T1558.004: AS-REP Roasting

AS-REP Roasting matters because a single Active Directory account with Kerberos preauthentication disabled can expose password-derived material for offline cracking. For leaders, this is an identity hygiene issue: weak configuration and weak passwords can turn normal domain authentication behavior into a path toward valid account access, persistence, privilege escalation, and lateral movement.

Executive priority

Prioritize this as part of Active Directory risk reduction and audit readiness. Security leaders should ask whether any domain accounts are allowed to authenticate without Kerberos preauthentication, whether password policy strength is sufficient to withstand offline cracking, and whether domain controller auditing can prove the organization would see suspicious Kerberos ticket requests. This is especially important for privileged, service, legacy, or exception-based accounts.

Technical view

This is a Windows enterprise credential-access sub-technique under Steal or Forge Kerberos Tickets. Defenders should validate exposure by auditing accounts with preauthentication disabled and reviewing Kerberos authentication activity from domain controllers. The supplied relationship context identifies DET0113, Detect AS-REP Roasting Attempts, and Rubeus as related software. Detection engineering should focus on Kerberos TGT request evidence, LDAP discovery of accounts with preauthentication disabled, unusual request patterns across many users, and suspicious Windows/PowerShell activity where LDAP filters are used to enumerate account settings.

Likely telemetry

Windows domain controller Kerberos authentication logs, especially TGT request events such as Microsoft event 4768
Account configuration data showing whether Kerberos preauthentication is disabled
LDAP query activity against Active Directory account attributes
Windows PowerShell or command execution logs where account enumeration may occur
Authentication failures or unusual AS-REQ/AS-REP request patterns across multiple users

Detection direction

Validate whether DET0113-style logic is implemented and tested against local domain controller telemetry.
Hunt for accounts with preauthentication disabled, then prioritize monitoring around those accounts.
Review Kerberos TGT requests for unusual volume, user enumeration patterns, or requests associated with accounts that do not require preauthentication.
Correlate Kerberos activity with LDAP enumeration and PowerShell execution where available.
Tune carefully for administrative inventory, identity governance scans, or legitimate audit tools to reduce false positives.

Mitigation priorities

Remove unnecessary exceptions by enabling Kerberos preauthentication on domain accounts wherever operationally possible.
Apply strong password policies consistent with M1027, especially for accounts that cannot immediately be remediated.
Audit account configuration and authentication logs regularly, consistent with M1047, and retain evidence for compliance and incident response.
Review Kerberos encryption posture and reduce reliance on insecure algorithms where supported by the environment.
Prioritize privileged, service, and legacy accounts for remediation because cracked credentials may enable valid-account access and follow-on movement.

Analyst notes and limits

The business value is in confirming both exposure and observability: which accounts are roastable, whether passwords are resilient, and whether the SOC can identify suspicious Kerberos requests from domain controller logs. Relationship context links this behavior to the broader Kerberos ticket abuse technique T1558 and to Rubeus as related Windows software.

MITRE did not provide an official detection section for this object. Recommendations are derived from the official description, external references, and supplied relationships. Local Active Directory design, legacy application requirements, audit policy, and log retention determine actual risk and detection feasibility.

Official MITRE ATT&CK definition

AS-REP Roasting

Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by Password Cracking Kerberos messages.[1]

Preauthentication offers protection against offline Password Cracking. When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.[2]

For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline Password Cracking attacks similarly to Kerberoasting and expose plaintext credentials. [1][3]

An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like PowerShell with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data. [1][3]

Cracked hashes may enable Persistence, Privilege Escalation, and Lateral Movement via access to Valid Accounts.[4]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 1 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1558	Steal or Forge Kerberos Tickets	This object subtechnique of Steal or Forge Kerberos Tickets.

Associated objects

Groups, software, and campaigns

S1071: Rubeus

Rubeus is a C# toolset designed for raw Kerberos interaction that has been used since at least 2020, including in ransomware operations.[1][2][3][4]

Windows

Relationship explorer

All related ATT&CK context

mitigates · Mitigation M1047: Audit Enterprise mitigates · Mitigation M1027: Password Policies Enterprise detects · Detection Strategy DET0113: Detect AS-REP Roasting Attempts (T1558.004) Enterprise uses · Tool S1071: Rubeus Enterprise mitigates · Mitigation M1041: Encrypt Sensitive Information Enterprise subtechnique of · Technique T1558: Steal or Forge Kerberos Tickets Enterprise

Mitigations

Mitigation direction

M1047: Audit

Auditing is the process of recording activity and systematically reviewing and analyzing the activity and system configurations. The primary purpose of auditing is to detect anomalies and identify potential threats or weaknesses in the environment. Proper auditing configurations can also help to meet compliance requirements. The process of auditing encompasses regular analysis of user behaviors and system logs in support of proactive security measures.

Auditing is applicable to all systems used within an organization, from the front door of a building to accessing a file on a fileserver. It is considered more critical for regulated industries such as, healthcare, finance and government where compliance requirements demand stringent tracking of user and system activates.This mitigation can be implemented through the following measures:

System Audit:

- Use Case: Regularly assess system configurations to ensure compliance with organizational security policies. - Implementation: Use tools to scan for deviations from established benchmarks.

Permission Audits:

- Use Case: Review file and folder permissions to minimize the risk of unauthorized access or privilege escalation. - Implementation: Run access reviews to identify users or groups with excessive permissions.

Software Audits:

- Use Case: Identify outdated, unsupported, or insecure software that could serve as an attack vector. - Implementation: Use inventory and vulnerability scanning tools to detect outdated versions and recommend secure alternatives.

