T1558.004Credential Access

AS-REP Roasting

Request AS-REP for users with DONT_REQUIRE_PREAUTH and crack the returned blob offline.

§ Where this technique fits

T1558.004 is catalogued under the Credential Access tactic of the offensive-security kill-chain. It appears in 1 approved dossier in the registry, typically at step 2 on average.

Authoritative reference: attack.mitre.org/techniques/T1558/004/.

§ Dossiers chaining this technique

AS-REP roast → cracked user → Kerberoast → service-account admin
Anonymous attacker recovers a user password via AS-REP roasting, authenticates, kerberoasts a service account with weak password, and lands on a high-value server.
step 2 / 8

§ What commonly comes next

01
Brute Force
T1110 · Credential Access
seen 1×

§ Where this technique fits

§ Dossiers chaining this technique

AS-REP roast → cracked user → Kerberoast → service-account admin

§ What commonly comes next