Threat Hunting for Active Directory Attacks: AS-REP Roasting
Organizations rely on Active Directory (AD) services for policy configuration, user management, and privileges. This makes AD a primary target for adversaries, since it is often the key to the kingdom. AS-REP Roasting is a popular attack technique against the Active Directory ecosystem that takes advantage of a misconfiguration in how user accounts are set up in a corporate domain environment. The MITRE ATT&CK framework tags this technique as T1558.004. The technicalities of conducting an AS-REP roasting attack are skipped here, since there are a plethora of articles on the web that discuss the attack. In this blog post, instead, we discuss the generic methodology used to enumerate potential target users from a domain controller (DC) environment, and the network threat hunting techniques that let you look at those indicators of compromise (IOCs) more closely.
The Kerberos authentication process is complex and explained in a lot more detail here, but a summary follows. AS-REP is the Authentication Service (AS) response message in Kerberos. When a client needs to access any service inside a domain, it first exchanges an AS-REQ (request) and an AS-REP (response) with the domain controller, and it is in this exchange that credential material is passed in the form of encrypted keys. During the Kerberos pre-authentication phase the client proves knowledge of its password to the DC and, in the AS-REP, receives a Ticket Granting Ticket (TGT) that it presents for subsequent authentications. If, however, a specific domain user account is misconfigured to bypass Kerberos pre-authentication, an attacker can request authentication data for that account without knowing its password, and the DC returns an AS-REP whose portion encrypted with the user's key (alongside the TGT) can be brute-forced offline with tools like John the Ripper, hashcat, etc. to recover the account's actual domain login credentials. As you will see in some of the examples below, these are often legacy accounts that the domain administrator has kept for backward compatibility.
Because the cracking of such password material happens offline, the attack itself is difficult to detect. However, from a network threat hunting perspective there are a few deep packet inspection (DPI) techniques that can be used to identify the preliminary reconnaissance that precedes it.
There are several popular tools, PowerShell scripts, and exploitation framework plugins available to perform AS-REP roasting attacks, which makes the attack fairly simple to launch. The tools include the impacket suite (GetNPUsers.py), ASREPRoast, and Rubeus.
The following screenshot (using the impacket suite) demonstrates how to dump the hashes for offline password cracking against a DC environment. Also, remember, you don’t need a valid user account to execute this command:
Figure 1: AS-REP roasting via impacket (GetNPUsers.py)
Let us look at the traffic the above command line generates by going through the impacket source code (GetNPUsers.py). We see a number of LDAP queries sent to the domain controller that retrieve the list of domain user accounts whose userAccountControl account options have been misconfigured with the flag Do not require Kerberos preauthentication. Specifically, a crafted LDAP search filter is sent to the DC with the constant value 4194304 for the userAccountControl attribute; this retrieves the potentially exploitable domain user accounts. An article from Microsoft lists some of the relevant LDAP search filters and their values.
Figure 2 is the relevant code fragment from the impacket Python source (GetNPUsers.py), which shows how the LDAP searchRequest packet structure looks:
Figure 2: impacket (GetNPUsers.py) LDAP searchRequest filter
Figure 3 shows the crafted LDAP searchRequest sent from the client/attacker to the DC, in which the userAccountControl attribute value has been set to 4194304.
Threat Hunting for AS-REP Roasting with Arista NDR
The Arista NDR platform’s powerful protocol decoder engine parses the LDAP protocol, filter structures, and indexes a variety of attributes to support a high-speed search for network events.
Running a query in Arista’s Adversarial Modeling Language (AML) such as activity.ldap.filter like r/4194304/ yields a number of relevant records for the chosen time window (Figure 4). Arista NDR also provides the flexibility to perform a literal string search for the complete LDAP filter attribute value, if desired.
It is highly recommended that domain administrators:
- configure domain user accounts with the appropriate account options through the Active Directory Users and Computers (dsa.msc) wizard, and verify that the “Do not require Kerberos preauthentication” option is disabled for all domain user accounts.
- audit domain user account policies and permissions on a regular basis to ensure they are not misconfigured.
- disable the Kerberos PreAuth option by executing the following PowerShell cmdlets:
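The cmdlets themselves are not reproduced on the page. As an added example that is not part of the original post, the following Python (the language of the impacket tooling discussed above) audits an LDIF export of user objects, such as one produced by ldifde or ldapsearch, for the same condition the attacker's filter selects: the DONT_REQ_PREAUTH bit (0x400000, i.e. 4194304) set on an enabled, non-computer account. It decodes the userAccountControl bit field, lists the affected accounts and computes the value with that single bit cleared, which is what an administrator would write back. The LDIF entries, the corp.example domain and the account names are constructed sample data.

```python
# Constructed LDIF export in the shape ldifde / ldapsearch produce; domain and names are invented.
SAMPLE_LDIF = """\
dn: CN=svc_legacy,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_legacy
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example
userAccountControl: 4194816

dn: CN=jdoe,OU=Users,DC=corp,DC=example
sAMAccountName: jdoe
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example
userAccountControl: 512

dn: CN=old_admin,OU=Users,DC=corp,DC=example
sAMAccountName: old_admin
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example
userAccountControl: 4194818

dn: CN=WS01,OU=Workstations,DC=corp,DC=example
sAMAccountName: WS01$
objectCategory: CN=Computer,CN=Schema,CN=Configuration,DC=corp,DC=example
userAccountControl: 4198400

dn: CN=svc_backup,OU=Service Accounts,DC=corp,DC=example
sAMAccountName: svc_backup
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=corp,DC=example
userAccountControl: 4260352
"""

# Subset of the documented userAccountControl flags, enough to read the sample values.
UAC_FLAGS = {
    0x00002: "ACCOUNTDISABLE",
    0x00200: "NORMAL_ACCOUNT",
    0x01000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",  # 4194304
}
UF_ACCOUNTDISABLE = 0x2
UF_DONT_REQUIRE_PREAUTH = 0x400000


def parse_ldif(text):
    """Minimal LDIF reader: blank-line separated entries of 'attr: value' lines (no folding or base64)."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current[attr.strip()] = value.strip()
    if current:
        entries.append(current)
    return entries


def decode_uac(value):
    """Names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def is_roastable(entry, include_disabled=False):
    """The predicate the attacker's filter expresses: pre-auth not required, enabled, not a computer.

    Disabled accounts still carry the bit and become roastable the day someone re-enables them,
    so include_disabled=True reports them too.
    """
    uac = int(entry.get("userAccountControl", "0"))
    if not uac & UF_DONT_REQUIRE_PREAUTH:
        return False
    if entry.get("objectCategory", "").lower().startswith("cn=computer"):
        return False
    if uac & UF_ACCOUNTDISABLE and not include_disabled:
        return False
    return True


def remediated_uac(value):
    """userAccountControl with DONT_REQ_PREAUTH cleared and every other bit preserved."""
    return value & ~UF_DONT_REQUIRE_PREAUTH


def audit(ldif_text, include_disabled=False):
    """Findings for every entry in the export that is (or would become) roastable."""
    findings = []
    for entry in parse_ldif(ldif_text):
        if is_roastable(entry, include_disabled):
            uac = int(entry["userAccountControl"])
            findings.append({
                "sAMAccountName": entry["sAMAccountName"],
                "current": uac,
                "flags": decode_uac(uac),
                "remediated": remediated_uac(uac),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LDIF, include_disabled=True):
        print(f"{f['sAMAccountName']:12} userAccountControl={f['current']:<8} "
              f"[{', '.join(f['flags'])}] -> set to {f['remediated']}")
```

On a live domain the same check and fix are done with the Active Directory PowerShell module, for example Get-ADUser -Filter {DoesNotRequirePreAuth -eq $true} to list the accounts and Set-ADAccountControl -DoesNotRequirePreAuth $false to clear the flag; the remediated value computed here is the result that write produces, with no other account option touched. The computer account in the sample is excluded to match the filter the post describes, but it is worth reviewing separately, since the flag has the same effect on it.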
Arista NDR identifies enumeration attempts through the Adversarial Modeling Language (AML) via an existing model “Discovery: Potential Domain User Accounts Susceptible To Kerberos AS-REP Roasting”. If you have questions about Active Directory attack abuse please contact us.