Forela's network is constantly under attack. The security system raised an alert about an old admin account requesting a ticket from the KDC on a domain controller. Inventory shows that this user account is not in use at present, so you are tasked with taking a look at this. This may be an AS-REP Roasting attack, since anyone can request a ticket for any user account that has pre-authentication disabled.
https://app.hackthebox.com/sherlocks/736
https://www.hackthebox.com/blog/as-rep-roasting-detection
Before diving into the logs, it’s important to understand what AS-REP Roasting is.
AS-REP Roasting is a Kerberos attack technique where an attacker targets user accounts that have pre-authentication disabled. In a normal Kerberos authentication flow, pre-authentication requires users to encrypt a timestamp with their password before receiving a ticket. When this is disabled, any unauthenticated user can request a Kerberos ticket for the target account, and the KDC will return an AS-REP message (Authentication Service Response) encrypted with the user’s password hash. The attacker can then brute-force or crack this hash offline to retrieve the cleartext password.
This attack doesn’t require prior access to the network and can be performed anonymously, making it a favorite method for initial access and privilege escalation in Active Directory environments.
To detect AS-REP Roasting, we focus on the Windows Security Event Log entries for Kerberos authentication ticket (TGT) requests, with:
- Pre-Authentication Type = 0
- Service Name = krbtgt
- Ticket Encryption Type = 0x17 (RC4-HMAC)
Tip: Filtering for Pre-Authentication Type = 0 will eliminate most noise and help you focus on accounts that are truly vulnerable to AS-REP Roasting.
Once you identify a vulnerable account that received a ticket (likely the victim), the next step is to determine who requested it.
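The filter above, and the follow-up step of pulling the requester's address, as an added example written for this writeup rather than code from the Sherlock or from Hack The Box. It runs over constructed records that mimic the EventData fields of Event ID 4768 (the TGT-request event that carries Pre-Authentication Type, Service Name and Ticket Encryption Type); the user names and IPs are made up.

```python
"""Flag AS-REP Roasting candidates in Windows Security Event ID 4768 records."""
from dataclasses import dataclass

# Constructed sample records (not real log data): EventData fields of 4768/4769
# events as they would look after parsing the EVTX XML into dicts.
SAMPLE_EVENTS = [
    {"EventID": 4768, "TargetUserName": "j.smith", "ServiceName": "krbtgt",
     "PreAuthType": "2", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.17.79.129"},
    {"EventID": 4768, "TargetUserName": "old-admin", "ServiceName": "krbtgt",
     "PreAuthType": "0", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.17.79.135"},
    {"EventID": 4769, "TargetUserName": "j.smith", "ServiceName": "cifs/fs01",
     "PreAuthType": "-", "TicketEncryptionType": "0x17", "IpAddress": "::ffff:172.17.79.129"},
    {"EventID": 4768, "TargetUserName": "svc-backup", "ServiceName": "krbtgt",
     "PreAuthType": "0", "TicketEncryptionType": "0x12", "IpAddress": "::ffff:172.17.79.135"},
]


@dataclass(frozen=True)
class Finding:
    target_user: str   # the account whose AS-REP was handed out (the likely victim)
    requester_ip: str  # who asked for it (IpAddress field, IPv4-mapped prefix stripped)
    enc_type: str
    severity: str


def asrep_findings(events):
    """Return one Finding per TGT request matching the AS-REP Roasting pattern.

    A match is Event ID 4768, ServiceName krbtgt and Pre-Authentication Type 0.
    RC4 (0x17) is rated "high" because that AS-REP is the cheapest to crack offline;
    an AES-encrypted AS-REP for a no-preauth account is still reported as "medium".
    """
    findings = []
    for ev in events:
        if ev.get("EventID") != 4768 or ev.get("ServiceName", "").lower() != "krbtgt":
            continue
        if ev.get("PreAuthType") != "0":
            continue
        enc = ev.get("TicketEncryptionType", "").lower()
        severity = "high" if enc == "0x17" else "medium"
        ip = ev.get("IpAddress", "?").removeprefix("::ffff:")
        findings.append(Finding(ev["TargetUserName"], ip, enc, severity))
    return findings


if __name__ == "__main__":
    for f in asrep_findings(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.target_user}: TGT issued without preauth to "
              f"{f.requester_ip} (etype {f.enc_type})")
```

Feeding it real events means exporting the 4768 entries from Security.evtx to the same field names; the requester IP in each finding is the pivot for the next question.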