Configuration Audits:

- Use Case: Evaluate system and network configurations to ensure secure settings (e.g., disabled SMBv1, enabled MFA). - Implementation: Implement automated configuration scanning tools like SCAP (Security Content Automation Protocol) to identify non-compliant systems.

Network Audits:

- Use Case: Examine network traffic, firewall rules, and endpoint communications to identify unauthorized or insecure connections. - Implementation: Utilize tools such as Wireshark, or Zeek to monitor and log suspicious network behavior.

M1027: Password Policies

Set and enforce secure password policies for accounts to reduce the likelihood of unauthorized access. Strong password policies include enforcing password complexity, requiring regular password changes, and preventing password reuse. This mitigation can be implemented through the following measures:

Windows Systems:

- Use Group Policy Management Console (GPMC) to configure: - Minimum password length (e.g., 12+ characters). - Password complexity requirements. - Password history (e.g., disallow last 24 passwords). - Account lockout duration and thresholds.

Linux Systems:

- Configure Pluggable Authentication Modules (PAM): - Use `pam_pwquality` to enforce complexity and length requirements. - Implement `pam_tally2` or `pam_faillock` for account lockouts. - Use `pwunconv` to disable password reuse.

Password Managers:

- Enforce usage of enterprise password managers (e.g., Bitwarden, 1Password, LastPass) to generate and store strong passwords.

Password Blacklisting:

- Use tools like Have I Been Pwned password checks or NIST-based blacklist solutions to prevent users from setting compromised passwords.

Regular Auditing:

- Periodically audit password policies and account configurations to ensure compliance using tools like LAPS (Local Admin Password Solution) and vulnerability scanners.

*Tools for Implementation*

Windows:

- Group Policy Management Console (GPMC): Enforce password policies. - Microsoft Local Administrator Password Solution (LAPS): Enforce random, unique admin passwords.

Linux/macOS:

- PAM Modules (pam_pwquality, pam_tally2, pam_faillock): Enforce password rules. - Lynis: Audit password policies and system configurations.

Cross-Platform:

- Password Managers (Bitwarden, 1Password, KeePass): Manage and enforce strong passwords. - Have I Been Pwned API: Prevent the use of breached passwords. - NIST SP 800-63B compliant tools: Enforce password guidelines and blacklisting.

M1041: Encrypt Sensitive Information

Protect sensitive information at rest, in transit, and during processing by using strong encryption algorithms. Encryption ensures the confidentiality and integrity of data, preventing unauthorized access or tampering. This mitigation can be implemented through the following measures:

Encrypt Data at Rest:

- Use Case: Use full-disk encryption or file-level encryption to secure sensitive data stored on devices. - Implementation: Implement BitLocker for Windows systems or FileVault for macOS devices to encrypt hard drives.

Encrypt Data in Transit:

- Use Case: Use secure communication protocols (e.g., TLS, HTTPS) to encrypt sensitive data as it travels over networks. - Implementation: Enable HTTPS for all web applications and configure mail servers to enforce STARTTLS for email encryption.

Encrypt Backups:

- Use Case: Ensure that backup data is encrypted both during storage and transfer to prevent unauthorized access. - Implementation: Encrypt cloud backups using AES-256 before uploading them to Amazon S3 or Google Cloud.

Encrypt Application Secrets:

- Use Case: Store sensitive credentials, API keys, and configuration files in encrypted vaults. - Implementation: Use HashiCorp Vault or AWS Secrets Manager to manage and encrypt secrets.

Database Encryption:

- Use Case: Enable Transparent Data Encryption (TDE) or column-level encryption in database management systems. - Implementation: Use MySQL’s built-in encryption features to encrypt sensitive database fields such as social security numbers.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: Aug 24, 2020, 13:43 UTC (UTC+00:00)
Modified: Oct 24, 2025, 17:48 UTC (UTC+00:00)
Raw hash: 2dde40c361604b94...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	May 18, 2026, 07:08 UTC (UTC+00:00)	1.2	Oct 24, 2025, 17:48 UTC (UTC+00:00)	Current bundle	`2dde40c36160…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Harmj0y Roasting AS-REPs Jan 2017

HarmJ0y. (2017, January 17). Roasting AS-REPs. Retrieved September 23, 2024.
Open source URL
[2]
Microsoft Kerberos Preauth 2014

Sanyal, M.. (2014, March 18). Kerberos Pre-Authentication: Why It Should Not Be Disabled. Retrieved August 25, 2020.
Open source URL
[3]
Stealthbits Cracking AS-REP Roasting Jun 2019

Jeff Warren. (2019, June 27). Cracking Active Directory Passwords with AS-REP Roasting. Retrieved August 24, 2020.
Open source URL
[4]
SANS Attacking Kerberos Nov 2014

Medin, T. (2014, November). Attacking Kerberos - Kicking the Guard Dog of Hades. Retrieved March 22, 2018.
Open source URL
[5]
AdSecurity Cracking Kerberos Dec 2015

Metcalf, S. (2015, December 31). Cracking Kerberos TGS Tickets Using Kerberoast – Exploiting Kerberos to Compromise the Active Directory Domain. Retrieved March 22, 2018.
Open source URL
[6]
Microsoft 4768 TGT 2017

Microsoft. (2017, April 19). 4768(S, F): A Kerberos authentication ticket (TGT) was requested. Retrieved August 24, 2020.
Open source URL
[7]
Microsoft Detecting Kerberoasting Feb 2018

Bani, M. (2018, February 23). Detecting Kerberoasting activity using Azure Security Center. Retrieved March 23, 2018.
Open source URL
[8]
mitre-attack T1558.004
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams