MITRE ATT&CK Technique
Description
Adversaries may reveal credentials of accounts that have disabled Kerberos preauthentication by [Password Cracking](https://attack.mitre.org/techniques/T1110/002) Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan 2017)

Preauthentication offers protection against offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002). When enabled, a user requesting access to a resource initiates communication with the Domain Controller (DC) by sending an Authentication Server Request (AS-REQ) message with a timestamp that is encrypted with the hash of their password. If and only if the DC is able to successfully decrypt the timestamp with the hash of the user’s password, it will then send an Authentication Server Response (AS-REP) message that contains the Ticket Granting Ticket (TGT) to the user. Part of the AS-REP message is signed with the user’s password.(Citation: Microsoft Kerberos Preauth 2014)

For each account found without preauthentication, an adversary may send an AS-REQ message without the encrypted timestamp and receive an AS-REP message with TGT data which may be encrypted with an insecure algorithm such as RC4. The recovered encrypted data may be vulnerable to offline [Password Cracking](https://attack.mitre.org/techniques/T1110/002) attacks similarly to [Kerberoasting](https://attack.mitre.org/techniques/T1558/003) and expose plaintext credentials.(Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

An account registered to a domain, with or without special privileges, can be abused to list all domain accounts that have preauthentication disabled by utilizing Windows tools like [PowerShell](https://attack.mitre.org/techniques/T1059/001) with an LDAP filter. Alternatively, the adversary may send an AS-REQ message for each user. If the DC responds without errors, the account does not require preauthentication and the AS-REP message will already contain the encrypted data.(Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP Roasting Jun 2019)

Cracked hashes may enable [Persistence](https://attack.mitre.org/tactics/TA0003), [Privilege Escalation](https://attack.mitre.org/tactics/TA0004), and [Lateral Movement](https://attack.mitre.org/tactics/TA0008) via access to [Valid Accounts](https://attack.mitre.org/techniques/T1078).(Citation: SANS Attacking Kerberos Nov 2014)
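
The exchange described above leaves a trace on the DC: Event ID 4768 (the Microsoft 4768 TGT 2017 reference) records the pre-authentication type and ticket encryption type of each issued TGT. The following is an added detection example, not part of the ATT&CK entry: it flags TGTs issued with no preauthentication and raises severity for RC4 tickets or for one source requesting several such accounts. Field names follow the 4768 event schema; the sample records, the function name and the burst threshold are constructed assumptions.

```python
from collections import defaultdict

RC4_HMAC = 0x17   # Ticket Encryption Type value for RC4-HMAC
NO_PREAUTH = "0"  # Pre-Authentication Type 0: request carried no pre-auth data

# Constructed sample records standing in for fields of exported 4768 events.
SAMPLE_EVENTS = [
    {"TargetUserName": "alice", "IpAddress": "10.0.5.20", "Status": "0x0",
     "TicketEncryptionType": "0x12", "PreAuthType": "2"},
    {"TargetUserName": "svc_backup", "IpAddress": "10.0.9.77", "Status": "0x0",
     "TicketEncryptionType": "0x17", "PreAuthType": "0"},
    {"TargetUserName": "svc_scan", "IpAddress": "10.0.9.77", "Status": "0x0",
     "TicketEncryptionType": "0x17", "PreAuthType": "0"},
    {"TargetUserName": "legacy_app", "IpAddress": "10.0.9.77", "Status": "0x0",
     "TicketEncryptionType": "0x12", "PreAuthType": "0"},
    {"TargetUserName": "kiosk01", "IpAddress": "10.0.7.3", "Status": "0x0",
     "TicketEncryptionType": "0x12", "PreAuthType": "0"},
    {"TargetUserName": "bob", "IpAddress": "10.0.9.77", "Status": "0x6",
     "TicketEncryptionType": "0xffffffff", "PreAuthType": "-"},
]

def find_asrep_findings(events, burst_threshold=3):
    """Return one finding per TGT that was issued without preauthentication."""
    by_source = defaultdict(set)
    hits = []
    for ev in events:
        # Keep only successful AS exchanges that carried no pre-auth data.
        if int(ev["Status"], 16) != 0 or ev["PreAuthType"] != NO_PREAUTH:
            continue
        hits.append(ev)
        by_source[ev["IpAddress"]].add(ev["TargetUserName"].lower())
    findings = []
    for ev in hits:
        src = ev["IpAddress"]
        rc4 = int(ev["TicketEncryptionType"], 16) == RC4_HMAC
        # Several distinct no-preauth accounts from one source suggests a sweep.
        burst = len(by_source[src]) >= burst_threshold
        severity = "high" if rc4 and burst else "medium" if rc4 or burst else "low"
        findings.append({"account": ev["TargetUserName"], "source": src,
                         "rc4": rc4, "burst": burst, "severity": severity})
    return findings

if __name__ == "__main__":
    for finding in find_asrep_findings(SAMPLE_EVENTS):
        print(finding)
```

A "low" finding is still worth triage: it means an account exists with preauthentication disabled, which is the precondition for the technique.
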
Supported Platforms
Created
April 29, 2026
Last Updated
April 29, 2026
STIX Data
{'created': '2020-08-24T13:43:00.028Z',
'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'description': 'Adversaries may reveal credentials of accounts that have '
'disabled Kerberos preauthentication by [Password '
'Cracking](https://attack.mitre.org/techniques/T1110/002) '
'Kerberos messages.(Citation: Harmj0y Roasting AS-REPs Jan '
'2017) \n'
'\n'
'Preauthentication offers protection against offline [Password '
'Cracking](https://attack.mitre.org/techniques/T1110/002). '
'When enabled, a user requesting access to a resource '
'initiates communication with the Domain Controller (DC) by '
'sending an Authentication Server Request (AS-REQ) message '
'with a timestamp that is encrypted with the hash of their '
'password. If and only if the DC is able to successfully '
'decrypt the timestamp with the hash of the user’s password, '
'it will then send an Authentication Server Response (AS-REP) '
'message that contains the Ticket Granting Ticket (TGT) to the '
'user. Part of the AS-REP message is signed with the user’s '
'password.(Citation: Microsoft Kerberos Preauth 2014)\n'
'\n'
'For each account found without preauthentication, an '
'adversary may send an AS-REQ message without the encrypted '
'timestamp and receive an AS-REP message with TGT data which '
'may be encrypted with an insecure algorithm such as RC4. The '
'recovered encrypted data may be vulnerable to offline '
'[Password '
'Cracking](https://attack.mitre.org/techniques/T1110/002) '
'attacks similarly to '
'[Kerberoasting](https://attack.mitre.org/techniques/T1558/003) '
'and expose plaintext credentials. (Citation: Harmj0y Roasting '
'AS-REPs Jan 2017)(Citation: Stealthbits Cracking AS-REP '
'Roasting Jun 2019) \n'
'\n'
'An account registered to a domain, with or without special '
'privileges, can be abused to list all domain accounts that '
'have preauthentication disabled by utilizing Windows tools '
'like '
'[PowerShell](https://attack.mitre.org/techniques/T1059/001) '
'with an LDAP filter. Alternatively, the adversary may send an '
'AS-REQ message for each user. If the DC responds without '
'errors, the account does not require preauthentication and '
'the AS-REP message will already contain the encrypted data. '
'(Citation: Harmj0y Roasting AS-REPs Jan 2017)(Citation: '
'Stealthbits Cracking AS-REP Roasting Jun 2019)\n'
'\n'
'Cracked hashes may enable '
'[Persistence](https://attack.mitre.org/tactics/TA0003), '
'[Privilege '
'Escalation](https://attack.mitre.org/tactics/TA0004), and '
'[Lateral Movement](https://attack.mitre.org/tactics/TA0008) '
'via access to [Valid '
'Accounts](https://attack.mitre.org/techniques/T1078).(Citation: '
'SANS Attacking Kerberos Nov 2014)',
'external_references': [{'external_id': 'T1558.004',
'source_name': 'mitre-attack',
'url': 'https://attack.mitre.org/techniques/T1558/004'},
{'description': 'Bani, M. (2018, February 23). '
'Detecting Kerberoasting activity '
'using Azure Security Center. '
'Retrieved March 23, 2018.',
'source_name': 'Microsoft Detecting Kerberoasting '
'Feb 2018',
'url': 'https://blogs.technet.microsoft.com/motiba/2018/02/23/detecting-kerberoasting-activity-using-azure-security-center/'},
{'description': 'HarmJ0y. (2017, January 17). '
'Roasting AS-REPs. Retrieved '
'September 23, 2024.',
'source_name': 'Harmj0y Roasting AS-REPs Jan 2017',
'url': 'https://blog.harmj0y.net/activedirectory/roasting-as-reps/'},
{'description': 'Jeff Warren. (2019, June 27). '
'Cracking Active Directory Passwords '
'with AS-REP Roasting. Retrieved '
'August 24, 2020.',
'source_name': 'Stealthbits Cracking AS-REP Roasting '
'Jun 2019',
'url': 'https://blog.stealthbits.com/cracking-active-directory-passwords-with-as-rep-roasting/'},
{'description': 'Medin, T. (2014, November). '
'Attacking Kerberos - Kicking the '
'Guard Dog of Hades. Retrieved March '
'22, 2018.',
'source_name': 'SANS Attacking Kerberos Nov 2014',
'url': 'https://redsiege.com/kerberoast-slides'},
{'description': 'Metcalf, S. (2015, December 31). '
'Cracking Kerberos TGS Tickets Using '
'Kerberoast – Exploiting Kerberos to '
'Compromise the Active Directory '
'Domain. Retrieved March 22, 2018.',
'source_name': 'AdSecurity Cracking Kerberos Dec '
'2015',
'url': 'https://adsecurity.org/?p=2293'},
{'description': 'Microsoft. (2017, April 19). 4768(S, '
'F): A Kerberos authentication ticket '
'(TGT) was requested. Retrieved '
'August 24, 2020.',
'source_name': 'Microsoft 4768 TGT 2017',
'url': 'https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4768'},
{'description': 'Sanyal, M.. (2014, March 18). '
'Kerberos Pre-Authentication: Why It '
'Should Not Be Disabled. Retrieved '
'August 25, 2020.',
'source_name': 'Microsoft Kerberos Preauth 2014',
'url': 'https://social.technet.microsoft.com/wiki/contents/articles/23559.kerberos-pre-authentication-why-it-should-not-be-disabled.aspx'}],
'id': 'attack-pattern--3986e7fd-a8e9-4ecb-bfc6-55920855912b',
'kill_chain_phases': [{'kill_chain_name': 'mitre-attack',
'phase_name': 'credential-access'}],
'modified': '2025-10-24T17:48:39.884Z',
'name': 'AS-REP Roasting',
'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
'revoked': False,
'spec_version': '2.1',
'type': 'attack-pattern',
'x_mitre_attack_spec_version': '3.2.0',
'x_mitre_contributors': ['Yossi Nisani, Cymptom',
'James Dunn, @jamdunnDFW, EY',
'Swapnil Kumbhar',
'Jacques Pluviose, @Jacqueswildy_IT',
'Dan Nutting, @KerberToast'],
'x_mitre_deprecated': False,
'x_mitre_detection': '',
'x_mitre_domains': ['enterprise-attack'],
'x_mitre_is_subtechnique': True,
'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
'x_mitre_platforms': ['Windows'],
'x_mitre_version': '1.2'}