{"id":228100,"date":"2024-08-05T10:50:06","date_gmt":"2024-08-05T08:50:06","guid":{"rendered":"https:\/\/www.intrinsec.com\/?p=227826"},"modified":"2026-02-24T10:39:52","modified_gmt":"2026-02-24T10:39:52","slug":"kerberos_opsec_part_2_as_rep-roasting","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_2_as_rep-roasting\/","title":{"rendered":"Kerberos OPSEC: Offense &amp; Detection Strategies for Red and Blue Team \u2013 Part 2: AS_REP Roasting"},"content":{"rendered":"<div style=\"height:58px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>In this article, we present the <em>AS_REP Roasting<\/em> attack, and the OPSEC considerations associated with it.<\/p>\n\n\n\n<p>Many of the elements needed to fully understand this article are available in previously published articles:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The configuration of log collection on the domain controller is available <a href=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_introduction\/\">here<\/a><\/li>\n\n\n\n<li>Reminders of OPSEC considerations relating to Kerberos are presented in our <a href=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_1_kerberoasting\/\">first article<\/a><\/li>\n<\/ul>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Also, Pixis&#039;s <a href=\"https:\/\/en.hackndo.com\/kerberos\/\">Hackndo<\/a> blog presents the overall operation of Kerberos within an Active Directory environment.<\/p>\n\n\n\n<p>Demo context is a little bit different from what is presented in previous articles: the \u00abGAL-CORUSCANT\u00bb machine is used here instead of the . The rest of the configuration remains similar.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p>Finally, several passages in this article refer to the Rubeus code. 
The commit used in this article is as follows: <a href=\"https:\/\/github.com\/GhostPack\/Rubeus\/tree\/351cb3bc04430bdf9e05eaf5cc25be7ed937d41f\" target=\"_blank\" rel=\"noreferrer noopener\">https:\/\/github.com\/GhostPack\/Rubeus\/tree\/351cb3bc04430bdf9e05eaf5cc25be7ed937d41f<\/a><\/p>\n\n\n\n<p><em>AS_REP Roasting<\/em> is a well-known attack technique within an Active Directory environment. It consists of exploiting a user&#039;s ability to request a TGT in the name of another user, without specifying its password.<\/p>\n\n\n\n<p>This option (<em>Do not require Kerberos preauthentication<\/em>) can be easily enabled for a designated user through the Active Directory Users and Computers management console:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"762\" height=\"544\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image.png\" alt=\"\" class=\"wp-image-231513\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image.png 762w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-300x214.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-18x12.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-650x464.png 650w\" sizes=\"(max-width: 762px) 100vw, 762px\" \/><\/figure>\n\n\n\n<p>The reason for this option, however, is hard to explain. 
The most likely reason for the existence of such an option would be backward compatibility with applications that do not support Kerberos pre-authentication.<\/p>\n\n\n\n<div class=\"wp-block-yoast-seo-table-of-contents yoast-table-of-contents\"><h2>Summary<\/h2><ul><li><a href=\"\/en\/#h-attack-explanation\" data-level=\"2\">Attack explanation<\/a><ul><li><a href=\"\/en\/#h-recon\" data-level=\"3\">Recon<\/a><\/li><li><a href=\"\/en\/#h-ticket-cipher\" data-level=\"3\">Ticket cipher<\/a><\/li><li><a href=\"\/en\/#h-ticket-options\" data-level=\"3\">Ticket options<\/a><\/li><li><a href=\"\/en\/#h-process-used\" data-level=\"3\">Process used<\/a><\/li><\/ul><\/li><li><a href=\"\/en\/#h-classic-as-rep-roasting-detection\" data-level=\"2\">Classic AS_REP Roasting detection<\/a><ul><li><a href=\"\/en\/#h-ldap-recon\" data-level=\"3\">LDAP Recon<\/a><\/li><li><a href=\"\/en\/#h-ticket-cipher-0\" data-level=\"3\">Ticket cipher<\/a><\/li><li><a href=\"\/en\/#h-ticket-options-0\" data-level=\"3\">Ticket options<\/a><\/li><li><a href=\"\/en\/#h-process-used-0\" data-level=\"3\">Process used<\/a><\/li><li><a href=\"\/en\/#h-conclusion\" data-level=\"3\">Conclusion<\/a><\/li><\/ul><\/li><li><a href=\"\/en\/#h-opsec-turnaround\" data-level=\"2\">OPSEC turnaround<\/a><ul><li><a href=\"\/en\/#h-ldap-recon-0\" data-level=\"3\">LDAP recon<\/a><\/li><li><a href=\"\/en\/#h-ticket-cipher-1\" data-level=\"3\">Ticket cipher<\/a><\/li><li><a href=\"\/en\/#h-ticket-options-1\" data-level=\"3\">Ticket options<\/a><\/li><li><a href=\"\/en\/#h-process-used-1\" data-level=\"3\">Process used<\/a><\/li><li><a href=\"\/en\/#h-conclusion-0\" data-level=\"3\">Conclusion<\/a><\/li><\/ul><\/li><li><a href=\"\/en\/#h-detecting-opsec-as-rep-roasting\" data-level=\"2\">Detecting \u00abOPSEC\u00bb AS_REP Roasting<\/a><\/li><\/ul><\/div>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading has-medium-font-size\" 
id=\"h-attack-explanation\">Attack explanation<\/h2>\n\n\n\n<p>When a user seeks access to one of the domain&#039;s services, it presents its TGT to the KDC in order to authenticate itself and obtain a TGS. If no TGT is loaded, a TGT request will take place first.<\/p>\n\n\n\n<p>Under normal circumstances, the user authenticates itself to the KDC by encrypting an authenticator with its password. The KDC is thus able to verify the user&#039;s identity before sending back the <em>KRB_AS_REP<\/em> response that contains a session key encrypted with the user&#039;s secret and the TGT.<\/p>\n\n\n\n<p>If it is possible to obtain a <em>KRB_AS_REP<\/em> for a user without possessing its password, an attacker can carry out an offline bruteforce attack on the encrypted session key to potentially recover the user&#039;s password, if it is not sufficiently robust.<\/p>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-recon\">Recon<\/h3>\n\n\n\n<p>This time, 2 accounts that do not need Kerberos preauth are present in our test environment, <strong>Boba-Fett <\/strong>and <strong>Lama-Su<\/strong>.<\/p>\n\n\n\n<p>Using the Rubeus tool, it is possible to query all accounts which do not require Kerberos preauth and obtain the <strong>AS_REP<\/strong> KDC response in a format that can be easily used by password cracking tools (john or hashcat to name a few) with the <code>Rubeus.exe asreproast \/nowrap<\/code> command:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" width=\"1024\" height=\"502\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-1-1024x502.png\" alt=\"\" class=\"wp-image-231515\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-1-1024x502.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-1-300x147.png 300w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-1-768x377.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-1-18x9.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-1-650x319.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-1.png 1260w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>We can already see similarities with Rubeus&#039; Kerberoasting implementation, in particular the fact that a dedicated LDAP query is performed to discover vulnerable users: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">(&amp;(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))<\/mark> :<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">(samAccountType=805306368)<\/mark> to get domain users<\/li>\n\n\n\n<li><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">(userAccountControl:1.2.840.113556.1.4.803:=4194304)<\/mark> is a <em>Bitwise AND<\/em> comparison, checking if the 24th bit of the user&#039;s UAC is 1, meaning that Kerberos preauth isn&#039;t required. 
The <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">1.2.840.113556.1.4.803<\/mark> OID corresponds to the <em>Bitwise AND<\/em> comparison (same as the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">&amp;<\/mark> operator).<\/li>\n<\/ul>\n\n\n\n<p>But we can also observe that the ticket encryption type is not mentioned anywhere.<\/p>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-ticket-cipher\">Ticket cipher<\/h3>\n\n\n\n<p>By default, Rubeus performs TGT requests using the RC4 encryption algorithm (<code>Rubeus.exe asreproast \/nowrap<\/code>):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"408\" height=\"159\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-2.png\" alt=\"\" class=\"wp-image-231516\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-2.png 408w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-2-300x117.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-2-18x7.png 18w\" sizes=\"(max-width: 408px) 100vw, 408px\" \/><\/figure>\n\n\n\n<p>It&#039;s easy to see the difference between the ticket request generated by the basic Rubeus command and one generated by a legitimate request. 
The following event corresponds to the TGT request made when using <strong>WinLogon<\/strong>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"478\" height=\"160\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-3.png\" alt=\"\" class=\"wp-image-231517\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-3.png 478w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-3-300x100.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-3-18x6.png 18w\" sizes=\"(max-width: 478px) 100vw, 478px\" \/><\/figure>\n\n\n\n<p>We can see that the TGT is provided with the AES256 cipher (<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">0x12<\/mark>).<\/p>\n\n\n\n<p>This behavior is easy to explain: By default, the KDC will always provide TGTs with the highest supported encryption level. Since the Windows 2008 R2 functional level, this default is AES256.<\/p>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-ticket-options\">Ticket options<\/h3>\n\n\n\n<p>Let&#039;s compare the two tickets we have:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"663\" height=\"262\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-4.png\" alt=\"\" class=\"wp-image-231518\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-4.png 663w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-4-300x119.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-4-18x7.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-4-650x257.png 650w\" sizes=\"(max-width: 663px) 100vw, 663px\" \/><\/figure>\n\n\n\n<p>The one obtained with Rubeus (the TGT is encrypted with AES256 
cipher because of the modifications made to Rubeus described <a href=\"https:\/\/www.intrinsec.com\/en\/kerberos-opsec-offense-detection-strategies-for-red-and-blue-team-part-2-as_rep-roasting\/#h-ticket-options-1\">here<\/a>):<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"538\" height=\"260\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-5.png\" alt=\"\" class=\"wp-image-231519\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-5.png 538w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-5-300x145.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-5-18x9.png 18w\" sizes=\"(max-width: 538px) 100vw, 538px\" \/><\/figure>\n\n\n\n<p>We can see that the legitimate request has one more bit set than our illegitimate one, corresponding to the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Name-canonicalize<\/mark> flag.<\/p>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-process-used\">Process used<\/h3>\n\n\n\n<p>It is interesting to note from which process our AS_REP roasting attack is launched.<\/p>\n\n\n\n<p>For example, during the Fork and Run process (execute-assembly feature in Cobalt Strike), the Rubeus tool is executed within the process defined by the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">spawnto<\/mark> command, in this case <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">werfault.exe<\/mark>. 
Kerberos traffic is then sent from the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">werfault.exe<\/mark> process:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"661\" height=\"177\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-6.png\" alt=\"\" class=\"wp-image-231520\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-6.png 661w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-6-300x80.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-6-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-6-650x174.png 650w\" sizes=\"(max-width: 661px) 100vw, 661px\" \/><\/figure>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-classic-as-rep-roasting-detection\">Classic AS_REP Roasting detection<\/h2>\n\n\n\n<p>Here we look at the various methods to detect the AS_REP Roasting attack when carried out in its simplest form, i.e. using the command <code>Rubeus.exe asreproast<\/code>.<\/p>\n\n\n\n<p>One important thing to bear in mind is that when an account does not require Kerberos pre-authentication, the value of <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">PreAuthType<\/mark> in the 4768 event will be <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">0<\/mark>:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"262\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-7-1024x262.png\" alt=\"\" class=\"wp-image-231521\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-7-1024x262.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-7-300x77.png 300w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-7-768x196.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-7-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-7-650x166.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-7.png 1165w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>We can then use this information to make our detection queries more specific.<\/p>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-ldap-recon\">LDAP Recon<\/h3>\n\n\n\n<p>First of all, as we&#039;ve seen before, Rubeus uses a particular LDAP request in order to identify AS_REP Roasting targets.<\/p>\n\n\n\n<p>The LDAP request is the following: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">(&amp;(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))<\/mark>, which can be interpreted as <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">(&amp;(samAccountType=805306368)(userAccountControl&amp;4194304))<\/mark>.<\/p>\n\n\n\n<p>Such an LDAP request has a very low probability of being carried out within a legitimate context, with the exception of domain maintenance actions.<\/p>\n\n\n\n<p>We can thus conclude that if an LDAP request with this filter is observed, it may be worth taking a serious look at why it was made:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"394\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-8-1024x394.png\" alt=\"\" class=\"wp-image-231522\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-8-1024x394.png 1024w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-8-300x116.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-8-768x296.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-8-18x7.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-8-650x250.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-8.png 1228w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p><strong>Note:<\/strong> Monitor events with ID 1644 by filtering on the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">servicePrincipalNames=*<\/mark> string of the LDAP request. Although theoretically possible, rules based on LDAP Windows events are rarely implemented because the volume of LDAP logs to be collected is very large (Alternatives are emerging, with commercial solutions such as Microsoft Defender for Identity, or custom rules implemented on endpoint security solutions).<\/p>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-ticket-cipher-0\"><strong>Ticket cipher<\/strong><\/h3>\n\n\n\n<p>Targeting ticket requests that <strong>do not use the AES256 encryption algorithm<\/strong> (or more generally that do not use the highest cipher available) makes it possible to effectively filter out non-standard ticket requests:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"269\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-9-1024x269.png\" alt=\"\" class=\"wp-image-231523\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-9-1024x269.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-9-300x79.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-9-768x202.png 
768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-9-18x5.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-9-650x171.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-9.png 1276w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-ticket-options-0\">Ticket options<\/h3>\n\n\n\n<p>From our internal tests and the feedback of Intrinsec&#039;s SOC, the most common ticket options seen in a legitimate TGT request are: <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">[Forwardable, Renewable, Name-canonicalize, Renewable-ok]<\/mark> (<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">0x40810010<\/mark>), while the Rubeus request generates a TGT with the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">[Forwardable, Renewable, Renewable-ok]<\/mark> (<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">0x40800010<\/mark>) options. 
Filtering on this value can therefore be useful, although we don&#039;t recommend using it on its own because it would generate numerous false positives:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"206\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-10-1024x206.png\" alt=\"\" class=\"wp-image-231524\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-10-1024x206.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-10-300x60.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-10-768x154.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-10-18x4.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-10-650x131.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-10.png 1085w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-process-used-0\">Process used<\/h3>\n\n\n\n<p>Identifying Kerberos traffic that does not originate from the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">LSASS.exe<\/mark> process provides an additional correlation criterion for the detection of an <em>AS_REP Roasting<\/em> attack:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"811\" height=\"343\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-11.png\" alt=\"\" class=\"wp-image-231525\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-11.png 811w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-11-300x127.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-11-768x325.png 768w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-11-18x8.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-11-650x275.png 650w\" sizes=\"(max-width: 811px) 100vw, 811px\" \/><\/figure>\n\n\n\n<p>It&#039;s not impossible for Kerberos traffic to originate from a process other than <code>LSASS.exe<\/code>. Indeed, some web applications use port 88, so some port 88 traffic that does not come from <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">LSASS.exe<\/mark> is legitimate.<\/p>\n\n\n\n<p>A standard Elastic rule is defined <a href=\"https:\/\/www.elastic.co\/guide\/en\/security\/current\/kerberos-traffic-from-unusual-process.html\">here<\/a> and can help refine the search for non-legitimate Kerberos traffic:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>network where event.type == &quot;start&quot; and network.direction : (&quot;outgoing&quot;, &quot;egress&quot;) and\n  destination.port == 88 and source.port &gt;= 49152 and\n  process.executable != &quot;C:\\\\Windows\\\\System32\\\\lsass.exe&quot; and\n  destination.address != &quot;127.0.0.1&quot; and destination.address != &quot;::1&quot; and\n  \/* insert false positives here *\/\n  not process.name in (&quot;swi_fc.exe&quot;, &quot;fsIPcam.exe&quot;, &quot;IPCamera.exe&quot;, &quot;MicrosoftEdgeCP.exe&quot;, &quot;MicrosoftEdge.exe&quot;, &quot;iexplore.exe&quot;, &quot;chrome.exe&quot;, &quot;msedge.exe&quot;, &quot;opera.exe&quot;, &quot;firefox.exe&quot;)<\/code><\/pre>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-conclusion\">Conclusion<\/h3>\n\n\n\n<p>Looking for a correlation between the following elements can lead to effective detection of <em>AS_REP Roasting<\/em> attacks when used with the basic Rubeus options:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An LDAP request containing the <mark 
style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">4194304<\/mark> LDAP filter will generally correspond to the enumeration of vulnerable accounts<\/li>\n\n\n\n<li>A TGT requested without the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">AES256<\/mark> encryption cipher<\/li>\n\n\n\n<li>A TGT delivered with the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">0x40800010<\/mark> options<\/li>\n\n\n\n<li>Kerberos traffic sent from an unknown or illegitimate process<\/li>\n<\/ul>\n\n\n\n<p>Finally, basic Rubeus <strong>AS_REP Roasting<\/strong> makes a TGT request for every user that does not have Kerberos preauth enforced. When TGT requests are made for several of these users (i.e. several 4768 events with <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">PreAuthType=0<\/mark>) in a short period, it can be due to the use of <code>Rubeus.exe asreproast<\/code>.<\/p>\n\n\n\n<p>Here is a recap:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Action<\/td><td>Event ID<\/td><td>Filter<\/td><td>Explanation<\/td><\/tr><tr><td>LDAP request used to list users without enforced Kerberos pre-authentication<\/td><td>1644 \u2013 LDAP<\/td><td>LDAP filter <code>userAccountControl&amp;4194304<\/code><\/td><td>An LDAP query with this filter will only occur if accounts without Kerberos preauth enforced are listed, which should never happen outside of AS_REP Roasting attacks or planned maintenance actions.<\/td><\/tr><tr><td>Large number of TGT tickets requested in a short amount of time<\/td><td>4768 \u2013 Kerberos \u2013 TGT was requested<\/td><td>Field <code>PreAuthType=0<\/code><\/td><td>Successive TGT requests for users who don&#039;t have Kerberos preauth enforced are not legitimate behavior.<\/td><\/tr><tr><td>Encryption downgrade<\/td><td>4768 \u2013 Kerberos \u2013 TGT 
was requested<\/td><td>Field <code>TicketEncryptionType!=0x12<\/code><\/td><td>Legitimate TGT requests use the AES256 encryption algorithm. Any TGT encrypted with another cipher should be monitored.<\/td><\/tr><tr><td>Unusual or unknown ticket options<\/td><td>4768 \u2013 Kerberos \u2013 TGT was requested<\/td><td>Field <code>Ticket options<\/code><\/td><td>The ticket options of some tools are quickly recognizable. Rubeus: <code>0x40800010<\/code><\/td><\/tr><tr><td>Processes through which Kerberos traffic passes<\/td><td>3 \u2013 SYSMON<\/td><td>Fields <code>process.name!=&quot;LSASS.exe&quot;<\/code>, <code>User<\/code>, <code>Destination.port=88<\/code><\/td><td>When Kerberos traffic is sent from a process other than Lsass.exe, correlation with the rest of the events allows detection of AS_REP Roasting.<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-opsec-turnaround\">OPSEC turnaround<\/h2>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-ldap-recon-0\">LDAP recon<\/h3>\n\n\n\n<p>To avoid generating an event with the <strong>ID 1644<\/strong> and the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">userAccountControl&amp;4194304<\/mark> filter, which is specific to the identification of vulnerable users, a better option would be to perform the recon beforehand using another method, such as the SharpHound collector.<\/p>\n\n\n\n<p>Using SharpHound with the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\/DCOnly<\/mark> option collects, among other things, the information needed for <strong>AS_REP Roasting<\/strong>.<\/p>\n\n\n\n<p>Once vulnerable users have been identified, performing TGT requests on a single user and spaced out over time avoids generating a large number of <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color 
has-vivid-red-color\">4768<\/mark> events in a short amount of time.<\/p>\n\n\n\n<p>Rubeus lets you target a single user, using the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\/user<\/mark> option. However, when using this option, the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">userAccountControl&amp;4194304<\/mark> filter is still used, most likely to guard against user error:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"357\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-12-1024x357.png\" alt=\"\" class=\"wp-image-231526\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-12-1024x357.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-12-300x105.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-12-768x268.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-12-18x6.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-12-650x227.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-12.png 1489w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>But if we also specify the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\/domain<\/mark> and <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\/dc<\/mark> parameters, the LDAP request is not performed:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"558\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-13-1024x558.png\" alt=\"\" class=\"wp-image-231527\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-13-1024x558.png 1024w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-13-300x164.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-13-768x419.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-13-18x10.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-13-650x354.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-13.png 1049w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Otherwise, we just need to modify the Rubeus code to change this behavior when a user is specified:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ lib\/Roast.cs - line 46\nif (String.IsNullOrEmpty(userName))\n{\n    userSearchFilter = &quot;(&amp;(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))&quot;;\n}\nelse\n{\n    userSearchFilter = String.Format(&quot;(&amp;(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(samAccountName={0}))&quot;, userName);\n}<\/code><\/pre>\n\n\n\n<p>By commenting out the assignment in the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">else<\/mark> branch, we avoid the LDAP query:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ lib\/Roast.cs - line 46\nif (String.IsNullOrEmpty(userName))\n{\n    userSearchFilter = &quot;(&amp;(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304))&quot;;\n}\nelse\n{\n<strong>    \/\/ userSearchFilter = String.Format(&quot;(&amp;(samAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=4194304)(samAccountName={0}))&quot;, userName);\n<\/strong>}<\/code><\/pre>\n\n\n\n<div style=\"height:29px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"981\" height=\"525\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-14.png\" alt=\"\" class=\"wp-image-231528\" 
srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-14.png 981w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-14-300x161.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-14-768x411.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-14-18x10.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-14-650x348.png 650w\" sizes=\"(max-width: 981px) 100vw, 981px\" \/><\/figure>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-ticket-cipher-1\">Ticket cipher<\/h3>\n\n\n\n<p>In order to make our TGT request as stealthy as possible we can ask for a TGT encrypted with the AES256 cipher (or more generally with the highest cipher supported by the domain).<\/p>\n\n\n\n<p><strong>Caution, even if the action is getting stealthier, the use of AES256 makes the TGT much longer to brute-force.<\/strong><\/p>\n\n\n\n<p>It is possible to use AES with Rubeus, by specifying the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\/aes<\/mark> option:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"342\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-15-1024x342.png\" alt=\"\" class=\"wp-image-231529\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-15-1024x342.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-15-300x100.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-15-768x256.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-15-18x6.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-15-650x217.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-15.png 1262w\" 
sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The encryption of the ticket is managed in the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">GetASRepHash<\/mark>, part of the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">lib\\Roast.cs<\/mark> file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># lib\\Roast.cs - line 101 public static void GetASRepHash(string userName, string domain, string domainController = &quot;&quot;, string format = &quot;&quot;, string outFile = &quot;&quot;, string supportedEType = &quot;rc4&quot;) { \/\/ roast AS-REPs for users without pre-authentication enabled string dcIP = Networking.GetDCIP(domainController, true, domain); if (String.IsNullOrEmpty(dcIP)) { return; } Console.WriteLine(&quot;[*] Building AS-REQ (w\/o preauth) for: &#039;{0}\\\\{1}&#039;&quot;, domain, userName); byte[] reqBytes; byte[] response; AsnElt responseAsn; int responseTag; string requestedEType; \/\/ Specify RC4 as the encryption type by default, unless the \/aes flag was provided if (supportedEType == &quot;rc4&quot;) { reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac).Encode().Encode(); response = Networking.SendBytes(dcIP, 88, reqBytes);\n\n<\/code><\/pre>\n\n\n\n<p>As it stands, Rubeus only uses AES256 if the AES128 request fails. 
After a few minor modifications to the code, AES256 can be requested directly:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ Commands\\Asreproast.cs - line 73\nif (arguments.ContainsKey(&quot;\/aes256&quot;))\n{\n    supportedEType = &quot;aes256&quot;;\n}<\/code><\/pre>\n\n\n\n<div style=\"height:29px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<pre class=\"wp-block-code\"><code>\/\/ lib\\Roast.cs - line 189\nelse if (supportedEType == &quot;aes256&quot;)\n{\n    Console.WriteLine(&quot;[*] Requesting AES256 (etype 18) as the encryption type&quot;);\n\n    \/\/ Attempt to use aes256-cts-hmac-sha1-96 (etype 18) straight away, without trying AES128 first\n    reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.aes256_cts_hmac_sha1).Encode().Encode();\n    response = Networking.SendBytes(dcIP, 88, reqBytes);\n    if (response == null) { return; }\n    requestedEType = &quot;aes256&quot;;\n\n    responseAsn = AsnElt.Decode(response, false);\n    responseTag = responseAsn.TagValue;\n    if (responseTag == (int)Interop.KERB_MESSAGE_TYPE.ERROR)\n    {\n        \/\/ parse the response to a KRB-ERROR and stop: these bytes are not an AS-REP\n        KRB_ERROR error = new KRB_ERROR(responseAsn.Sub[0]);\n        Console.WriteLine(&quot;\\r\\n[X] KRB-ERROR ({0}) : {1}\\r\\n&quot;, error.error_code, (Interop.KERBEROS_ERROR)error.error_code);\n        return;\n    }\n}<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"314\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-16-1024x314.png\" alt=\"\" class=\"wp-image-231530\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-16-1024x314.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-16-300x92.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-16-768x235.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-16-18x6.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-16-650x199.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-16.png 1263w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-ticket-options-1\">Ticket options<\/h3>\n\n\n\n<p>Rubeus uses the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">NewASReq <\/mark>function, defined in <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">lib\\krb_structures\\AS_REQ.cs<\/mark> in order to forge the TGT request:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># lib\\krb_structures\\AS_REQ.cs - line 23 public static AS_REQ NewASReq(string userName, string domain, Interop.KERB_ETYPE etype, bool opsec = false, string service = null) { \/\/ build a new AS-REQ for the given userName, domain, and etype, but no PA-ENC-TIMESTAMP \/\/ used for AS-REP-roasting AS_REQ req = new AS_REQ(opsec); \/\/ set the username to roast req.req_body.cname.name_string.Add(userName);<\/code><\/pre>\n\n\n\n<p>But we can see that the flag <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Name-Canonicalize<\/mark> is set if the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\/opsec<\/mark> option is used, which is not part of the options that can be used with the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">asreproast<\/mark> module of Rubeus:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># lib\\krb_structures\\AS_REQ.cs - line 67 if (opsec) { string hostName = Dns.GetHostName(); List addresses = new List (); addresses.Add(new HostAddress(hostName)); req.req_body.addresses = addresses; req.req_body.kdcOptions = req.req_body.kdcOptions | Interop.KdcOptions.CANONICALIZE; req.req_body.etypes.Add(Interop.KERB_ETYPE.aes256_cts_hmac_sha1); req.req_body.etypes.Add(Interop.KERB_ETYPE.aes128_cts_hmac_sha1); req.req_body.etypes.Add(Interop.KERB_ETYPE.rc4_hmac); 
req.req_body.etypes.Add(Interop.KERB_ETYPE.rc4_hmac_exp); req.req_body.etypes.Add(Interop.KERB_ETYPE.old_exp); req.req_body.etypes.Add(Interop.KERB_ETYPE.des_cbc_md5);<\/code><\/pre>\n\n\n\n<p>So we just have to modify a Rubeus code a few lines to add the new option <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">\/canonicalize<\/mark>:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code># Commands\\Asreproast.cs # line 25 bool canon = false; # line 77 if (arguments.ContainsKey(&quot;\/canonicalize&quot;)) { canon = true; }<\/code><\/pre>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<pre class=\"wp-block-code\"><code># lib\\Roast.cs - line 116 \/\/ Specify RC4 as the encryption type by default, unless the \/aes flag was provided if (supportedEType == &quot;rc4&quot; || supportedEType == &quot;des&quot;) { [...] reqBytes = AS_REQ.NewASReq(userName, domain, Interop.KERB_ETYPE.rc4_hmac, false, null, canon).Encode().Encode(); response = Networking.SendBytes(dcIP, 88, reqBytes);<\/code><\/pre>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<pre class=\"wp-block-code\"><code># lib\\krb_structures\\AS_REQ.cs - line 40 if (canon) { req.req_body.kdcOptions = req.req_body.kdcOptions | Interop.KdcOptions.CANONICALIZE; }<\/code><\/pre>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>And we finally get our TGT with the options we need:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"471\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-17-1024x471.png\" alt=\"\" class=\"wp-image-231531\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-17-1024x471.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-17-300x138.png 300w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-17-768x353.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-17-18x8.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-17-650x299.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-17.png 1063w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The capture confirms that the request went out with the wanted options:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"328\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-18-1024x328.png\" alt=\"\" class=\"wp-image-231532\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-18-1024x328.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-18-300x96.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-18-768x246.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-18-18x6.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-18-650x208.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-18.png 1310w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-process-used-1\">Process used<\/h3>\n\n\n\n<p>As described before, <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Lsass.exe<\/mark> is normally the process that initiates Kerberos network traffic on a Windows host. 
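That is exactly what the Elastic rule quoted in the next paragraph relies on. As an added example, not code from the article, from Rubeus or from Elastic, the following Python transcribes the rule's conditions and the honeypot-account check from the recap table at the end of the article, and runs both over constructed events. The ECS and Winlogbeat field names (process.executable, winlog.event_data.PreAuthType, user.name for the 4768 target account) are assumptions to check against your own pipeline:

```python
"""Detection side of the 'Process used' section: the Elastic EQL rule quoted in the article
(Kerberos traffic to port 88 from a process other than lsass.exe) transcribed to Python,
plus the honeypot-account check from the recap table at the end of the article.
Added example, not code from the article, Rubeus or Elastic. Events are constructed;
field names follow ECS / Winlogbeat conventions and are assumptions."""

LSASS = r"C:\Windows\System32\lsass.exe"

# Exclusion list as it appears in the rule ("insert false positives here"): browsers and a few
# camera/AV tools that legitimately speak Kerberos. Every name here is usable by an attacker.
EXCLUDED_PROCESS_NAMES = {
    "swi_fc.exe", "fsIPcam.exe", "IPCamera.exe", "MicrosoftEdgeCP.exe", "MicrosoftEdge.exe",
    "iexplore.exe", "chrome.exe", "msedge.exe", "opera.exe", "firefox.exe",
}


def kerberos_from_unusual_process(event: dict) -> bool:
    """The rule's conditions, one per line, evaluated on a single ECS network event."""
    return (
        event.get("event.category") == "network"
        and event.get("event.type") == "start"
        and event.get("network.direction") in ("outgoing", "egress")
        and event.get("destination.port") == 88
        and event.get("source.port", 0) >= 49152              # ephemeral client port
        and event.get("process.executable") != LSASS           # lsass.exe is the expected Kerberos client
        and event.get("destination.address") not in ("127.0.0.1", "::1")
        and event.get("process.name") not in EXCLUDED_PROCESS_NAMES
    )


def honeypot_tgt_requests(security_events, honeypot_accounts):
    """Event 4768 (TGT requested) for an account nobody should ever use. PreAuthType 0 in the
    same event means the TGT was requested without pre-authentication: the roasting case."""
    hits = []
    for e in security_events:
        if e.get("event.code") == "4768" and e.get("user.name", "").lower() in honeypot_accounts:
            hits.append({
                "user": e["user.name"],
                "source": e.get("source.ip"),
                "no_preauth": e.get("winlog.event_data.PreAuthType") == "0",
                "etype": e.get("winlog.event_data.TicketEncryptionType"),   # 0x12 = AES256, 0x17 = RC4
            })
    return hits


def _net(executable: str, name: str, sport: int) -> dict:
    """Constructed ECS network event: a connection to the KDC on port 88."""
    return {"event.category": "network", "event.type": "start", "network.direction": "egress",
            "destination.port": 88, "destination.address": "10.0.0.10", "source.port": sport,
            "process.executable": executable, "process.name": name}


SAMPLE_NETWORK_EVENTS = [                                       # constructed for the demo
    _net(LSASS, "lsass.exe", 55102),                                                             # normal
    _net(r"C:\Users\hsolo\Rubeus.exe", "Rubeus.exe", 55103),                                     # flagged
    _net(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe", "msedge.exe", 55104),  # excluded
]

SAMPLE_SECURITY_EVENTS = [                                      # constructed for the demo
    {"event.code": "4768", "user.name": "hsolo", "source.ip": "10.0.0.25",
     "winlog.event_data.PreAuthType": "2", "winlog.event_data.TicketEncryptionType": "0x12"},
    {"event.code": "4768", "user.name": "svc_backup_adm", "source.ip": "10.0.0.25",
     "winlog.event_data.PreAuthType": "0", "winlog.event_data.TicketEncryptionType": "0x12"},
]


def flagged_process_names(events=SAMPLE_NETWORK_EVENTS):
    """Names of the processes the rule would alert on."""
    return [e["process.name"] for e in events if kerberos_from_unusual_process(e)]


if __name__ == "__main__":
    print("rule hits    :", flagged_process_names())
    print("honeypot 4768:", honeypot_tgt_requests(SAMPLE_SECURITY_EVENTS, {"svc_backup_adm"}))
```

Run as is, the rule flags Rubeus.exe but says nothing about msedge.exe: the exclusion list that keeps browser false positives out is the gap the next paragraph uses. The honeypot check does not depend on the client process at all, which is why the two signals complement each other.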
Fork and Run into <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Lsass.exe<\/mark> is out of the question (nothing about it would be stealthy), but we can take advantage of the exclusions in the rule published by Elastic:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>network where event.type == &quot;start&quot; and network.direction : (&quot;outgoing&quot;, &quot;egress&quot;) and\n  destination.port == 88 and source.port &gt;= 49152 and\n  process.executable != &quot;C:\\\\Windows\\\\System32\\\\lsass.exe&quot; and\n  destination.address != &quot;127.0.0.1&quot; and destination.address != &quot;::1&quot; and\n\n  \/* insert false positives here *\/\n  not process.name in (&quot;swi_fc.exe&quot;, &quot;fsIPcam.exe&quot;, &quot;IPCamera.exe&quot;, &quot;MicrosoftEdgeCP.exe&quot;, &quot;MicrosoftEdge.exe&quot;,\n                       &quot;iexplore.exe&quot;, &quot;chrome.exe&quot;, &quot;msedge.exe&quot;, &quot;opera.exe&quot;, &quot;firefox.exe&quot;)<\/code><\/pre>\n\n\n\n<p>Every process name in that list is one the attacker can borrow. For example, we Fork and Run into a web browser process (<mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe<\/mark> here), or inject the beacon into the target process and use an in-process execution technique such as <a href=\"https:\/\/github.com\/anthemtotheego\/InlineExecute-Assembly\">inlineExecute-Assembly<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"514\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-19-1024x514.png\" alt=\"\" class=\"wp-image-231533\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-19-1024x514.png 1024w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-19-300x151.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-19-768x386.png 768w, 
https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-19-18x9.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-19-650x327.png 650w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-19.png 1061w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"735\" height=\"619\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-20.png\" alt=\"\" class=\"wp-image-231534\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-20.png 735w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-20-300x253.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-20-14x12.png 14w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-20-650x547.png 650w\" sizes=\"(max-width: 735px) 100vw, 735px\" \/><\/figure>\n\n\n\n<p>The process now seen opening the Kerberos connection is <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe<\/mark>, a name the rule excludes:<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"919\" height=\"334\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-21.png\" alt=\"\" class=\"wp-image-231535\" srcset=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-21.png 919w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-21-300x109.png 300w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-21-768x279.png 768w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-21-18x7.png 18w, https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image-21-650x236.png 650w\" sizes=\"(max-width: 919px) 100vw, 919px\" \/><\/figure>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\" id=\"h-conclusion-0\">Conclusion<\/h3>\n\n\n\n<p>Combining different options and modifying the Rubeus code allows to request TGT for <strong>AS_REP Roasting<\/strong> in an OPSEC way:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Make upstream recon in order to not use the specific LDAP query used by Rubeus to discover accounts with no preauthentication<\/li>\n\n\n\n<li>Target users one by one and spaced over time<\/li>\n\n\n\n<li>Request TGT encrypted with <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">AES256<\/mark> cipher<\/li>\n\n\n\n<li>Request TGT with the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Canonicalize-Name<\/mark> option<\/li>\n\n\n\n<li>Perform Kerberos requests from a quite legitimate process<\/li>\n<\/ul>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"h-detecting-opsec-as-rep-roasting\">Detecting &quot;OPEC&quot;\u00ab <strong>AS_REP Roasting<\/strong><\/h2>\n\n\n\n<p>(This part is quite the same as the one regarding the <a href=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_1_kerberoasting\/#h-detecting-opsec-kerberoasting\" target=\"_blank\" rel=\"noreferrer noopener\">Kerberoasting \u00abOPSEC\u00bb detection<\/a>)<\/p>\n\n\n\n<p>As mentioned above, <strong>AS_REP Roasting<\/strong> can be carried out more discreetly by combining several techniques. 
However, it is still possible to detect these actions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Checking that Kerberos flows originate from a legitimate process is a feasible way of detecting malicious actions (although, as we saw, the exclusions needed to avoid false positives are exactly what the attacker abuses)<\/li>\n\n\n\n<li>A good solution remains the use of \u00ab<em>honeypot<\/em>\u00bb domain accounts with Kerberos preauthentication not enforced and a strong password (so that the hash cannot be cracked). There are, however, a few things to bear in mind so as not to arouse the attacker&#039;s suspicions:\n<ul class=\"wp-block-list\">\n<li>The \u00ab<em>honeypot<\/em>\u00bb account must blend in with the accounts already present; for example, a <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">LastLogon<\/mark> that is too old suggests an account that serves no purpose other than as a trap, and a suspicious attacker would not target it<\/li>\n\n\n\n<li>The account should appear to be a privileged user (even if it is not, e.g. a member of a fake administrator group); an attacker is less likely to target accounts that do not lead to an exploitation scenario.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p>We can then add the following line to the detection recap table from the previous article:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td>Action<\/td><td>Event ID<\/td><td>Filter<\/td><td>Explanation<\/td><\/tr><tr><td>\u00abHoneypot\u00bb accounts<\/td><td>4768 \u2013 Kerberos \u2013 TGT was requested<\/td><td>Filter <code>user.name=honeypot_user<\/code><\/td><td>Use \u00abattractive\u00bb accounts to trick the attacker<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>Because the honeypot account has preauthentication disabled, its 4768 events also carry a <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-vivid-red-color\">Pre-Authentication Type<\/mark> of 0 (logon without pre-authentication); combined with an account name that nobody legitimately uses, this is a high-confidence signal, independent of the cipher requested and of the process the attacker hides in.<\/p>","protected":false},"excerpt":{"rendered":"<p>In this article, we present the AS_REP Roasting attack, and the OPSEC considerations associated with 
[\u2026]<\/p>","protected":false},"author":19,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[13,18],"tags":[],"class_list":["post-228100","post","type-post","status-publish","format-standard","hentry","category-evaluation-securite","category-red-teaming"],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.0 (Yoast SEO v27.3) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>Kerberos: Key OPSEC Tactics for Red &amp; Blue Teams - PART 2<\/title>\n<meta name=\"description\" content=\"Explore essential OPSEC practices for Red Teams and advanced detection strategies for Blue Teams, focusing on the Kerberos protocol\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_2_as_rep-roasting\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Kerberos OPSEC: Offense &amp; Detection Strategies for Red and Blue Team \u2013 Part 2 : AS_REP Roasting\" \/>\n<meta property=\"og:description\" content=\"Explore essential OPSEC practices for Red Teams and advanced detection strategies for Blue Teams, focusing on the Kerberos protocol\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.intrinsec.com\/en\/kerberos_opsec_part_2_as_rep-roasting\/\" \/>\n<meta property=\"og:site_name\" content=\"INTRINSEC\" \/>\n<meta property=\"article:published_time\" content=\"2024-08-05T08:50:06+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-02-24T10:39:52+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2024\/08\/image.png\" \/>\n\t<meta property=\"og:image:width\" content=\"762\" \/>\n\t<meta 
property=\"og:image:height\" content=\"544\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"Paul Saladin (P-alu)\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Paul Saladin (P-alu)\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"16 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/\"},\"author\":{\"name\":\"Paul Saladin (P-alu)\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eba80a0167fdf3502c18343d08948ffa\"},\"headline\":\"Kerberos OPSEC: Offense &#038; Detection Strategies for Red and Blue Team \u2013 Part 2 : AS_REP Roasting\",\"datePublished\":\"2024-08-05T08:50:06+00:00\",\"dateModified\":\"2026-02-24T10:39:52+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/\"},\"wordCount\":2236,\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/image.png\",\"articleSection\":[\"Evaluation S\u00e9curit\u00e9\",\"Red Teaming\"],\"inLanguage\":\"en-US\",\"accessibilityFeature\":[\"tableOfContents\"]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/\",\"name\":\"Kerberos: Key OPSEC Tactics for Red & Blue Teams - PART 
2\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/image.png\",\"datePublished\":\"2024-08-05T08:50:06+00:00\",\"dateModified\":\"2026-02-24T10:39:52+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eba80a0167fdf3502c18343d08948ffa\"},\"description\":\"Explore essential OPSEC practices for Red Teams and advanced detection strategies for Blue Teams, focusing on the Kerberos protocol\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/image.png\",\"contentUrl\":\"https:\\\/\\\/www.intrinsec.com\\\/wp-content\\\/uploads\\\/2024\\\/08\\\/image.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/kerberos_opsec_part_2_as_rep-roasting\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Accueil\",\"item\":\"https:\\\/\\\/www.intrinsec.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Kerberos OPSEC: Offense &#038; Detection Strategies for Red and Blue Team \u2013 Part 2 : AS_REP 
Roasting\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#website\",\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/\",\"name\":\"INTRINSEC\",\"description\":\"Notre m\u00e9tier , Prot\u00e9ger le v\u00f4tre\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.intrinsec.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.intrinsec.com\\\/#\\\/schema\\\/person\\\/eba80a0167fdf3502c18343d08948ffa\",\"name\":\"Paul Saladin (P-alu)\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&d=retro&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&d=retro&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e8624d4e647b63bc3801dc8be66bc836c18add9a35d8f555c861854a4ffc1203?s=96&d=retro&r=g\",\"caption\":\"Paul Saladin (P-alu)\"},\"description\":\"Red Team Operator @Intrinsec\",\"sameAs\":[\"https:\\\/\\\/github.com\\\/P-aLu\\\/\"],\"url\":\"https:\\\/\\\/www.intrinsec.com\\\/en\\\/author\\\/paul-saladin\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->"}