splunk · thegreatmhn · Oct 23, 2025 · nasbench · Oct 23, 2025 · thegreatmhn
@@ -0,0 +1,61 @@
+name: Active Directory AS-REP Roasting Detection
+id: ab5e7322-fa7c-4752-b174-121db4ea54db
+version: 1
+date: '2025-10-23'
+author: Mahdi Hamedani Nezhad
+status: production
+type: Correlation
+data_source: []
+description: The following analytic identifies potential credential access activity
+  targeting Active Directory (AD) user accounts through AS-REP roasting techniques.
+  It detects this behavior by monitoring Kerberos AS-REQ events (EventCode 4768) that
+  request Ticket-Granting Tickets (TGTs) without pre-authentication (PreAuthType=0).
+  This condition typically occurs when an account has the "Do not require Kerberos
+  pre-authentication" flag enabled, which adversaries can exploit to obtain encrypted
+  credentials for offline password cracking. This is significant for a SOC as it highlights
+  attempts to enumerate or harvest weakly protected user accounts, potentially exposing
+  valid credentials. If confirmed malicious, this activity could enable attackers
+  to gain unauthorized access to AD services and escalate privileges within the domain.
+search: '`wineventlog_security` EventCode=4768 ServiceName=krbtgt PreAuthType=0 
+  | search NOT TargetUserName="*$"
+  | stats count min(_time) as firstTime max(_time) as lastTime by TargetUserName ServiceName src_ip dest 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
+  | `active_directory_as_rep_roasting_detection`'
+how_to_implement: Splunk Enterprise Security is required to utilize this correlation.
+  Ensure that Windows Security Event Logs (EventCode 4768) are being ingested from
+  all domain controllers. Modify the count threshold as appropriate for your environment.
+  In testing, three or more events in a short period may indicate enumeration or roasting
+  behavior. Tune filters and thresholds to reduce false positives.
+known_false_positives: False positives may occur in environments with legacy or service
+  accounts that legitimately have pre-authentication disabled. These accounts should
+  be reviewed and filtered as appropriate.
+references:
+- https://attack.mitre.org/techniques/T1558/004/
+- https://adsecurity.org/?p=2293
+- https://research.splunk.com/stories/active_directory_privilege_escalation/
+drilldown_searches:
+- name: View the detection results for - "$TargetUserName$"
+  search: '%original_detection_search% | search TargetUserName = "$TargetUserName$"'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+- name: View related Kerberos activity for - "$src_ip$"
+  search: 'index=windows (EventCode=4768 OR EventCode=4769 OR EventCode=4771) src_ip="$src_ip$"
+    | stats count min(_time) as firstTime max(_time) as lastTime values(TargetUserName)
+    as "Target Users" values(EventCode) as "Event Codes" by src_ip dest
+    | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`'
+  earliest_offset: $info_min_time$
+  latest_offset: $info_max_time$
+tags:
+  analytic_story:
+  - Active Directory Privilege Escalation
+  - Credential Access via Kerberos
+  asset_type: Endpoint
+  atomic_guid: []
+  mitre_attack_id:
+  - T1558.004
+  product:
+  - Splunk Enterprise
+  - Splunk Enterprise Security
+  - Splunk Cloud
+  security_domain: endpoint