What This Script Detects
AS-REP Roasting (MITRE ATT&CK T1558.004) targets user accounts with "Do not require Kerberos preauthentication" enabled. Attackers can request authentication responses (AS-REP) without providing credentials, then crack the encrypted portion offline to recover plaintext passwords.
Attack Overview
- Target: Accounts with disabled Kerberos preauthentication
- Prerequisites: Network access to Domain Controller (no credentials required)
- Impact: Offline password cracking, compromise of user accounts (including privileged accounts)
- Detection Difficulty: 🟢 Easy (Event ID 4768 with Pre-Auth Type 0)
Detection Indicators
This script monitors for:
- Vulnerable Accounts: Any account with "Do not require preauthentication" flag enabled
- Event ID 4768: Kerberos Authentication Ticket Requests with Pre-Auth Type 0
- Encryption Type: RC4-HMAC (0x17) or AES256 (0x12) tickets issued on a request made without preauthentication
- Service Name: krbtgt (the request is for a TGT from the authentication service)
Prerequisites
Requirements
- PowerShell Version: 5.1 or higher
- Permissions: Domain User rights, Event Log Reader on DCs
- Auditing: "Audit Kerberos Authentication Service" enabled
- Modules: ActiveDirectory PowerShell module
How to Use This Script
```powershell
# Identify vulnerable accounts
.\Detect-ASREPRoasting.ps1 -ScanOnly

# Monitor for active exploitation
.\Detect-ASREPRoasting.ps1 -HoursToCheck 24

# Full scan with remediation recommendations
.\Detect-ASREPRoasting.ps1 -Detailed -ExportPath "C:\Reports\ASREP-$(Get-Date -Format 'yyyy-MM-dd').csv"
```
Detection Script
Interpreting Results
Critical Finding: Accounts with Preauthentication Disabled
If ANY accounts are found with preauthentication disabled, this is a critical security vulnerability. Modern AD environments should have ZERO accounts with this setting.
⚠️ Immediate Action Required
For each account found:
- Enable Kerberos preauthentication immediately (unless documented legacy system exception)
- Force a password reset to a random password of 40+ characters
- Review account usage; migrate to modern authentication if possible
- Monitor for successful authentications from unusual sources
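The following is an added example, not the page's Detect-ASREPRoasting.ps1, covering both the vulnerable-account indicator above and the first two remediation steps. It queries the `userAccountControl` bit that backs the "Do not require Kerberos preauthentication" checkbox and then, only when confirmed, clears the flag and rotates the password. The function names are assumptions for this example; the cmdlets (`Get-ADUser`, `Set-ADAccountControl`, `Set-ADAccountPassword`) are the standard ActiveDirectory module ones, and the account needs rights to read, and for remediation modify, the target users.

```powershell
# Added example (not the page's Detect-ASREPRoasting.ps1). Assumes the ActiveDirectory
# module and rights to read, and for remediation modify, the affected accounts.
Import-Module ActiveDirectory

# userAccountControl bit 0x400000 is UF_DONT_REQUIRE_PREAUTH, the backing bit for the
# "Do not require Kerberos preauthentication" checkbox.
$DontReqPreauth = 0x400000

function Get-PreauthDisabledAccount {
    # OID 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule, so only accounts
    # with the flag set come back. Get-ADUser -Filter 'DoesNotRequirePreAuth -eq $true'
    # is the equivalent query through the extended property.
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$DontReqPreauth)" `
               -Properties userAccountControl, LastLogonDate, adminCount, servicePrincipalName |
        Select-Object SamAccountName, Enabled, LastLogonDate,
            @{ Name = 'Privileged'; Expression = { $_.adminCount -eq 1 } },
            @{ Name = 'HasSpn';     Expression = { [bool]$_.servicePrincipalName } },
            @{ Name = 'UacHex';     Expression = { '0x{0:X}' -f [int]$_.userAccountControl } }
}

function New-RandomPassword {
    # 32 bytes from a CSPRNG, Base64-encoded: 44 characters of upper-case, lower-case,
    # digits and (usually) '+' or '/', which meets the 40+ character recommendation.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    try { $rng.GetBytes($bytes) } finally { $rng.Dispose() }
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

function Repair-PreauthDisabledAccount {
    # Hypothetical helper name. Supports -WhatIf / -Confirm so the change can be previewed.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$SamAccountName)
    process {
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Re-enable Kerberos preauthentication')) {
            Set-ADAccountControl -Identity $SamAccountName -DoesNotRequirePreAuth $false
        }
        # An AS-REP captured while the flag was set can still be cracked later, so the
        # password has to rotate as well; re-enabling preauthentication alone is not enough.
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset password to a 44-character random value')) {
            Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword (New-RandomPassword)
        }
    }
}

# Usage: list findings, preview the remediation, then run it with confirmation.
$findings = Get-PreauthDisabledAccount
$findings | Format-Table -AutoSize
$findings | Repair-PreauthDisabledAccount -WhatIf
# $findings | Repair-PreauthDisabledAccount -Confirm
```

Run the scan on its own first; `Privileged` and `HasSpn` are there to order the remediation, since a privileged or service account with preauthentication disabled is the highest-value target. Keep any documented legacy exception out of the pipeline before calling the repair function.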
Active Exploitation Detection
Event ID 4768 with Pre-Auth Type 0 indicates either:
- Legitimate Use: the account authenticating normally (if preauthentication is legitimately disabled for it)
- Attack: an attacker harvesting AS-REPs for offline cracking
Key Differentiator: Attacks typically show multiple AS-REP requests from a single source IP for multiple accounts within a short timeframe.
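The differentiator above can be turned into detection logic. The block below is an added example, not the page's Detect-ASREPRoasting.ps1: it reads Event ID 4768 from a domain controller's Security log, keeps only successful TGT requests made with Pre-Auth Type 0, and then groups them by source IP, flagging any source that requests AS-REPs for several distinct accounts inside a sliding window. The function names, the thresholds (10 minutes, 3 accounts) and the `$SampleEvents` at the end are assumptions constructed for this example so the correlation runs without a DC; the event field names (`TargetUserName`, `ServiceName`, `TicketEncryptionType`, `PreAuthType`, `IpAddress`, `Status`) are the standard 4768 EventData fields.

```powershell
# Added example (not the page's Detect-ASREPRoasting.ps1).

function Get-NoPreauthTgtRequest {
    # Pull 4768 events from a DC and normalise the EventData fields we need.
    param(
        [string]$ComputerName = $env:COMPUTERNAME,   # point this at a domain controller
        [int]$HoursToCheck = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4768; StartTime = (Get-Date).AddHours(-$HoursToCheck) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop |
        ForEach-Object {
            $data = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Account     = $data['TargetUserName']
                Service     = $data['ServiceName']
                PreAuthType = $data['PreAuthType']
                EncType     = $data['TicketEncryptionType']
                Status      = $data['Status']
                SourceIp    = $data['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix
            }
        } |
        Where-Object {
            # Pre-Auth Type 0 = no preauthentication; Status 0x0 = a TGT (the AS-REP) was issued.
            $_.PreAuthType -eq '0' -and $_.Status -eq '0x0' -and $_.Service -eq 'krbtgt'
        }
}

function Find-ASREPHarvesting {
    # Per source IP, slide a window over the events and report the largest number of
    # distinct accounts requested inside it. One host authenticating one preauth-disabled
    # account (the legitimate case) scores 1; a harvesting run scores the number of accounts.
    param(
        [Parameter(Mandatory)][object[]]$Events,
        [int]$WindowMinutes = 10,
        [int]$MinDistinctAccounts = 3
    )
    foreach ($bySource in ($Events | Group-Object SourceIp)) {
        $ordered = @($bySource.Group | Sort-Object Time)
        $best = $null
        foreach ($start in $ordered) {
            $end = $start.Time.AddMinutes($WindowMinutes)
            $inWindow = @($ordered | Where-Object { $_.Time -ge $start.Time -and $_.Time -le $end })
            $accounts = @($inWindow.Account | Sort-Object -Unique)
            if (-not $best -or $accounts.Count -gt $best.DistinctAccounts) {
                $best = [pscustomobject]@{
                    SourceIp         = $bySource.Name
                    WindowStart      = $start.Time
                    DistinctAccounts = $accounts.Count
                    Accounts         = ($accounts -join ', ')
                    EncTypes         = (@($inWindow.EncType | Sort-Object -Unique) -join ', ')
                }
            }
        }
        if ($best.DistinctAccounts -ge $MinDistinctAccounts) { $best }
    }
}

# Constructed sample (not real log data): one source walks through four accounts in
# 30 seconds; a legacy host authenticates the same preauth-disabled account twice a day.
$t0 = [datetime]'2024-01-15T09:00:00'
function New-SampleEvent($sec, $acct, $ip, $enc) {
    [pscustomobject]@{ Time = $t0.AddSeconds($sec); Account = $acct; Service = 'krbtgt'
                       PreAuthType = '0'; EncType = $enc; Status = '0x0'; SourceIp = $ip }
}
$SampleEvents = @(
    New-SampleEvent 0     'svc_backup' '10.10.20.55' '0x17'
    New-SampleEvent 8     'svc_legacy' '10.10.20.55' '0x17'
    New-SampleEvent 17    'jdoe'       '10.10.20.55' '0x17'
    New-SampleEvent 29    'app_sql'    '10.10.20.55' '0x12'
    New-SampleEvent 300   'svc_legacy' '10.10.5.12'  '0x12'
    New-SampleEvent 43200 'svc_legacy' '10.10.5.12'  '0x12'
)

# Only 10.10.20.55 is reported (4 distinct accounts); 10.10.5.12 scores 1 and is dropped.
Find-ASREPHarvesting -Events $SampleEvents | Format-List
# On a domain controller: Find-ASREPHarvesting -Events (Get-NoPreauthTgtRequest -HoursToCheck 24)
```

`EncTypes` is carried through because it tells the responder how urgent the password reset is: RC4-HMAC (0x17) material is far cheaper to crack offline than AES256 (0x12). Tune `MinDistinctAccounts` to the number of preauth-disabled accounts a single legitimate host could plausibly need; in an environment that should have none, even a threshold of 2 is reasonable.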