage around Kerberos authentication activity involving accounts with preauthentication disabled, especially on domain controllers and identity monitoring sources. Incident responders should be prepared to correlate suspicious Kerberos request patterns with account configuration, privilege level, password policy strength, and subsequent authentication activity. Since DET0113 does not provide an official detection procedure in the supplied fields, detection content should be tested and documented locally.

Likely telemetry

  • Domain controller security event logs related to Kerberos authentication
  • Active Directory account attributes indicating whether Kerberos preauthentication is required
  • Identity directory inventory for privileged, service, and business-critical accounts
  • Authentication patterns by source host, account, and time window
  • Password policy and account hygiene evidence relevant to offline cracking risk

Detection direction

  • Validate that domain controller Kerberos authentication telemetry is collected, retained, and searchable with account and source context.
  • Tune analytics around requests involving accounts with Kerberos preauthentication disabled, with higher priority for privileged or sensitive accounts.
  • Correlate potential AS-REP Roasting indicators with account configuration rather than treating Kerberos volume alone as conclusive.
  • Review false positives from legacy applications, service accounts, or administrative configurations that may legitimately have unusual Kerberos behavior.
  • Document detection assumptions and test results, because the supplied ATT&CK detection strategy contains no official detection logic.
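
One way to implement the correlation described in the list above, as an added example (not MITRE's or Glexia's detection logic): it matches constructed events shaped like Windows Security Event ID 4768 with Pre-Authentication Type 0 against a constructed account inventory carrying the `DONT_REQ_PREAUTH` userAccountControl bit (0x400000). The account names, addresses, time window and thresholds are assumptions to be tuned locally.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DONT_REQ_PREAUTH = 0x400000  # userAccountControl bit: preauthentication not required

# Constructed inventory: account -> (userAccountControl, is_privileged)
INVENTORY = {
    "svc-legacy": (0x410200, False),
    "svc-backup": (0x410200, True),
    "svc-scan":   (0x410200, False),
    "svc-print":  (0x410200, False),
    "jdoe":       (0x000200, False),   # preauthentication required
}

# Constructed events shaped like Event ID 4768 fields:
# (time, TargetUserName, IpAddress, PreAuthType, Status)
EVENTS = [
    ("2024-05-01T09:00:05", "svc-legacy", "10.0.5.20", 0, "0x0"),
    ("2024-05-01T13:00:07", "svc-legacy", "10.0.5.20", 0, "0x0"),
    ("2024-05-01T10:15:01", "svc-scan",   "10.0.9.77", 0, "0x0"),
    ("2024-05-01T10:15:02", "svc-print",  "10.0.9.77", 0, "0x0"),
    ("2024-05-01T10:15:03", "svc-backup", "10.0.9.77", 0, "0x0"),
    ("2024-05-01T10:16:00", "jdoe",       "10.0.9.77", 2, "0x0"),
]

def find_candidates(events, inventory, window=timedelta(minutes=5), min_accounts=3):
    """Return {source_ip: finding} for no-preauth TGT grants to preauth-disabled accounts."""
    by_source = defaultdict(list)
    for ts, user, ip, preauth_type, status in events:
        uac, _ = inventory.get(user.lower(), (0, False))
        # Correlate with account configuration, not Kerberos volume alone.
        if preauth_type == 0 and status == "0x0" and uac & DONT_REQ_PREAUTH:
            by_source[ip].append((datetime.fromisoformat(ts), user.lower()))
    findings = {}
    for ip, hits in by_source.items():
        # Largest set of distinct accounts this source requested inside one window.
        burst = max(
            ({u for t, u in hits if start <= t < start + window} for start, _ in hits),
            key=len,
        )
        privileged = sorted({u for _, u in hits if inventory[u][1]})
        # Many accounts from one host, or any privileged account, is escalated;
        # one legacy account requested repeatedly stays low for review.
        severity = "high" if len(burst) >= min_accounts or privileged else "low"
        findings[ip] = {"accounts": sorted(burst), "privileged": privileged,
                        "severity": severity}
    return findings
```
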

Mitigation priorities

  • Inventory accounts with Kerberos preauthentication disabled and prioritize remediation for privileged, service, and high-business-impact accounts.
  • Review whether disabled preauthentication is still required; where not required, re-enable it through identity governance processes.
  • Strengthen password policy and credential hygiene for accounts that cannot immediately be remediated.
  • Ensure domain controller logging, identity monitoring, and SOC escalation paths are operational before relying on detection.
  • Use incident response playbooks to guide investigation of suspected credential-access activity and follow-on authentication attempts.

Analyst notes and limits

This take is based on DET0113 and its relationship to T1558.004 AS-REP Roasting. The most decision-useful angle is validation of Active Directory configuration and Kerberos telemetry, because the official object supplies no description or detection implementation details. Treat DET0113 as a prompt to verify identity exposure and monitoring readiness, not as evidence that a specific analytic exists or is effective in the local environment.

The supplied detection strategy has no official description, no official detection text, no tactics, and no platforms specified. Windows, Credential Access, and AS-REP Roasting context come from the related T1558.004 technique relationship. Local directory configuration, logging policy, and SIEM/EDR data availability are required to determine real coverage.

Official MITRE ATT&CK definition

Detect AS-REP Roasting Attempts (T1558.004)

No official description is available in the imported ATT&CK source object.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
| Enterprise | T1558.004 | AS-REP Roasting (Sub-technique) | This object detects AS-REP Roasting. |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: c15dfb3a1074ca00...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
| 19.1 | | 1.0 | | Current bundle | c15dfb3a1074… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.