Query Details

RULE 02 AD ASREP Roasting No Pre Auth

Query

// =========================================================
// RULE-02 | AD-ASREP-Roasting-NoPreAuth
// Description : AS-REP Roasting — TGT issued without
//               pre-authentication (DONT_REQ_PREAUTH flag).
//               Event 4768 with Pre-Authentication Type = 0
//               means the KDC issued a TGT for an account that
//               does not require pre-authentication. Anyone who
//               can reach a DC and knows the account name can
//               request that TGT without the password; part of
//               the AS-REP is encrypted with a key derived from
//               the account password and can be cracked offline.
// Severity    : Medium (1-2 accounts/1h) → High (3-4) → Critical (≥5)
// Frequency   : Every 1 hour, look-back 1 hour
// MITRE       : T1558.004 — AS-REP Roasting
// Tables      : SecurityEvent
// NOT duplicated: No Sentinel built-in detects pre-auth type=0.
// =========================================================

let LookBack = 1h;

SecurityEvent
| where TimeGenerated > ago(LookBack)
| where EventID == 4768                          // Kerberos TGT request (AS-REQ / AS-REP)
| where Status == "0x0"                          // TGT actually issued; failed AS-REQs also log 4768
| where PreAuthType == "0"                       // No pre-authentication required (DONT_REQ_PREAUTH)
| where TargetUserName !endswith "$"             // Exclude machine accounts
| where TargetUserName !in~ ("krbtgt")
| extend
    TargetAccount = strcat(TargetDomainName, "\\", TargetUserName),
    EncType       = TicketEncryptionType          // 0x17 (RC4) is what roasting tools usually request
| summarize
    TotalRequests        = count(),
    UniqueTargetAccounts = dcount(TargetUserName),
    TargetAccounts       = make_set(TargetAccount, 20),
    EncTypes             = make_set(EncType, 5),
    EarliestEvent        = min(TimeGenerated),
    LatestEvent          = max(TimeGenerated)
    by Computer, ClientAddress                    // one row per DC + requesting host
| extend
    Severity = case(
        UniqueTargetAccounts >= 5, "Critical",
        UniqueTargetAccounts >= 3, "High",
        UniqueTargetAccounts >= 1, "Medium",
        "Low"                                     // fallback only; every row has >= 1 account
    ),
    WhySuspicious = strcat(
        iff(UniqueTargetAccounts >= 5, "Mass_ASREP_>=5_accts; ", ""),
        iff(UniqueTargetAccounts between (3 .. 4), "Bulk_ASREP_3-4_accts; ", ""),
        iff(UniqueTargetAccounts between (1 .. 2), "ASREP_no_preauth_1-2_accts; ", ""),
        iff(set_has_element(EncTypes, "0x17"), "RC4_ticket; ", "")
    )
| project
    TimeGenerated        = LatestEvent,
    Severity,
    WhySuspicious,
    Computer,
    ClientAddress,
    UniqueTargetAccounts,
    TotalRequests,
    TargetAccounts,
    EncTypes,
    EarliestEvent,
    LatestEvent
| order by UniqueTargetAccounts desc, TotalRequests desc

Explanation

This query is designed to detect potential AS-REP Roasting attacks in a domain. Here's a simplified explanation of what it does:

  1. Purpose: The query identifies instances where a Ticket Granting Ticket (TGT) is issued without pre-authentication. Because the KDC skips pre-authentication for accounts flagged DONT_REQ_PREAUTH, an attacker only needs the account name to obtain a TGT for it; part of the AS-REP is encrypted with a key derived from the account's password, so it can be taken offline and cracked.

  2. Data Source: It analyzes security events from the SecurityEvent table, specifically event ID 4768, which a domain controller logs for Kerberos TGT requests (AS-REQ). These events only exist if the "Audit Kerberos Authentication Service" subcategory is enabled on the DCs and their Security log is forwarded to the workspace.

  3. Time Frame: The query examines events from the past hour, matching a rule that runs hourly.

  4. Filters:

    • It looks for events where the pre-authentication type is "0", indicating no pre-authentication was required.
    • It excludes machine accounts (those ending with "$") and the "krbtgt" account.
  5. Data Processing:

    • It derives the target account (domain\user) and the ticket encryption type from each event.
    • It summarizes per domain controller (Computer) and requesting client address: total requests, the number of distinct target accounts, the list of target accounts, and the first and last event times. Because the grouping includes ClientAddress, each result row corresponds to one requesting host.
  6. Severity Assessment:

    • The severity of the event is determined based on the number of unique target accounts involved:
      • "Critical" for 5 or more accounts.
      • "High" for 3-4 accounts.
      • "Medium" for 1-2 accounts.
      • "Low" is only the fallback branch of the case(); it cannot occur, because every grouped row contains at least one target account.
  7. Output:

    • The query outputs one row per suspicious (domain controller, client address) pair, including the severity, reason for suspicion, number of unique target accounts, total requests, and the time range of the events.
  8. Ordering: Results are sorted by the number of unique target accounts in descending order, highlighting the most potentially dangerous activities first.

Overall, this query helps security teams identify and prioritize potential AS-REP Roasting attacks for further investigation. Expect the Medium tier to fire every hour for any account that legitimately has pre-authentication disabled; audit those accounts (the DoesNotRequirePreAuth attribute), remove the flag where possible and allow-list the remainder, so that what is left is worth triage. Requests for several distinct accounts from one client address within a few minutes is the pattern produced by tooling that roasts every DONT_REQ_PREAUTH account in one pass.
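The filter, grouping and severity steps above can be exercised offline before the rule is deployed. The following Python is an added example, not code from the original page or from the query's author: it re-implements the same logic over a handful of constructed SecurityEvent-style rows (column names follow the Sentinel SecurityEvent schema the query uses; the host names, addresses, account names and timestamps are made up for the example), and adds one check the page's query does not make, tagging rows whose TGT encryption type is RC4 (0x17), the type roasting tools normally ask for. It also shows the edge case a naive `== 1` tag misses: a row with exactly two target accounts.

```python
"""Offline model of RULE-02's filter, grouping and severity logic.

Added example (not the page's own code). Mirrors the KQL so the severity
buckets and WhySuspicious tags can be checked against constructed rows.
"""
from collections import defaultdict
from datetime import datetime, timedelta

LOOKBACK = timedelta(hours=1)
RC4 = "0x17"  # etype roasting tools usually request so the AS-REP cracks quickly

T0 = datetime(2026, 3, 24, 10, 0, 0)  # constructed reference time for the sample


def _ev(minute, user, client, dc, etype=RC4, status="0x0", preauth="0"):
    """Build one constructed 4768-style SecurityEvent row (not real telemetry)."""
    return {"TimeGenerated": T0 + timedelta(minutes=minute), "EventID": 4768,
            "Status": status, "PreAuthType": preauth, "TargetUserName": user,
            "TargetDomainName": "CORP", "ClientAddress": client, "Computer": dc,
            "TicketEncryptionType": etype}


# Constructed sample set (hosts, addresses and accounts are assumptions).
SAMPLE_EVENTS = [
    # bulk roast from one host: five distinct accounts, RC4 tickets
    *[_ev(i, f"svc{i}", "::ffff:10.0.0.50", "DC01.corp.local") for i in range(5)],
    # exactly two accounts from another host (the n == 2 edge case)
    _ev(10, "backup1", "::ffff:10.0.3.9", "DC01.corp.local"),
    _ev(11, "backup2", "::ffff:10.0.3.9", "DC01.corp.local"),
    # one legacy app account that legitimately has DONT_REQ_PREAUTH, AES ticket
    _ev(7, "legacyapp", "::ffff:10.0.1.20", "DC02.corp.local", etype="0x12"),
    # noise that each filter must drop
    _ev(3, "alice", "::ffff:10.0.2.5", "DC01.corp.local", preauth="2"),       # normal logon
    _ev(4, "WS01$", "::ffff:10.0.2.6", "DC01.corp.local"),                    # machine account
    _ev(5, "krbtgt", "::ffff:10.0.0.50", "DC01.corp.local"),                  # krbtgt
    _ev(6, "svc_old", "::ffff:10.0.0.50", "DC01.corp.local", status="0x12"),  # disabled: no TGT issued
    _ev(-120, "svc9", "::ffff:10.0.0.50", "DC01.corp.local"),                 # outside the look-back
]


def is_candidate(ev, now):
    """Mirror the query's where clauses."""
    user = ev["TargetUserName"]
    return (ev["EventID"] == 4768
            and ev["Status"] == "0x0"
            and ev["PreAuthType"] == "0"
            and not user.endswith("$")
            and user.lower() != "krbtgt"
            and ev["TimeGenerated"] > now - LOOKBACK)


def severity(unique_accounts):
    """Same buckets as the case() in the query."""
    if unique_accounts >= 5:
        return "Critical"
    if unique_accounts >= 3:
        return "High"
    if unique_accounts >= 1:
        return "Medium"
    return "Low"  # unreachable after filtering; kept to mirror the fallback


def why_suspicious(unique_accounts, enc_types):
    """Non-overlapping count tags plus an RC4 tag (the RC4 tag is this example's addition)."""
    tags = []
    if unique_accounts >= 5:
        tags.append("Mass_ASREP_>=5_accts")
    elif 3 <= unique_accounts <= 4:
        tags.append("Bulk_ASREP_3-4_accts")
    elif 1 <= unique_accounts <= 2:
        tags.append("ASREP_no_preauth_1-2_accts")
    if RC4 in enc_types:
        tags.append("RC4_ticket")
    return "; ".join(tags)


def summarize(events, now):
    """Group candidates by (DC, client address), like `summarize ... by Computer, ClientAddress`."""
    groups = defaultdict(list)
    for ev in events:
        if is_candidate(ev, now):
            groups[(ev["Computer"], ev["ClientAddress"])].append(ev)
    rows = []
    for (dc, client), evs in groups.items():
        accounts = sorted({f'{e["TargetDomainName"]}\\{e["TargetUserName"]}' for e in evs})
        enc_types = sorted({e["TicketEncryptionType"] for e in evs})
        n = len(accounts)
        rows.append({
            "Computer": dc, "ClientAddress": client,
            "Severity": severity(n), "WhySuspicious": why_suspicious(n, enc_types),
            "UniqueTargetAccounts": n, "TotalRequests": len(evs),
            "TargetAccounts": accounts, "EncTypes": enc_types,
            "EarliestEvent": min(e["TimeGenerated"] for e in evs),
            "LatestEvent": max(e["TimeGenerated"] for e in evs),
        })
    # order by UniqueTargetAccounts desc, TotalRequests desc
    return sorted(rows, key=lambda r: (r["UniqueTargetAccounts"], r["TotalRequests"]), reverse=True)


def run_sample():
    """Evaluate the constructed rows as if the rule ran 30 minutes after T0."""
    return summarize(SAMPLE_EVENTS, now=T0 + timedelta(minutes=30))


if __name__ == "__main__":
    for row in run_sample():
        print(row["Severity"], row["ClientAddress"], row["WhySuspicious"], row["TargetAccounts"])
```

Running it yields three rows: the five-account burst from 10.0.0.50 as Critical with an RC4 tag, the two-account pair from 10.0.3.9 as Medium (which the original `== 1` tag would have left without a reason string), and the lone AES-ticket legacy account as Medium without the RC4 tag. The disabled account's failed 4768 and the event outside the look-back never reach the grouping, which is why the first group counts five accounts rather than seven.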

Details

David Alonso

Released: March 24, 2026

Tables

SecurityEvent

Keywords

SecurityEvent, Computer, ClientAddress, TargetUserName, TargetDomainName, TicketEncryptionType, TimeGenerated

Operators

let, ago, |, where, ==, !endswith, !in~, extend, strcat, summarize, count, dcount, make_set, min, max, by, case, >=, iff, project, order by, desc