This note documents detection patterns related to ASREP Roasting within Active Directory environments.

Direct Indicators

Log	Event ID	Meaning	Forensic Value	Notes
Security	4768	Kerberos TGT request	Critical	Primary signal. Accounts with Do not require Kerberos preauthentication will return AS-REP responses containing crackable material. Review TargetUserName, IpAddress, TicketEncryptionType, PreAuthType. (`Logon without Pre-Authentication`)
Security	4771	Kerberos pre-authentication failed	Medium	Often appears when attackers test accounts before identifying those without preauth. Review FailureCode and TargetUserName.
Security	4624	Successful logon	Medium	Useful for correlation if attacker later logs in using cracked credentials.
Security	4688	Process creation	High	On compromised hosts may reveal tools like Rubeus, Impacket scripts, or PowerShell enumeration used for ASREP roasting.
Sysmon	1	Process creation	Critical	Look for execution of Rubeus, PowerView, Python-based Impacket scripts, or suspicious PowerShell commands.
Sysmon	3	Network connection	Medium	Kerberos traffic to domain controllers (port 88) from unusual hosts performing repeated TGT requests.

Indirect Indicators

Indicator	What To Look For	Forensic Value	Notes
Accounts without preauthentication	UserAccountControl flag: <br>`Logon without Pre-Authentication` enabled	Critical	These accounts are directly vulnerable to ASREP roasting.
High volume of TGT requests	Multiple 4768 events for many different usernames	High	Attackers often enumerate domain users and attempt AS-REP requests for each.
Enumeration before roasting	LDAP queries for user objects with preauth disabled	High	Often performed via PowerView, SharpHound, or LDAP queries.
Unusual source host	Kerberos requests originating from workstation not typically performing authentication enumeration	Medium	Useful contextual indicator.
Subsequent successful logon	4624 events for previously roasted accounts	Critical	Indicates cracked credential usage.

Common Tools

Tool	Usage
Rubeus	`asreproast` module requests AS-REP responses for vulnerable accounts.
Impacket GetNPUsers.py	Requests AS-REP responses for accounts without Kerberos preauthentication.
PowerView	Enumerates accounts vulnerable to ASREP roasting.
SharpHound	Identifies roastable users as part of BloodHound collection.
Hashcat / John	Offline cracking of AS-REP hashes.

Relevant Artifacts

Domain controller Security logs (4768 primary)
LDAP query logs (if directory service auditing enabled)
Endpoint process execution telemetry
Sysmon process and network logs
PowerShell logs (4103, 4104)
Prefetch execution artifacts
MFT and USN Journal file creation artifacts
EDR telemetry showing Kerberos enumeration behavior

MITRE ATT&CK References

T1558.004 AS-REP Roasting
T1558 Steal or Forge Kerberos Tickets
T1110 Brute Force (offline cracking stage)
T1078 Valid Accounts

Decision Tree

Is the suspicious event present?
- Review Security Event 4768 patterns for accounts requesting TGT without preauthentication.
What host generated the event?
- Identify the source IP making repeated Kerberos authentication requests.
Is the account expected to perform this action?
- Determine if the account is normal user authentication or enumeration behavior.
Pivot:
- Source host → investigate process execution and scripts.
- Account → check for privilege escalation or password reuse.
- Network → examine lateral movement attempts.
Confirm exploitation
- Determine if cracked credentials were used for later logon events.

Example Detection Templates

KQL

SecurityEvent
| where EventID == 4768
| summarize count(), UniqueUsers=dcount(TargetUserName) by IpAddress, bin(TimeGenerated, 5m)
| where UniqueUsers > 10
| order by UniqueUsers desc

SecurityEvent
| where EventID == 4768
| where PreAuthType == 0
| project TimeGenerated, TargetUserName, IpAddress, TicketEncryptionType

EQL

any where event.code == "4768"
| stats count(), users=cardinality(winlog.event_data.TargetUserName)
  by source.ip, date_trunc(5 minutes, @timestamp)
| where users >= 10

Sigma

title: ASREP Roasting Suspicious Activity
id: asrep-roasting-detection
status: experimental
description: Detects potential ASREP roasting via abnormal volume of Kerberos TGT requests
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4768
  timeframe: 5m
  condition: selection | count() by IpAddress >= 20
fields:
  - TargetUserName
  - IpAddress
  - TicketEncryptionType
falsepositives:
  - Misconfigured authentication systems
  - High authentication bursts from legitimate services
level: high
tags:
  - attack.credential_access
  - attack.t1558.004

Splunk

Accounts with Pre_Authentication_Type=0

index=main source="WinEventLog:Security" EventCode=4768 Pre_Authentication_Type=0
| rex field=src_ip "(\:\:ffff\:)?(?<src_ip>[0-9\.]+)"
| stats count dc(user) as UniqueUsers values(user) as Users by src_ip
| where UniqueUsers > 2
| sort - count

AS-REP Burst Detection

index=main source="WinEventLog:Security" EventCode=4768 Pre_Authentication_Type=0
| bin span=1m _time
| stats count values(user) as Users by src_ip _time
| where count > 5

Mitigation & Hardening

Control Area	Mitigation	Effectiveness	Notes
Account configuration	Disable Do not require Kerberos preauthentication on all accounts	High	Primary defense against ASREP roasting.
Password strength	Use long, complex passwords for service accounts	High	Reduces offline cracking success.
Monitoring	Alert on high volumes of 4768 events for many usernames	High	Effective detection of enumeration attempts.
Privileged accounts	Ensure admin accounts require Kerberos preauthentication	Critical	Prevents high-value credential exposure.
Account auditing	Regularly audit accounts with DONT_REQ_PREAUTH flag	High	Identify and remediate misconfigurations.
Network monitoring	Track abnormal Kerberos request patterns from endpoints	Medium	Provides early detection of attack staging.